Analysis
max time kernel: 109s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 20:57

Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Resource: win7-20240508-en

General
Target: 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Size: 1.8MB
MD5: 411f91542c9e4be6ac58e39cb6ee6c56
SHA1: 896a0a8da0a0356dc575a61a28c9e76d270a1d82
SHA256: 9eaade0c6d829a6e2703d68eb843b14189909b78e17a5e2c560e599489f4605d
SHA512: b5c75b879f8f3bc409c84f44cdfada33e00644d9bf1f03bd2148157fa8fa3ce1e9c9b30ebc8a87039e82471b31486523c31868eae78b8b6def405a1f02b957ef
SSDEEP: 49152:/E19+ApwXk1QE1RzsEQPaxHNy0vo05s0eusONlP:Q93wXmoK6eD5s0JXP
Malware Config
Signatures
Executes dropped EXE 22 IoCs
Processes (pid, process):
3348 alg.exe
2540 DiagnosticsHub.StandardCollector.Service.exe
4744 fxssvc.exe
3252 elevation_service.exe
3884 elevation_service.exe
4848 maintenanceservice.exe
3300 msdtc.exe
4280 OSE.EXE
2212 PerceptionSimulationService.exe
3752 perfhost.exe
1876 locator.exe
3028 SensorDataService.exe
2216 snmptrap.exe
3876 spectrum.exe
1088 ssh-agent.exe
3116 TieringEngineService.exe
3224 AgentService.exe
3908 vds.exe
624 vssvc.exe
4100 wbengine.exe
1688 WmiApSrv.exe
648 SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in System32 directory 31 IoCs
Processes: 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory 64 IoCs
Processes: DiagnosticsHub.StandardCollector.Service.exe, 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe, maintenanceservice.exe
Drops file in Windows directory 3 IoCs
Processes: 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe, msdtc.exe, DiagnosticsHub.StandardCollector.Service.exe
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe)
File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (DiagnosticsHub.StandardCollector.Service.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Modifies data under HKEY_USERS 64 IoCs
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe, SearchIndexer.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b4271071daeda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f0111081daeda01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 664 664 -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, DiagnosticsHub.StandardCollector.Service.exe
description / pid / process:
Token: SeTakeOwnershipPrivilege 2312 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeAuditPrivilege 4744 fxssvc.exe
Token: SeRestorePrivilege 3116 TieringEngineService.exe
Token: SeManageVolumePrivilege 3116 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 3224 AgentService.exe
Token: SeBackupPrivilege 624 vssvc.exe
Token: SeRestorePrivilege 624 vssvc.exe
Token: SeAuditPrivilege 624 vssvc.exe
Token: SeBackupPrivilege 4100 wbengine.exe
Token: SeRestorePrivilege 4100 wbengine.exe
Token: SeSecurityPrivilege 4100 wbengine.exe
Token: 33 648 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 648 SearchIndexer.exe
Token: SeDebugPrivilege 2312 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege 2312 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege 2312 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege 2312 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege 2312 2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Token: SeDebugPrivilege 2540 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description / pid / process / target process:
PID 648 wrote to memory of 4424: SearchIndexer.exe -> SearchProtocolHost.exe
PID 648 wrote to memory of 4424: SearchIndexer.exe -> SearchProtocolHost.exe
PID 648 wrote to memory of 2848: SearchIndexer.exe -> SearchFilterHost.exe
PID 648 wrote to memory of 2848: SearchIndexer.exe -> SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_411f91542c9e4be6ac58e39cb6ee6c56_bkransomware.exe" (level 1)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe (level 1)
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv (level 1)
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe (level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" (level 1)
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" (level 1)
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" (level 1)
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe (level 1)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (level 1)
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (level 1)
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe (level 1)
- Executes dropped EXE
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe (level 1)
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe (level 1)
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe (level 1)
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe (level 1)
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc (level 1)
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe (level 1)
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe (level 1)
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe" (level 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding (level 1)
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" (level 2, child of SearchIndexer.exe)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784 (level 2, child of SearchIndexer.exe)
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\System32\msdtc.exeFilesize
1.4MB
MD5078bc6e6414148d585983334a9357427
SHA10627069aa1633a0bd6c1e3d79627e1736699e852
SHA2567118a7159a7a250ac3cca6562a4f4a5163dea28e8905e6557605178c40438c13
SHA512aedfc54315ea98658319009cd0e536351f13517b4de471ff6d191ac253f9c68080ab5f59d9f42e949dad95daed2080b7512ef5e469a6b8ab31fa4c248a74dc6e
-
C:\Windows\System32\snmptrap.exeFilesize
1.2MB
MD580eaeadc45e2a5f6dcbf9f4ccb38f1b2
SHA1cb55936b05a9f958bb9d366f7b835bf904b50b3d
SHA2561410354291ec23914c79ed6a96d9f87ae860913b300fde4544e1f6618fe901da
SHA512382d8519b6128a3430c546b3531ab262fb76a09b824657de19f6cc350f36f25d3f0ba9e01de5399d4179575516ef8231968274d142da940d7f8f7f9a9fa78036
-
C:\Windows\System32\vds.exeFilesize
1.3MB
MD59e00c01568afbe8e518d87c4f3f21847
SHA169db4438a408635cfa1ea5d28c537e6c7bb7118a
SHA256e0b7a5edb0b9321a5b61daa8fdae1959da98ad32296086581c7c1f407ec6df4e
SHA51242a8171aac2805ec721fb3db55c978566abaf9d39c910e167eae3b2fd2fb0cc1302aa14801a047b7592b17da9db9703ba1e6ef7f3f5ada84f348ca563ae841e8
-
C:\Windows\System32\wbem\WmiApSrv.exeFilesize
1.4MB
MD5fef9e728d7b6815e4b505c06cce7dca6
SHA15211d4029d2ff4595fcdb9443ee4912482c16eb1
SHA2565b7600922e5ac17a400d5111b15467389a52355c571badac13e478881072ebd8
SHA512ebb3850b191b21e197d3717334b8ce9d835f27c1ea28b4e60bde5c2b28546e02359ded9dedc65f26b232fdc23349229d492b2fe6ae282e2073207130c9b4cb0a
-
C:\Windows\System32\wbengine.exeFilesize
2.1MB
MD5f3ef580873c5003f122db8791c4f77a7
SHA1f080039f71e83672f0b93d5929856725c2d1ae7e
SHA25666b62ce24078bb61da46b401f07703d272f465574530fdb6f58fae207b499837
SHA51220d42a5e89354e4d6c6d394bbd9cd4578cf2c6f432464a072e1c79354d14b1def0fd8c6723de575a9735ce491a095f6b97f5b0227dcac14de4c6c13e5d6d03b2
-
C:\Windows\system32\AppVClient.exeFilesize
1.3MB
MD5c86b55be81b6f70aaa8e47aad363220b
SHA101b1045f2e4a62cad0cd3dc7775b767ad58f9b87
SHA25678cdd9f6e42be3b09d156037e9e7001b7acbb152404732ce5553703d0236fced
SHA5129b9cd0363694923c24a5184842ce72ed2b0911e5073a1a9d1103df33e0d2943df9125079009f5c70c596380cbbdc3cc139480840b029e979be56375893e9b22b
-
C:\Windows\system32\SgrmBroker.exeFilesize
1.5MB
MD555225fc12624f9165a108bc6bc6aad2e
SHA17e0187e4f2e74da165a863d0d03406bc2654a9f6
SHA256b81cc1c5890858b009e800defc256b0102788e4c9865910b24341ef8002ccbb4
SHA512387b117bd011d482a0d3d71fd0bcdd2bad91117d69b29118149686af7163a27a4966c8b75c7fda02ec694d933ee4c4583cd08aae3456645dbbbfd5155d1ef2a3
-
C:\Windows\system32\msiexec.exeFilesize
1.3MB
MD5aade284fb1d5ded2db210bb3239206e1
SHA1e4558183ee59402555dbd00f37eb92c8cae79aa4
SHA256e321c8569dbbbd91968f3359cef59f20e9062d4f9bfa2b68cf7099e62e4de588
SHA512b098cf3a0834f5c6c5c4ae316aa31386a669f8cf5a4e05291202d1e42ff0fd30ff86c01653bb250187f3c7bcff82a3993366e0ed6ab84bdb57733a9c16411fce
-
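The dropped files above all sit at the paths of Windows service binaries under System32, so the useful check on a suspect host or a mounted disk image is to hash the file at each listed path and compare it with the report. The script below is an added example, not part of the sandbox report or of the analysed sample: it parses the listing in exactly the flattened form it is extracted here (path with "Filesize" fused on, hash label fused to its digest, "-" between entries), then hashes the files at the corresponding paths. Two entries from this section are embedded as constructed input; the mapping of "C:\..." onto a root directory, the verdict strings and the temporary test root are the example's own assumptions. A SHA256 match means the modified copy from the report is present; a mismatch does not clear the host, since a legitimate build of the same binary or a different variant also mismatches.

```python
"""Check a host or mounted image against a sandbox dropped-file listing.
Added example, not part of the sandbox report or of the sample. It parses the
listing exactly as extracted on the page (label fused to value, '-' between
entries); the image-root mapping and verdict strings are the example's own."""
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Union

# Constructed input: two entries copied verbatim from the report's dropped-file section.
SAMPLE_LISTING = r"""
C:\Windows\System32\FXSSVC.exeFilesize
1.2MB
MD582c1dcd46f94a83144871b8b59ae5ce5
SHA13397011ef9bac7070b6c276ab6e9f6d0d396eaa5
SHA25698bbca87276c58255ca8e3b87eb30089f9cec77f87f119a2db1169f5834a69ff
SHA512cfd95572080c3ac4e92b08d9f7c8709e0ae99db252ece8bd36c0767b4c2e67818750d742c1ffdbc6f32dbf9fcc71d361fdebf07d65b08713e5e70adddae3c098
-
C:\Windows\System32\alg.exeFilesize
1.3MB
MD55393d7f9a9f237e213126a4c23b8abf5
SHA1d49aa082428ce88998a65f1a31292b62d9645e53
SHA2562e93275c2f7acdcefebbb83bd861c766ed9253e833c787dfe4345db19b58e530
SHA5125baa8d556dbcfada5708626b952b805376ce770caafef3da8e7d664214787c356a30bc322819ba2e3e6f3b589c0f02ed1c9eb3e77a36a7ed322fb2227156586a
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")  # longest label first

@dataclass
class DroppedFile:
    path: str                                   # Windows path as written in the report
    size: str = ""                              # report's human-readable size, e.g. '1.2MB'
    hashes: Dict[str, str] = field(default_factory=dict)

def parse_listing(text: str) -> List[DroppedFile]:
    """Split the fused report text into one record per dropped file."""
    entries: List[DroppedFile] = []
    cur: Optional[DroppedFile] = None
    expect_size = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                          # entry separator
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        if line.endswith("Filesize"):            # path line with the size label fused on
            cur, expect_size = DroppedFile(path=line[: -len("Filesize")]), True
            continue
        if cur is None:
            raise ValueError(f"value before any path: {line!r}")
        if expect_size:                          # the line after the path is the size
            cur.size, expect_size = line, False
            continue
        m = LABEL_RE.match(line)                 # length check catches a mis-split digest
        if m is None or len(m.group(2)) != HASH_LEN[m.group(1)]:
            raise ValueError(f"unrecognised or truncated hash line: {line!r}")
        cur.hashes[m.group(1)] = m.group(2).lower()
    if cur is not None:
        entries.append(cur)
    return entries

def file_digests(path: Path) -> Dict[str, str]:
    """Hash one file with every algorithm the report uses, in a single pass."""
    hashers = {algo: hashlib.new(algo.lower()) for algo in HASH_LEN}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}

def host_path(report_path: str, root: Union[str, Path]) -> Path:
    """Map 'C:\\Windows\\...' under root (assumed layout: drive letter dropped, rest
    relative to root). 'System32' vs 'system32' matters on a case-sensitive mount."""
    rel = report_path.split(":", 1)[1].lstrip("\\").replace("\\", "/")
    return Path(root) / rel

def check_host(entries: List[DroppedFile], root: Union[str, Path]) -> Dict[str, str]:
    """Hash the file at each listed path under root and compare with the report."""
    verdicts: Dict[str, str] = {}
    for e in entries:
        p = host_path(e.path, root)
        if not p.is_file():
            verdicts[e.path] = "absent"
        elif file_digests(p)["SHA256"] == e.hashes.get("SHA256"):
            verdicts[e.path] = "MATCH: modified copy listed in the report"
        else:  # not a clean verdict: a legitimate build or another variant also mismatches
            verdicts[e.path] = "no match (not cleared)"
    return verdicts

def demo_check() -> Dict[str, str]:
    """check_host on a constructed root: alg.exe present as stand-in bytes, FXSSVC.exe absent."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "alg.exe").write_bytes(b"constructed stand-in, not the dropped binary")
        return check_host(parse_listing(SAMPLE_LISTING), tmp)
```

To run it against a real image, paste the whole dropped-file section (the remaining entries above parse the same way) into SAMPLE_LISTING and call check_host with the mount point as root. The digest-length check in parse_listing is what makes the fused format safe to paste: a label that has lost or gained a character fails loudly instead of silently producing a hash that can never match.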
memory/624-440-0x0000000140000000-0x00000001401FC000-memory.dmp
Filesize 2.0MB
-
memory/624-159-0x0000000140000000-0x00000001401FC000-memory.dmp
Filesize 2.0MB
-
memory/648-446-0x0000000140000000-0x0000000140179000-memory.dmp
Filesize 1.5MB
-
memory/648-172-0x0000000140000000-0x0000000140179000-memory.dmp
Filesize 1.5MB
-
memory/1088-143-0x0000000140000000-0x0000000140259000-memory.dmp
Filesize 2.3MB
-
memory/1088-402-0x0000000140000000-0x0000000140259000-memory.dmp
Filesize 2.3MB
-
memory/1688-444-0x0000000140000000-0x000000014021D000-memory.dmp
Filesize 2.1MB
-
memory/1688-170-0x0000000140000000-0x000000014021D000-memory.dmp
Filesize 2.1MB
-
memory/1876-167-0x0000000140000000-0x00000001401EC000-memory.dmp
Filesize 1.9MB
-
memory/1876-111-0x0000000140000000-0x00000001401EC000-memory.dmp
Filesize 1.9MB
-
memory/2212-158-0x0000000140000000-0x0000000140202000-memory.dmp
Filesize 2.0MB
-
memory/2212-98-0x0000000140000000-0x0000000140202000-memory.dmp
Filesize 2.0MB
-
memory/2212-89-0x0000000000BB0000-0x0000000000C10000-memory.dmp
Filesize 384KB
-
memory/2212-95-0x0000000000BB0000-0x0000000000C10000-memory.dmp
Filesize 384KB
-
memory/2216-333-0x0000000140000000-0x00000001401ED000-memory.dmp
Filesize 1.9MB
-
memory/2216-120-0x0000000140000000-0x00000001401ED000-memory.dmp
Filesize 1.9MB
-
memory/2312-0-0x0000000000400000-0x00000000005D9000-memory.dmp
Filesize 1.8MB
-
memory/2312-88-0x0000000000400000-0x00000000005D9000-memory.dmp
Filesize 1.8MB
-
memory/2312-1-0x0000000002300000-0x0000000002366000-memory.dmp
Filesize 408KB
-
memory/2312-8-0x0000000002300000-0x0000000002366000-memory.dmp
Filesize 408KB
-
memory/2540-16-0x0000000140000000-0x0000000140200000-memory.dmp
Filesize 2.0MB
-
memory/2540-114-0x0000000140000000-0x0000000140200000-memory.dmp
Filesize 2.0MB
-
memory/2540-26-0x0000000000680000-0x00000000006E0000-memory.dmp
Filesize 384KB
-
memory/2540-17-0x0000000000680000-0x00000000006E0000-memory.dmp
Filesize 384KB
-
memory/3028-171-0x0000000140000000-0x00000001401D7000-memory.dmp
Filesize 1.8MB
-
memory/3028-385-0x0000000140000000-0x00000001401D7000-memory.dmp
Filesize 1.8MB
-
memory/3028-115-0x0000000140000000-0x00000001401D7000-memory.dmp
Filesize 1.8MB
-
memory/3116-437-0x0000000140000000-0x0000000140239000-memory.dmp
Filesize 2.2MB
-
memory/3116-148-0x0000000140000000-0x0000000140239000-memory.dmp
Filesize 2.2MB
-
memory/3224-152-0x0000000140000000-0x00000001401C0000-memory.dmp
Filesize 1.8MB
-
memory/3224-150-0x0000000140000000-0x00000001401C0000-memory.dmp
Filesize 1.8MB
-
memory/3252-32-0x0000000000820000-0x0000000000880000-memory.dmp
Filesize 384KB
-
memory/3252-40-0x0000000140000000-0x000000014024B000-memory.dmp
Filesize 2.3MB
-
memory/3252-38-0x0000000000820000-0x0000000000880000-memory.dmp
Filesize 384KB
-
memory/3252-134-0x0000000140000000-0x000000014024B000-memory.dmp
Filesize 2.3MB
-
memory/3300-73-0x0000000140000000-0x0000000140210000-memory.dmp
Filesize 2.1MB
-
memory/3348-12-0x0000000140000000-0x0000000140201000-memory.dmp
Filesize 2.0MB
-
memory/3348-110-0x0000000140000000-0x0000000140201000-memory.dmp
Filesize 2.0MB
-
memory/3752-162-0x0000000000400000-0x00000000005EE000-memory.dmp
Filesize 1.9MB
-
memory/3752-100-0x0000000000400000-0x00000000005EE000-memory.dmp
Filesize 1.9MB
-
memory/3752-106-0x0000000000930000-0x0000000000996000-memory.dmp
Filesize 408KB
-
memory/3752-101-0x0000000000930000-0x0000000000996000-memory.dmp
Filesize 408KB
-
memory/3876-365-0x0000000140000000-0x0000000140169000-memory.dmp
Filesize 1.4MB
-
memory/3876-130-0x0000000140000000-0x0000000140169000-memory.dmp
Filesize 1.4MB
-
memory/3884-44-0x00000000001A0000-0x0000000000200000-memory.dmp
Filesize 384KB
-
memory/3884-50-0x00000000001A0000-0x0000000000200000-memory.dmp
Filesize 384KB
-
memory/3884-52-0x0000000140000000-0x000000014022B000-memory.dmp
Filesize 2.2MB
-
memory/3884-146-0x0000000140000000-0x000000014022B000-memory.dmp
Filesize 2.2MB
-
memory/3908-439-0x0000000140000000-0x0000000140147000-memory.dmp
Filesize 1.3MB
-
memory/3908-156-0x0000000140000000-0x0000000140147000-memory.dmp
Filesize 1.3MB
-
memory/4100-163-0x0000000140000000-0x0000000140216000-memory.dmp
Filesize 2.1MB
-
memory/4100-443-0x0000000140000000-0x0000000140216000-memory.dmp
Filesize 2.1MB
-
memory/4280-74-0x00000000007E0000-0x0000000000840000-memory.dmp
Filesize 384KB
-
memory/4280-82-0x0000000140000000-0x0000000140226000-memory.dmp
Filesize 2.1MB
-
memory/4280-80-0x00000000007E0000-0x0000000000840000-memory.dmp
Filesize 384KB
-
memory/4280-154-0x0000000140000000-0x0000000140226000-memory.dmp
Filesize 2.1MB
-
memory/4744-29-0x0000000140000000-0x0000000140135000-memory.dmp
Filesize 1.2MB
-
memory/4744-41-0x0000000140000000-0x0000000140135000-memory.dmp
Filesize 1.2MB
-
memory/4848-68-0x0000000140000000-0x0000000140226000-memory.dmp
Filesize 2.1MB
-
memory/4848-55-0x0000000140000000-0x0000000140226000-memory.dmp
Filesize 2.1MB
-
memory/4848-56-0x0000000001510000-0x0000000001570000-memory.dmp
Filesize 384KB
-
memory/4848-62-0x0000000001510000-0x0000000001570000-memory.dmp
Filesize 384KB
-
memory/4848-66-0x0000000001510000-0x0000000001570000-memory.dmp
Filesize 384KB