bf736ae4b3ae29681471d029f515673796e0b4bb03c9a22479a24041b4374fad

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
Size

1.6MB
MD5

2addb95a599826f7ba251140b2054499
SHA1

6b0de87870f52e538db8786ef979ee86509720e8
SHA256

bf736ae4b3ae29681471d029f515673796e0b4bb03c9a22479a24041b4374fad
SHA512

e0dcec7fb7a34729e284a0f39488766e0a829eff46035908557fcfb28e757d240cb08202a3f35932e0d28d50d967fee2b6fc5546582a55a4d5d9d226d279152e
SSDEEP

24576:H2lmz4R3SRQ5UOOU62FBnO+E222YJbNEUQKGOb:H2Mz4R95UbU62FAQ228QKl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1216	alg.exe
4740	DiagnosticsHub.StandardCollector.Service.exe
1916	fxssvc.exe
3768	elevation_service.exe
1108	elevation_service.exe
3612	maintenanceservice.exe
5084	msdtc.exe
1732	OSE.EXE
2336	PerceptionSimulationService.exe
4904	perfhost.exe
1912	locator.exe
4824	SensorDataService.exe
4752	snmptrap.exe
1544	spectrum.exe
1916	ssh-agent.exe
2156	TieringEngineService.exe
908	AgentService.exe
3580	vds.exe
5044	vssvc.exe
4868	wbengine.exe
728	WmiApSrv.exe
2876	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2b356507b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064dddc780198da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000198f2b810198da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ffef77f0198da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000700887780198da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb95ea7e0198da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f62b567c0198da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079a5797f0198da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000574e4f790198da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000c1ee7c0198da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
Token: SeAuditPrivilege	1916	fxssvc.exe
Token: SeRestorePrivilege	2156	TieringEngineService.exe
Token: SeManageVolumePrivilege	2156	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	908	AgentService.exe
Token: SeBackupPrivilege	5044	vssvc.exe
Token: SeRestorePrivilege	5044	vssvc.exe
Token: SeAuditPrivilege	5044	vssvc.exe
Token: SeBackupPrivilege	4868	wbengine.exe
Token: SeRestorePrivilege	4868	wbengine.exe
Token: SeSecurityPrivilege	4868	wbengine.exe
Token: 33	2876	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeDebugPrivilege	1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
Token: SeDebugPrivilege	1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
Token: SeDebugPrivilege	1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
Token: SeDebugPrivilege	1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
Token: SeDebugPrivilege	1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
1600	2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 5616	2876	SearchIndexer.exe	122
PID 2876 wrote to memory of 5616	2876	SearchIndexer.exe	122
PID 2876 wrote to memory of 5652	2876	SearchIndexer.exe	123
PID 2876 wrote to memory of 5652	2876	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_2addb95a599826f7ba251140b2054499_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2204

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1108

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4824

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:728

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:6108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
acbda13cf5fe4f82d6fa17e240d60ab3

SHA1
9a6fbb4ff18a464086dd915f1309e9e748bffd73

SHA256
f31f9cc37d4870119f74255fb923790f2dc98380cf980d5f9e72981ff7cf53d5

SHA512
23c011b4ce4ffdb9de09c217dfe2efa8704478512ce4f5d779afb91f33a780850abbda804cdd90a77401e1795e8eb671013adb2a3d76b20d593a30a7330fc9a9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
51289dc52f522b8c3e2ec178b16e4eb2

SHA1
3ec3b7b30c6b29ce9da3624e98dd86fe1a73b6a1

SHA256
08eab26aae773408b073688260691b4ab8cddbc515e1a5113668dbcf3833f61f

SHA512
09ded698b719f01b6732d7cd21a08daf9761e2ce04d5b06b5aac7468221ff7ba3a84fb88f83088bf84d99294718df2da0746d683b3ef3721708fc3756e6cc627

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
896KB

MD5
eb6586ff50bb71506e925180b2dbb7c3

SHA1
a8cee2ca399cdbea0a84bfe0ed79c91f751ed6c1

SHA256
73203b07ffdc683223291da2f0f4eb4511fcdb2c76ffe9d5aaac9710c7380b8a

SHA512
5acc9c501cb4ef17e4559691efafa60e09df46e6d4b58f2a3a4858fbd107d855a6d96a8198ae803d539ecb29f93a9a7c7e29a5026e2cf9f57c34bb5511688fe0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
832KB

MD5
985d5353318df3ba3aa50072d22a1aa4

SHA1
c084ab0120cf18e2cef4131b69717c408d8d2a26

SHA256
33030d67f4829f91e614b7b1ccd26d1f9c57787948ace38d47ac1b3d4e737dee

SHA512
f74877f4cf0c90da543964c4531a2c5b8c6f02f9e61256fdf6cb420514379822f70700cb0e9be23d3d98e718e1b884f9d1483fd947bf011262a6dc7cf01d0199

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
832KB

MD5
cad9cbe0550f240e3d5635cd9da1e9dc

SHA1
24ce5d9edc770d906ec4e559cd97b707308864ad

SHA256
0fa0d7e43462bd1ae2be9155fbdee1d8ec767d1e7f6e3fb15646bd9d9830fd1c

SHA512
1d7f013b7891d671648c857c47b1d3f48bcf0e9f5e966d2e689337d81058ff46bc7cae127fe340b51ddc286dce2a5f11644bef2d287f12b67ff382aef05335d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.1MB

MD5
43d9a2a211d557415a55913204a4ae61

SHA1
fe63207cd7a544e1de9539149f6789931264d66b

SHA256
60cd31eb13a076569ac01ec8e57d47d0980b9607729239b0537340fbee1015d4

SHA512
9c658eabcb5e76ef9af35d767502957c87c3dd6317b60cbf3285716c791f8ab76557555f325408c3fcf6ee7be60c81ee513f06a8e2e6c248b1abd816825f09af

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
89809438ce98bd988071b1566cc7e57b

SHA1
7db8c17787b66319457c63577af6f0da3e4d7027

SHA256
3ca19d8b6776307840c2931481e83c9bd6adf0600c4c6d0fb398e26fb3d9456c

SHA512
d9548be294f2ade69d8d8d4849dfcac698c2908fb484202531ccbe9767add2380f703f598b2ff057923c2850de706354ed95a829fcf447c171a2c7e43b1f83b5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
704KB

MD5
214dfa76d98100515567e93e2c1c665a

SHA1
da26de0288b2eb57bc8637367150ed28f3d46d01

SHA256
7e3d3aca03452b9d8ee54014dfac71c3c48bbd067346c3da11656da0aaeb4883

SHA512
3d3c5ef9bff54c3125291d348b5d98052a7755132b643df7d7de1261240ebede7507268a028d87f2cad2472be9f467cea6ce6e3210ffe4a3a74319cbbd9a8b15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
70b2a055cd5520a6993b500bce04d87c

SHA1
7050250f8d56a57beebba76e1cdafa9aec0e0fad

SHA256
870eb3ade6111d77683505780f6b576eeb11364d8d4763bfc202841adceb1f9c

SHA512
489e25b0efb0ec9ba16c9f50b590ae041f314fc403b56c24596e2f78d2ae9aad0630abfa49e04c4038831a54e3a2c781ae641274826276220a7d9e775b754282

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
512KB

MD5
8df8ebce649058254525ebc733e5e03b

SHA1
c9036d36aa441cb7ca75880ca5bfde3a270734ca

SHA256
fcb1d7e35ddc4c5f821656852e79285b8ab48255ee08300eeb0521ec5914b1d8

SHA512
94d3b261c718d0e938bd7fef1592829553ffeb75a3e115307fff2acdf3104b809d6d30eb10d00f56a2b6028c8709afb916eaf08a37eb89e99bf45810f8a46074

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
576KB

MD5
7da4f0f98e48df9104d6f6f0d8c19c1f

SHA1
ace383dbb4dc33e25a74caf3f39db7ca1e52e2cf

SHA256
43e397368fd3ea74557df9b7f7ceaec92f4588e4fc7cb3e1f556556e2c393686

SHA512
435f3a8edf8a1a3b4bf7d49f57ae245263436a01f69a9d1f22b237f3f56a6077ccf98fb9caeb0d125ca9c6a009d346160ecfe8d45cbed8ec7ee2d48f30e6ee5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
576KB

MD5
b70cef4d8e197d0d220138c5d72975d6

SHA1
2625ab8751153c29cbac8d8fd7b0c821be77b184

SHA256
7865d56c98a54b50fde95fe35d8ef8f40d759847024cd45d6612830e6ba07805

SHA512
85980195ff4583b2114c2dd5413152c2a3c9ba67014cf3e22c1f34959e149886e031935d14c231dc337c2da633544476e2ef5b304fdc7d30b1c4cf0ba98ead41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
576KB

MD5
14b3504210cc63a309d7066870d55a0d

SHA1
86b800f5d2a81d897aa094358151ac5da2bb7a84

SHA256
5ad9b97b0d0cb65f53a3f01ce221ad497e30e6504c14b6b6b554e3ecf5b61fd4

SHA512
6e4eb50b11ed11fd3d8d0cdebdc81348dec7704d36d9b7ad5dc95d90c9f5e12dea442ee84289e48452863a2b5f5b4c135d96062b03ac3685f6519f8e0e7ee38a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
576KB

MD5
1c58bb5a324a042f1bfc352c0112a977

SHA1
c5e18e79973dce0aa79a6e26d1fe4d915db6eaf9

SHA256
62a916c9fa44f12bc180970570a01f3cd1ff725dbd210eaa1432c2bb1c3ecd1d

SHA512
0c787b73ccea2106f0da5b1c031c9180b5ffb24c85faab34d57eddd92c7d9bf5d7d5d4b3c9db359baa96b3f8618ee8148ca30fa3ed31fadd49508dfca51578b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
576KB

MD5
9ac1a5f7d1251586446c8fa21a79daf0

SHA1
759edb67ce7ce8a088b6adae440e01b9fe778000

SHA256
1a07268a9c0fee6989c0407c9858b3b23e3cef9cce49d8da2d76412896ec0717

SHA512
f5c9ef5470982353c581359f2fbb6e3ab4b5a39bb8fbe3d96a0279f05f57a2dadb8fa3b5b14501e6d98bcd54a065ada7e1e792ef57b6f39041e9660ac8a1036e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
512KB

MD5
f2385aab0000c655645e202af6245e4c

SHA1
f78d2e3aed0758219869fb0a0099d60f8c83a7d6

SHA256
4aa2b3e3b813fc6d546e3184952dd90e5f469dfb4ad9e6a630d711adc60e04ce

SHA512
8d4e60aa697a64948bc602b971a76c40e74bc7e7d192867e6d0ca63702b87bd33441f5da4009e4aa95749952898e831e3f8d0ab80d6a918ba489c53386c7e2e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
576KB

MD5
6f21521050500c5a04526f4c159bc01d

SHA1
d01cb05b62afec0b9f736cad2446abcc12ed1ba6

SHA256
7876ed01cfd40e711e9f8c1bf11fec4ad1591a03cbb6aaa12f9ab3e16871ed85

SHA512
25ebf59c416b738b4f2ebaee52231f28b1b2030e348aa44fd502d881081852ed3d5d999743d44d94cabec6a30387db51ca7e4e8af2717c27b410838add2b1e66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
512KB

MD5
b34450eb28189db22cb46fc3cc68ae74

SHA1
1c5d0c352580a78e92007807281243100f638146

SHA256
5b9f7cef8952cc9895053746a1588c9e5b21fb781262ea119f152de86218a81a

SHA512
e696c66834de672b5d6ba07b068edb1c04d84ff3849c80aa5fd7348f77b4a84d868d1e811875d2896341e1e03ee5bd1da16e64cb9ec73237c7111f5a9a7f106f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
576KB

MD5
272fedca4af37ca1df28d5e3190aa379

SHA1
a0bb7f04c1cb92b9e8ff6224baae7207b18a2f8b

SHA256
bcf736955f30aa804430e196d61ae601601a513e3b5d5a3b3205e4463727ddff

SHA512
e79c2adc256c4f99d3513591bca89e039ff63e9639338fc4ed8615b8ef014d1c713d2f5b5fc8cd13e764b2ec2cc2acd9efbde0dc49ab81bc1e178bff5a719de7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
578KB

MD5
be799f22ccc64a4601cb0d027fa57036

SHA1
182d15b71d18a2e746cb377971ebb6b4d1770179

SHA256
caddb48fc80ff022383ff734c4fda2ae05ee9682f29d36c2b632bae7e7353de5

SHA512
501f4f95e933537092740e05db0d4ea976ce88ba6cb485d6f73e135e46b6adc592488487290de623c86ec6f80980085a093c2fdc8ef70f4106d2bea3cce90866

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
512KB

MD5
d187370ed51081b157e7dc53ba0471a8

SHA1
b6023e5464f57792bae3c6b0ada736152c4e631a

SHA256
6e81165a1829240964b1c5851dbe35c28afdab87ec9ab09f2b79c4b4423ffe23

SHA512
f2c469a08f3b43aa235d2b9c93d099238a4539e571d04103064421010764f89cadd7cf2a3f286def9b01abd9757cd93bb86ee965641a2f557dfcfc5a0e0c51e3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.3MB

MD5
0bfb8689b9039bd8635a28927f72c329

SHA1
0ae08a9826b92712d53c685bc45f5509fbbaeeaa

SHA256
d85d12ad0f03110aac3b38ceb99032847a98e8ec4b0468774099eda60ca37aa7

SHA512
0e31d2d1e4b85c5e223a7fa7009d90a8682c9abbcb4dbc5e577c510581aa580a5bc6f160ff645264669433a417f7af803bcad9019fdcc1ad0ee79f30e348fead

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
84d540eee914ba1b264f2468eda0e4d8

SHA1
a607aa899259161536d4fc7d36db6877b3bae403

SHA256
d9eeb7ac5d58cf8ac8e8635866fb73f347106f3783f738cb02cee9f01933efab

SHA512
9dabc577527c79683ceb2d41e2be531a9ac0301adb052f4c5a00b3679f1c9e3bc5e198e6bfc754470907c23054092cb1c5aa8a407779b66d1b9fe67dd4b44dd0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7c167c3dc0dd47914925562a67c621b4

SHA1
ff278260015be3807ee146c199c14ea79dfc0931

SHA256
973ce146f64aa9c20892418e9d64d3691db3b0f73065f6306b97ac56d93ed0c6

SHA512
85c7ed2359b72f6012ac75859a96d482ba216d3bc2e974f9b3761d160a4e624a465cc1774a6525d10795d7864c5d12058c8228ef3f92d33e46557b3b69d57f7e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
60d06187fa4f4c6b9ba31738b40e27af

SHA1
fae41b6d0911027e3318ab01d047200a5d674bfa

SHA256
6e4b747b05371c41eedd5f130edeca2add12f50dcf8065a9d86f6ed6cae62f7c

SHA512
7a22dddbb756b6bd1cab5b50c5e915810079a9843eb7df148f66c835f487e8ca2c1a17f0acdbb77e8d0087b76d1ebd0137e37c6affb09d90608dbf2001ffe600

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
53d22835f38f1f121f56065326f58654

SHA1
0ae7552e6008657ea9b121ac1330de9ea555aae2

SHA256
6b58779b0e472dae7ad53f92f9f453119df77e7dda2ac093a47335310eb58c15

SHA512
e3b190d1951d71dcf6ec93219211ef8c64e9a8b81f442e8ac3854098cd45dc74e2842279205998b807be45b744d54c7d6e2434872da9928c6553a4a8a8a38d49

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
08647222004e90066f4ba4847cf35ab3

SHA1
9aa87b30f896db453d63e71c6fdaedbdca363001

SHA256
10bc7a0fb06df7875868c6ce188bcfebfbe74494ccdf8ebbe766633a324860a2

SHA512
9bba5b8d173f355fdce2a22688bd139c852c757256e38f4c6aac01a80b21ae1c47cbd08eeb6e0a8162c25a186f9c5c62a0b874c6312921a97c27d450577a5ff3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
47ce7538a1fba64bd6e06346932cfd4b

SHA1
8ede0b3ad0fefcd0826083a80548b866dd4079b6

SHA256
77a9f8ff3807e060c35c5fba265d7266b89dddbfa7df0868eb5c6dc963c71d6e

SHA512
255c17013ad642b85eacd14f6c44349fdd10be24c562444db76430e4c72db563cf14f2338ee4f27ee66cff81f50e3a19e59979c01a6de455135af26bffa51fa1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
25338d02bc43abc5b80f47f5fab855f8

SHA1
5bb00be238e551ae21dae88f3ef67261aeae2cf1

SHA256
9c93bb6973bd7c509dfb058d7faa7e77de45363dea99c2c1ee385b1496fe1c08

SHA512
501571f4d46ed0bcc70accb1434250a90ccf43762da814e84a2cbc83a2f69b0edd196e4ca365956c4d4e23d981d87c45f43c65b7c00e3b41fbc4dafa8679e689

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
69a2316b0559e6e733ee49ddffe37c40

SHA1
fe2758860f0d7a088a376d91675a70b8007c1c5e

SHA256
dc3eb87fe9cd4fe99d710c784bb1d473b450e963314a52a002855e76f2216981

SHA512
0ece6b9c766faa12b77447d91a5a96b11f2ca90a524a085347ea4e632b2024efa468903edd7e8e14a9fe794e6e058dc04abbc514045579bf5e634a93a2d7d33d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
84a9151f9883054b7ad0b123ab372b14

SHA1
f0d45912700908b5f43c2dca5423f0faf7de4f06

SHA256
2b43077c7d182c321411ff2b8abf08616a822acf5f979b1115e8fda5d014500c

SHA512
99c93d17aa79e0e68946c28cf1c4a252f6eb1ee4202ec4c48c4b06c88512e66c528be83d5477fe8189af960d2b68bcdf7a3a21c8ab385049ac5f9012ff943054

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
477183106e174b2ea61779fd1d3a595e

SHA1
235fbbc521b98f9ecad73500659d3fa5f749ee6d

SHA256
d6c819f5892d69be6284bd1b14555343356e875a064776c4d03ac833a79fd81e

SHA512
3ca24690b3ae25cd469d52f72032bf90535b4947eb15087278a40785c57a31d4b354244ff59fd267f520c311cdb40d2737a8935cccda3bd0efd474a171ecdecb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
298b13bbbd86d7cad59d79a4b63d394b

SHA1
7e1a1a4e1f89f78fad5695bba18b8165491c15ac

SHA256
c59862eab9ad1c89950537b7967869bf0dc89406f9a0b3e8a1b9350cca2c8e95

SHA512
dd2f92d56857f8e689dd8f9e96cdd4fb61d0dc5ef2daa3656e9c38844d3160a7c463202369753f3fac31b174579ad0a56803ce7f332ae091f5071c3070566b0d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3df933a7ac5d4cd66b2d56a7fa946c9a

SHA1
a19cdfb738052b4e78a404709a555f132dc0ced9

SHA256
6c5621d4f709ce70f975c10794944a9c48bb925b3f1c23d7771d4ef560ed4b0a

SHA512
b75165beb5454bdab502b9e19ae0c12f6f69e7d3d64353a7fe62ef86744b9fd75a4c5d2bd71d19c3e4410838397174358b211dbbb2d1d201cf740cdfe2331b39

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
191624f53e30b6b287e342804152604d

SHA1
1dc7fb9fb6a9c37d058102d2bd95169166014afe

SHA256
c5be2687c82ddb8c2f29ca45f587dcd088f9628b80385208b07db73ebcbf24f7

SHA512
7d6b54d70c108f67e1c50375908de186f0d5eaf9b97168a7884f88cc20291d86bcf053e41498ad3c29b77421ee0058f2759ab962a766cffc27c1cba197143cb9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
40b713d3e5a88ad3eb4831822a0e0447

SHA1
4f08117cbd23c11efc23d1e67ac17bad3b972eb0

SHA256
e5ce3e7e16d886414f1371b850ba1171e88cd4bd468a74e6360e3ea6a11b4b58

SHA512
f4517ec0cdbbcb677ec1442382f1e0a215920172df6aaddbebb7518e580d2d2bb3cadfef58492050a30a9e359f0601e020de54a10e26b84f196e253dea3afe28

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a62c86becc27455c71c62855cc06740a

SHA1
aaa196008cac98cd5e0d7d2bf4c997cc6e0e1fa1

SHA256
fc7b5f7ab0aa746ee1a09459b697e247e560df5cda2c82f3b36fb9a9b3777e93

SHA512
b3fd96b35976efdfc74f28c78b4f96c5cb5b815edaf8f134c58759ecbdc99881288844e76d6e9c489b5e6eb2ece5378a50ea99e9be8c1e0dc48dadfd35366dcc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0c0ebc09cb650dc575b3adfc590916f7

SHA1
d89684f364e8161d741c12e2ccb95c862fdd66b4

SHA256
cf90d39a277f1aa54113d82e3e6a917856081aebc826c56752d272aaa31acbc4

SHA512
e440209a34a9f026de4f17fd4d511a58670b3223c637a5d3dbe8ff5ca859d2c008cc580501e67da84ecf4b03f6539ac78809296121bfb63d7e5b501c43836c0f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1c480f444d1b4ad19cd984510d66d71e

SHA1
e769cbfc0e569b639306edf452f1cbcd3d0ffe43

SHA256
274ab5ab6fcfd38ad58efa4981b14c91b7527fec209a8bedfc911bb5ea54e14d

SHA512
f1cd392fd692446575b0f230a87c759d70d5cea464de944ee7551ca2399b85bbe89a11987310bb4912abcfb7a51f121615afdb4093f34b388926e03a636bb3c3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a05d88057e11d1a41335cebe8a9e7a1f

SHA1
4fbb1512c127a7813871e5f71ac02ccab64edfd9

SHA256
b937ec519e045c6fc9d342dbc8b84c61fc6a7378c4d8c4755af51a85fbae1a96

SHA512
7eab918c0807464105a5964173c2793559417633f37378c0ad512366b7403e8072ae56cc3c4440d6286a053f1921cac7b06f8a14f9db7ef30c9609ac49bcffdb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
00277729a75175cf8669c101b1803102

SHA1
76e54e0dd68ce89907d5f039234a939a1ed6c2aa

SHA256
1d501dfc13a40c7bfddae467bc5f04f0d4e4becff1dde8a954758e3b8fb2b901

SHA512
6025ab180a511b4ec355cddfe849c1cf70298a1d3156ae851e33868b266c3401ee30c2ce51cdef752ee945c5396bd9c905a65fc06b7964908da963575d2a7713

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
854139adddbdcafd90a8bdbe326d02ca

SHA1
70f09678c03d044f4c5362297a93f64fd913b067

SHA256
a7ccb0970418bdd0cb7134a790c123039cc7d35fe0d9e68699b52cad37509e60

SHA512
51ff09d532183286845a050ff6f02aba0d03073e8c929015bf2ae7b5e17497c17f47c3a1df0c07754e3d1c13039bbdf311956b3d2ade5802e31dc487b82af297

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
c2a6d25f44b216b5b8c7a40c84deed42

SHA1
f7f063af2d536891194400e885293ebc8a05d18c

SHA256
a0ab88e8a7586e4ed8494015951d8d7124d3f47bfc9391440265f4580dffa225

SHA512
acf35be899d8510069f105ed1ce71ad718a6a8c94809aa85c68954a95c49f0361bea8802de0edf6434ca3c3719c1b9c9a570ac7164bcedabe139e727e65e7726

Download Submit
C:\odt\office2016setup.exe

Filesize
1.1MB

MD5
7c1bde7bed8fc2c5cbe3c8c60fecd6cc

SHA1
6264eb0871a75a6600ce74298de3178388de4ea4

SHA256
4c5719abd9bc5b7773db3847a261d70109ab30c421397d3f45866b17aa3235b9

SHA512
7e5afa1b5ab43895c570d625fdab62728f28be146db86230ff90b0c8bb08075ae236c1668ceb7c0778f44e000a5510022aa62c5ccc7931a19870627e06c49692

Download Submit
memory/728-253-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/728-423-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/908-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/908-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1108-166-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1108-63-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1108-70-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1108-69-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1216-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1216-12-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1216-99-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1544-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1544-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/1600-6-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/1600-0-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/1600-8-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/1600-37-0x0000000000400000-0x00000000005A6000-memory.dmp

Filesize
1.6MB

Download
memory/1732-104-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1732-216-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1912-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1912-131-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1916-39-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1916-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1916-58-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1916-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1916-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1916-329-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1916-179-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2156-191-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2156-354-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2336-228-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2336-117-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2876-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2876-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3580-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3580-393-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3612-86-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/3612-74-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/3612-81-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3612-76-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3612-84-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3768-55-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3768-57-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3768-49-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3768-154-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4740-26-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4740-116-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4740-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4740-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4752-313-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4752-163-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4824-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4824-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4824-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4868-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4868-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4904-240-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4904-128-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5044-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5044-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5084-89-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/5084-91-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5084-190-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download