031497482ff8e39f965f92e6fae9282ead4c5289c02e5902f469490f5880cc1e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
Size

1.8MB
MD5

74413fbeca6919363319dc15a157d6a5
SHA1

6539788a55da5cce4ba523e6f36ba6908566f0a4
SHA256

031497482ff8e39f965f92e6fae9282ead4c5289c02e5902f469490f5880cc1e
SHA512

77defde240cf61b09fd474d313c8759059dc3a639b6fc7eaba6f247a300b6e2e571934c60304aa653ed49230b00d1dcfe88008527a47a8ad05cccb9087f4e846
SSDEEP

49152:5Eo9+ApwXk1QE1RzsEQPaxHNULGQrk/Ww4lo5rFGR5:n93wXmoKETi44rq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2572	alg.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
396	fxssvc.exe
1240	elevation_service.exe
1728	elevation_service.exe
4728	maintenanceservice.exe
3172	msdtc.exe
1928	OSE.EXE
1512	PerceptionSimulationService.exe
1080	perfhost.exe
1432	locator.exe
1708	SensorDataService.exe
4508	snmptrap.exe
4200	spectrum.exe
4376	ssh-agent.exe
2264	TieringEngineService.exe
4448	AgentService.exe
4908	vds.exe
380	vssvc.exe
4860	wbengine.exe
680	WmiApSrv.exe
4808	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2cf07ac234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaw.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aee878b75e9eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f882b4b75e9eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b9fb3b85e9eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c7a8db85e9eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ef183b85e9eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000184b7bb75e9eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd1b0fb85e9eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ddb8fb85e9eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe
2776	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	216	2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
Token: SeAuditPrivilege	396	fxssvc.exe
Token: SeRestorePrivilege	2264	TieringEngineService.exe
Token: SeManageVolumePrivilege	2264	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4448	AgentService.exe
Token: SeBackupPrivilege	380	vssvc.exe
Token: SeRestorePrivilege	380	vssvc.exe
Token: SeAuditPrivilege	380	vssvc.exe
Token: SeBackupPrivilege	4860	wbengine.exe
Token: SeRestorePrivilege	4860	wbengine.exe
Token: SeSecurityPrivilege	4860	wbengine.exe
Token: 33	4808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeDebugPrivilege	2572	alg.exe
Token: SeDebugPrivilege	2572	alg.exe
Token: SeDebugPrivilege	2572	alg.exe
Token: SeDebugPrivilege	2776	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4572	4808	SearchIndexer.exe	112
PID 4808 wrote to memory of 4572	4808	SearchIndexer.exe	112
PID 4808 wrote to memory of 1752	4808	SearchIndexer.exe	113
PID 4808 wrote to memory of 1752	4808	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_74413fbeca6919363319dc15a157d6a5_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2448

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3172

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1708

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4212

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4572
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f582e50bb1c9b4bc2c0f8d7ab70594a5

SHA1
ac72c5d43d2aef78ab39c20436072ace8ed194b5

SHA256
033d9c4d5273118b6e8472c8a74680a097b2b379e1e356871adf4ce2fa9d7437

SHA512
c05ef69c27d52153216ac06e8cccd382fd571f747659e9f239507bd3709c07a85db042f31ecf15f1c81d35424c7aead4ee3b27b6b7e3b91c618ca3ba55a84680

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
97e16d32239048c3d5c20c6c371844ff

SHA1
cd4c6b9f987fdcabd8fba4f2f42816804e4833bb

SHA256
394c3d67a085800224d527aa5bea02c40d988538f949c999176dd04d75fed57d

SHA512
fd38f2534e22ec3d3c06c8246026da3c3e32c8dbbc92f0afbe2ae12f4b5a00bb8edd803e8ec5be913b3d72e84aa642ffd28425f03178a8d1db8b07f6d4609f8f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
eee8abd8825b224d8b966a3a9cdd09bd

SHA1
94590aa715e15d9541c56892b8d50e0caf85536a

SHA256
8c86930d304cd001b08e40fef4f45a26f74f19be8abdbe024277db4177b1eccb

SHA512
418107cab9a1fd5ce4ac45d9dc94088431d24b908694d49c11a8566b2e8b9237c0768d9092ac27bfd2514a8af9ef193bcfe2f1af942e3d03af64aee50db4a35d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e6b032a723769722b1ce88facd53d418

SHA1
646ac7f6af095386ee3c5d8688a1ba6d19194206

SHA256
98155346465f5d5262094a3e80a74fd7c7754defa6ca2b3b38f67595509ca92f

SHA512
a1ad3c1f7637b802ef628e206e5f23d53a58f42b6b12776ce8c78cfbaab6eb07ec2ca4869feda84ee8fc4cf2bbb96c310fb87fdf7a5e809c80493c96754a6cb2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
413a3a531bea793ed8c94f9c21b074f9

SHA1
694208a39a1bf40174b8bf6a091a67bc61a8b470

SHA256
1664fee1557d0e587620be263312deac2848eede7c1a9433c175b127c0177bda

SHA512
5571abd6b0b3e8f1b815de26a9591c0e3fe0432c2691341784925a08ccd6494c7db67ac6d05983c2df29420a57cff9e13b29e5a2e02f58744a752823444ebbbb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0047472b2d638c997a8f81ebbde614f7

SHA1
ac4e7cc080dda04d1cce3d32bf5e1898910c0c5c

SHA256
20dcf46f522417a752a295e2d9ac5dc10f4bdb542b826588a878e55ede00e39c

SHA512
87b7e38ee11e2525f919ac114420e97a663c894be744aee7e67a3fd35e3b49b83f76eba71592d7777025a927f12a49250e9707bf24ac1eb220e62d3dbfea6430

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
799482bd9143a0ccb68a6a38826a7c8a

SHA1
3f4538cfd7b166a2efd464450b5936c43cbfeeb6

SHA256
047199947f2b7454fe99391b938209f5c3f0d194f763c00b46cba40e6aa99b01

SHA512
b891393116c7d001ba3a58d15c12b3c0653ec3b8021c801e5aa2b0a2b2f85f2b9f5d35ec1017de2cdbd6a664087296445c82486af27f098c4b74590d10d99e71

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0fca8161217fdcd8d7454ee0e5014770

SHA1
b3b038b1d557a8e9d01ed9a622a712c0684e14c1

SHA256
dd050538501d1590a87722eaf1dbc1f845b45567dad8ea4e27af35162f89dd2e

SHA512
2cb5526d3b4f423e423339eace1b67f453fff39fe0486b5722a90f8c8d0c938bd3255d85eeee8bf9a1b7be11b26ffffb08ac764ed193dd11914b1a4066bc53ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3be414ba08c780358a1738d0dabedc25

SHA1
4218d681bef56a723fceb2c08cedeac659330da5

SHA256
3c89e42cecf83bd207c423dad6b79e97701c04d49b3cdf81ab5239b120f2a4a6

SHA512
d36fea25cb016acdddfbca20d04a79aa340ae58aa61736c93962438baf33e1944dfef368a5798ff2eb477672b8d15c7f6b205ac509a6ebb3d0ddf168d4362e84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ac7df798a1244aa29b2d805853191e77

SHA1
94308f92122560a05b884ede6ec3bdaa16d663ad

SHA256
309fa10216551e2f7d74dcf4447cd26f68f68ea4c5fefb28ca8f15f95cb10f27

SHA512
ddbe6ab15adbdc6b7152b1d99fd4148c0b1b46d6048db86fc492dc9153d1f79976efcfb9e53342ed38ad9851ce012f9251e271db209d92d6b2683bfc01ac5953

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d6d9c366341bacab35ea546984b3b99e

SHA1
8b83204608421645ce756c31a1c1477ee5aa4d6a

SHA256
81b61442ceb358a028a8f36125f1375b3b863aa99bcb3ec03f9d6b7f91e8da7b

SHA512
0791bf3c97090a9cff4a663c61944db6b56cb667fd99fc8e0a1b2fc032c592f9e77b4701f76727e4a2030003393195cd6c06ba7ec4d95964f7de09b8ab379a57

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9c3b77ba198f3a0473a7cd07694206ff

SHA1
2a0247f0a1584a02b014f12ba59e4d4f3a1a11d3

SHA256
de288e579da48ae1b71c9f550b9f5bce149143c15ed62d596ba549ece234976e

SHA512
fa7341e2e73cecaa36a89b087430a9a7b4d06868de4c8a1cc564c3da0ca78c1a8b5c5ebe27be0eb0b014e81da974533dfb8def57a2fc310407f6df9325a0123f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ec864e6875aa2e6398a2bf1b07a0f0e0

SHA1
f02d6225d931bdcfb9683f9365c377cae91587ec

SHA256
cbe8ae33f9b4b3596b29b95cf5e804517d8a6ebb852215103c0681e617f33814

SHA512
d34cec0588eae3fe411f532fada004f2e4ad827ec7b4b23fa8b132031e1aeff6459ebb90a74ca281fd58cc89891978398f4ae33ae5b8a76010372f3bc4336bcd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a34e3ca99a3f4133ecd781e1e9a782a0

SHA1
2b94263e62a4470cfd7605117aef73177e4d2230

SHA256
94967401a5e0c323207ad6f337bf2bd35298343a05873ead055b2e6cf6588cf6

SHA512
9831a76531f128e3c1d255b5844b19d7eb89911d2ce4f780bff8c81fa2b74a9a51c4156c570889cd1f0da15382fefb0c60191ce68a1463d697f45f5aac0f346e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
0f1c2b5f3409321faf1b0d73fd3dbb4b

SHA1
cb7b2eb3031ce2c9437cdfe46e4f2421b11ca39e

SHA256
3f8270befd0d94d9391e373d45c97e08828d5b697957d42dedead79693018b7e

SHA512
04675174ee26ec6bc28d072c792031597588463e2fdc92ab3e9d8c27e7d57096283c16348e57c45e264aeb473cf286ed6b5ebffa2d009a19f80b615ddb7d6116

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
ef5f60ea921b09e48442960cbdb95a05

SHA1
a7c4eba78652ffd089e23dd5f7dea6a9cbbaac8e

SHA256
ade2fd02a3d899fe2abbf82e76f0a08e2d42ac2ee73f2ea465cab06ca6a6df6f

SHA512
803643663382ac88d35cb0929906cab5663a284ea95fa3554e91d8ab4dd4a0635c85d5be3e81e3590b10374d552015eb75ed7d065345e58453b4880e52a415e6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b6a0504ff0ce44809e4c2020af5b2439

SHA1
c79007de28ae68037c54b51a43cfb2c4e5fe05a2

SHA256
45de75b0091a4ca3a1ecaee08fbca1700868489606fc236f019f7443080211eb

SHA512
38f774febaa79c823732e016891cb655ca3208f88a8903faadec638e96380647b199b2862dbe7a7b2f44436d7ed80fee872ffbd3a8496c52ee22f9a82fe2f3f0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
06e0aeb8416f4d900597ae4db1474696

SHA1
415a4730e120659a6fa33a592b04d1a3628221eb

SHA256
9232681b9d4eee89d4ecab8b8af8fdbbbc7df4e7bdb8779313945ae4ed5fe93f

SHA512
f6e47c74c99f4c07cd37d4ff8e27f2f7a0da0248bc23882fd3d79bd2d9390040b1254c41fd35b45da1f092bce02005205eda43f29cd892b7f247d14dd2a9735c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
703aa7009a9a12d66b115b1dd16829ab

SHA1
b9df572c6939a7bdf512ebf88442b7cc77245c34

SHA256
c2b79645f83118446a7fe87bd88e63feb95a237e323705fb88392c75a093286d

SHA512
33aec38d670a31d04f0906e0b2bbbc493fc98a09d0964dbf08c0a45bada699e49fcba2fe672112c7513d5866216503c489bc719d390cd8f0a0422e670ab995c5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e1a1656420901f23b6d0d403d9e03eb1

SHA1
4d8c0105c8b4589eb9213b642874bdcd8ce7f935

SHA256
ce32df7672949bf2f2403f0f999d5726026adf7d4b66350a31a711d82e5ec788

SHA512
cdaede7c7c024f1cc3082b336791ef6432ba3d2f4333b6fb2fb59ce53e9848fd4a5579c8cb1dc2f19b743a9fe04e789b4cb890e411452fdd002b246bc69ce8e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e2f961d5e8f6c5c1abf493d22bd08f30

SHA1
76c8ee354cd6790f64dea4223d7334b4f49c2e43

SHA256
1ed72cc4f7c71b84ab1b749680a3cb256083adc66f81f619a7ac456d0c8cbc2a

SHA512
23ae5050c6d091b2a815d33cbe4ae70efd04517ac178449f00b5b9fe9294c1393cadf98b34143b75d8fbdd821d69969d49c748aa49892559e0ac10805190d9f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4f7e2ca036514e4ba7f10f284582ff3e

SHA1
8e2ce86caaceff087c4453f7dd138b864e00d778

SHA256
2ce711efad7df23314bf1d878b239adfe601be9652862794f720d7cf5495fdb7

SHA512
f6a581bbabae021707147ac468831178bb2567a54b8c357ba0e99760a9278b67bb5dcb78a859f69dbe876af9a86bd829fdb96800e57c40407217877839f98af5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
40b4ae1dc40a3d9a9b1d267c1dbc1c72

SHA1
655d28ed0733fc4658ee5c54e471a958b5ec5013

SHA256
e9186d0035be4b2f261c98336a7e88054abb6c0a1b930b081e562093aad36c4d

SHA512
6f80d7b60ec4b4bc3093dacdfaed6ef0f3bd5506fbd49824a7fe8f830bb471962e3599a6b03df2f3907c4b6f7c3daf1d752fade9cdfafe2a4433217d1b860dfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
253c07a22912567a064ca0e57796ce90

SHA1
7c22efdc0f4a6d82d407657b90425bd881984e03

SHA256
9da7527690c646d10aeeb74e0c4506552dfc2750312ce47e0a9170dd74b64724

SHA512
dffabc7450a02d91ab23d7c7a7b016f1606efe481bca839c34ed9bc5645b5154b58cb18d5e19b0a5e21100fdebfe214334cbdd2668e34914655134baa122a730

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4607fe4b63117788a1fb5418e019b88f

SHA1
984ca844aaf7bbf2d926e6ef57b7bc5c96e1642a

SHA256
e1b20972d4456ff98ec1f42510507299b3d5e6b053ebad5d86f6b723f38da6ac

SHA512
1923777b4751256bc9109b34e3d5185c66499fa1f07543198056f4a3f1dd709cf3936924eb28b0d1833a74256c40aa2118dff99d1910b415c74ca0a1004e33ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f20ea242f391b1a48a26cbd5efc0cb73

SHA1
1f1695f203b8ab93279224022724ed4f9e8a2525

SHA256
7d3b014be8859284a6d902224a583d458a39e1ef1170570c2517e3a5d7951fdb

SHA512
8b045a2c79cbea95c34074001c85ab5630088d6b790712f0d5c909346281ef27bb8471ba59144d4c52395f2a894cdfadd463109fd2144c62f3e65c81bf8ece9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7fd998056e5b4ca559e28365971356de

SHA1
b1232106bc740e6a2504e6ac648567f1dae4c75e

SHA256
ff34c217edea345398c75322ebbea7a0e379dddf7b205c0f5b88435229d2e96d

SHA512
365b8a83ff91371111c93b427955bf288aed32c6aa7c190903e61d395cdf7821de7b23b92822238f27f984c629f2dc530147dc6c739c84e11398bad24b2a9d89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
dad9a958245572e0544f63c6de7bd596

SHA1
a8fdf73260b07be0a514f36ea6d3926f8b4c5ce8

SHA256
d4c7420b4373301c46b5ef0a0b8f66fc824c3ea4af5f5b2f43e7a3820c6ecd00

SHA512
b195913f386fee56006fadfd9fcd1b756bb9c1e5233c2d8898ab876a4a116c7118a4667bdce9b115edcbc73f6119068f22bf6213aabf55d10f0efb8ac86e7cfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ebeb3b2deaaf94b0d2a2321092d9b40f

SHA1
1c17bcf9e263e2a7690902789d3e6ce7bbc8e789

SHA256
5218b85ad4d912145ed7e90bf7e0d71c365484ab18421f5b259a441ef2cc9895

SHA512
acf250e0178a1c9e3619eaefc06139cd83c5c7b0a597f19aec77e33160669e5c6e52a70f4dcabc500651dc5dec7a36ba13a5ba819b160eb22d0737e8b32874a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4565bf5e61415fbe472f2b43592a2f95

SHA1
aa74c610ba931cb5c203f6e10891c03a34a98c34

SHA256
550206a9ef7d8ae74b10415cf7d25d2e66bad0c285c4b5646ad8e645d4095f2d

SHA512
b1066fa75a16b15cface38e79943fe3b2c490308fe918df0c208db5fcd3b665650f71d1132cbf8bbcf9f6aaf77f99dff2c1d42a3ed8f8a15c23513bfc36c86fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
99ab97608942afca385724953ffd58b9

SHA1
052302d58a5e9a2381e01c7fc2d755cea38ce7aa

SHA256
0bc08e55e9c34209425209b4ec4609f60cfb4f79e99475b727b6c903272df508

SHA512
5d923e784e7d84a788ba007c435ff9e8d8d1edbb36ae33e5eee90b26faa581d25b335fb60d29dc84f23b5ecf2fdf4aa600206a22b0120f724559d3cf4d48df8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c7062c216b281b1a823133fdd6977638

SHA1
89792339dd015fb4a288985925026c54a7ca2db9

SHA256
6d264d59d1953d6145d755726da05842ef293dd520fe87fa330216c1b3015acb

SHA512
0d9f25f14dc1a7bfddcc780841b341f9888d6db44af9c64a8c6c2e832852e6cdd535ddccba1b20e418942adbb8168f5ee7304e35c0b40e4e44ae060c2f61a687

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f71695d3c64017c87e246285bef19d09

SHA1
cdc0b67259c938a651a7dbf0f66a370a15a7f78c

SHA256
e15d5957f8a6da1948b2350bc943dcaaed2204f543a52a282d46ebec5c114366

SHA512
bfea64dd601eb881fba441475a87296a4cf9a927bec87b0884dcedbfd07c0cde2f8073d0a50399a349c3f90551318331b1cee8e78e8b20a482c1c0bc365e31ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
24f30cd8dca3d00bd19f4888a20407b1

SHA1
1128bd55d0efd1683dff0459a44ed66950e843fe

SHA256
02b6e35360a5c5cd649ef951ca76bcdabc6402b61d2fc0c8ba47e1fe18ddf488

SHA512
837547b667b64c012bc1c484d8b44f3881925d7ed2fd9364890e7a407c7dfdc60e6ab57374a8fac049fe4e97e3ea129aa631710078d40163c0db9c06f48d8d01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
06772e084bf4afc4e12c1282f947390d

SHA1
c0171719a3006c930c0a8283b17213f396450b31

SHA256
b4c04487cd6ee7f2cfb6cfe70bab905a17e1b1c0452b1bcb4f5ca6f6945b6ffa

SHA512
bb3d3aede9c5c2ea20abbe8f7610977532aabd40c2cc07a06293e2434d54c5284a5f496d4a42f2c85554b76a3cd6a5d975ebcd826761bce983cf93a35f69a096

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4bc4428bfeadb4acdfe26a5e170bd8cd

SHA1
49b2c4642906d1b758c90361f6503de4fa84df6e

SHA256
135d8559086f3e636a3684e3628d3f4337157372048ec9f422b8d9a955fa17d3

SHA512
06d9106ec79a80e5c9bd1fa98458b30cdaef177eac7555f9980b2c5d6494cc2bab050706c9866e495c36a6dff56b6c1050f043e4b5c70d9fe729c225b9740f67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a259fe75cae4d8de3601f19b3bd6a86c

SHA1
3ca09d48eb0c878565606acbd8c9024c5a28967c

SHA256
6fceb1befac22e9c0a34ac8ed9c838e52b36994c7e24a882dd7e459100bd63f3

SHA512
0f3fd9971d3364fd0d4a755064bb386beed6e5edcf27e5e2a914696d8826eada107300c31c08c051bedbc50a2453cb4fd2198a5e245ef414157cd09687a359df

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f3ad6035a6398da3b4665523a4dc55a1

SHA1
acb3b24d5d1b7b9b3a4a81946c7afab08fbbcb37

SHA256
5a346b27647012b05c070bcb12f367d1b7e4e115108ac9cf684246cc221c855c

SHA512
2d765b6d6683b0511c0feab71402fc262dda3c794d2f618e41990c247a896c06922addfc62893d1f6a9e5e199107524afc85f274fdca02be01b2bb157afcd01a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
310b4e1511ea7952ceec97225265bc77

SHA1
007d9a60c7e01486503a9b2f5ef321e3af957b81

SHA256
46b089db45a91761f443d84a0730fc07f228c73da0b45b84a423f562c71e5ee5

SHA512
4935e02fc35be935a8506a560d3c457fc8157e06c06ee8e171bd9689fe65e157343ea1eeb8cf3d560d2030843d36f2683f1cb89ef302317a6af588c057fa67ef

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9e686cc5ce1952d9edfb6316f0c5eca7

SHA1
deeb50e029ac3ed46ca095d736e1fc98835efc20

SHA256
a7c8b6c814ee7e740fcabc090c1e9793a91285e5a08da23e16b9bb98ba1da673

SHA512
86ff09b91c10b08b8b4929b1ad3bf1011103756742e34e8497dd09035b24d093c2a37310e677c801979c77fbcedcfa555a7bd2b9c453ebf47580bde248ab9370

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d806988d7d27e8937c09bc278c028266

SHA1
1be71246ef1d045854dbf952e4ea7f1a06ebcf1b

SHA256
febde3a53fe62c5991ae7ded0154a3986c7f9fee601251967e4da33ded4dfce3

SHA512
35fb3d49c552ee0a0f7d148d4ffdc1c32dd832915aa9d7956ce4342e8145f826fd62e6df5d298543f648c50972cd8bf1ce32a6bb324d11fd40f61ade224af39c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3efb2cb1b13888e077d3d778cb05b60f

SHA1
41fa08694e4a152b555a22d489942e531706e58b

SHA256
3a58c4a38bf219aca587144882eec9f98c3b93e8de9352fc8d60495c23c62cd0

SHA512
b3640834db32bf69a08b4d305f59a9bd2e0058dafe8a919e5d0a8c1a42a998661d17e80a60c0f8473675f0fd879dfa42e786f30738ca6e251304cd9adeb352f6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8264795958e12033a4589e056737ba86

SHA1
8806e685af3f89b499a7a0be51e56b4140953faa

SHA256
c8561dffed0dbb9c25305b6e171b07516311e053e344e5862c74dfa66d609225

SHA512
c21d3a039a8712ea1ba08e0c6118be67df851acb55ebd060576273de7a9ad1eeaec508ee2fbd5a7016a473e2a1bc38450e8d22662de7786c74ac8b7199c75a31

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
800fb12e06ffbf5bcf2312ea0bbe8e5c

SHA1
a0db0b8c4fb2d855ac0326c4c4d582fb96bd522b

SHA256
f28b3ca66de059b7cb2d760315405e6c955f9cbc35eb706b607d1acbb69cbfd5

SHA512
c80e62028d60ab58fbf0724661e5a79b8cf4a4a2caecb543ff429f21945d0d7ecfd822982b4f78bd266cca6649f8431305fe6e9c03046b668b092136dd5d83ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2d39a2b916f46218233b051b1422605f

SHA1
2bb7cf7377ec164fb910aa614ebee08a8d70e79f

SHA256
a1dd1d9852613f47a2bfd05bb6bf1ad4d43b7e11f09eea76a08bc9c1593c45ff

SHA512
e79e85f2e65d09e4928d564a9ffc1d49b3f19e047a782ad6f905e0ed842470e3c877fd32b101c1b250b22f95b4ed260e51f6da5a254e536a4e8c27d55e5f2391

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
dc21166938119138e5c006166b494418

SHA1
df1ca7239e84b87781dff5dc116444583084e3ed

SHA256
0410b6aaf8bd3aea991a38a0eaf9f0a06799c12888603ead8dbf4cdfa64493fa

SHA512
9d5d6da3810e788d1dcbcd8db6a4015332cef2ed82ac32e7d81d7a8b89d6bfa6c858547a1e508b25f795b62d2bf82f33d39f97698b69ec60ff63fa71be2d6873

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3d22f0904ce165bfc03d42c217898090

SHA1
fa46c4d3de4bce1addebfb22ddceae9cee92c876

SHA256
b5054fda706003fb7b574567eec5100ca6e8ca6b1792ee14cb7691adbd477d22

SHA512
d7cdd0c732236efcac3b001c6c863880dc371cfe59044263eaf6f5c9619f74aaeb6fecd4893f9739ef8078235dea9f7837972a31dc8290ee6271f1fe0ac2433f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c9719882d5279b91ba945fa488ac34a4

SHA1
a811c1cedabe529ee78159913301a18d6efc69fd

SHA256
ca9e63b7ef410d0c3dd0526ef92c532a7b3e716081379c47ee3bb9b220c4a2a5

SHA512
e4cf93fd992413432939f8b7602cabd1e637255c48205982be5288403b9888d7078f8c97e31cedbe87167ddd13ac4dbc5a27d55d5b1fb3bcb289564107801aea

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b278350cdf1a5562f1fbf7c6aa91b32b

SHA1
e7a59be358f2555da2cbfd7a85cf329ec785a12f

SHA256
290cf291bab77d4aa998acfad2bcdd1820bdbfa23df57eaa3ffe4a86acf3139c

SHA512
c854df595238252e0961b6d91e0653a14affb72dec9903664ed16eac2a55aa38b01c88347af19fa3de4f9659299260757e93674a241b5c02a4cc9bbdeae0381c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
24ec1a0806d666ff43aea91296c710fd

SHA1
5a6081547c426571f80c36fadb12383537d7d7b8

SHA256
a98ba6c77861382a3c794b20d65ab5aecc8107fb1913d221aec194283509a263

SHA512
c4da60c6c6430c1c92174eed22c0d7f2cf4c888786d8564cbc3048c423f8441f6c30196df9054eaa3a3e4891c47aaff054336690fd30a4ce85f0fc8d78cfcd54

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0fddcaa468f4452cfa279801b92d2f60

SHA1
20deafef0e5c001cf85ab146ef76f6773269f4bb

SHA256
7aa0561b08d27f42080cb95c797ec09142625a6b4775ae1647c7211dd5e1c209

SHA512
d41c4ca5a775da9289259357d3af533e5ae7ae62fff3bad6b3d81512b596e024099d995f2e5f80a181583f1827531b62f421a4121d75b287ba8f5054252be182

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e1cc8531e43eaa6b95450d9355573893

SHA1
768801a2b27ad27b6d0a9afefea79e31c593691a

SHA256
a8801669c4e6a94b521d066b86c962501bba9a1fc85c18a32896b6aeaa3cfed7

SHA512
ff77d57905e172f01c95f04819a2f52a9cf5c20ea9e99802ace6ed60161a35d951da8f3ccf82edc439597e916fd7c0da7dcad2c4a6fb4a532b7fb925d3fefb43

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
69b3b975ee236b9b6041afeabb823297

SHA1
029678ab99bc0caf2f9256847d9f93104e7cff68

SHA256
33e9d045d4818b79e191c2c4c6c0aafc294450fff8c01c8c0a6ae9adbf4ab36d

SHA512
82318664111def9fc17dcc9e113ff771bf1f3c1b90257787df98153680f75b7fc145aa368769259e87ce591b5575921f786f302696718fba6f5985ea7613e59d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0b0d2b18b813512507dd6c58aa20ab3b

SHA1
2eb762d2b9a6c3ea1054ea872806280c9adf6b4b

SHA256
c2829a8390dcae7f0096ddbcd9b97c3d963be87288dd9d3573ed2841abc1c29f

SHA512
c28282b362d212ed598f3c2f79c235d78343c434b203338ae688e956bfaf86b28c29965ee2572d0bac7e2bf40491a6a67cbbeb1cef6f12b4e48be3a789675181

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a183609432d47c96fa59bed40a9794fd

SHA1
54b64363f668ab540b9b5372e21b126b6b499802

SHA256
6e5b78887fa3743d10bf67488cad955bbf6e849c3fc6b5334317159252e42874

SHA512
317169a408147b5ed75d4816ed6623ab34d76e13af283dd9dfeaeb74981b9ccd8f8a3bcbd9ace1f9f9ba6b96a9297273c9cdfda4ed1309710bb0a87d93b50d3a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
35e52a798a18407884e20776a1c9ed9d

SHA1
9dd0030094b7f225bb558ac42df00d449f5d372e

SHA256
23c47d941dd57c9822b95c3c863e0c865f92a76ef1f8d0158158e90c375358a0

SHA512
cfd129bb0eda7275ffb4c9cb81b898302dba873494045add4c6f843778777d6d582ac0e17d12ef9e112706084eb3ba69c38de2951cef0a7f00a3da71b850e33b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c6be9d10dca63a81b72e7a2313588d9d

SHA1
79d2a4c64ab4633c69bea999011b3fcb7571e6e7

SHA256
0ca5f8ec6c9138df08d4ab009a97492b53821bdd7d7fb2daaa326d09f92c8b5a

SHA512
267a7b85ddaff869555effb6f11551932a6bd68a8b1e3dc637fecf76215c8d958b959084c098dbf59e35f701e4fa00c691b87cfa395d47c04cd9ed7da3fdff85

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
28a1e643cfcf7d64542b48f643e8314f

SHA1
d6895c1a3e7ddfb30a99d675cd3c403800ead75e

SHA256
dcd9f6d517908e596355e3d7171a7019871909ab311b1e342715b6f483962e9a

SHA512
be0d92198279c6b50750efe92df5ec3e17add665ff1efcd328f53a5a7de65913184ed1e1bcb2341fde89475cfd8b01c019cbd9091a28b69ecdfc84fb04e3e9d8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b568bc57bc30cb80bffe2354ed9dc43b

SHA1
9de8a8e5def2107693cc1dce3b43a84d9f10db24

SHA256
56ed3987507a6a29d869d7eec26aa1fe297b366676d37810cc693e4eb7a53cc5

SHA512
d662a5e75551e85f07afdfa3f86b28bc676e3d921b8dca267aa4a29b3602523882fbdf55a1238aafb3428fdfdf4030cb2564f78f6f4854fc78c37f5abd92035f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1f1637c5c3a79d8cf6cc51a8b1a2f6e4

SHA1
3f065fa535997c269dc48d45bb1c1d050ff6ec77

SHA256
2bf76cfdc8445ba4cee85693fcc45804c89384a65615f01ecf6e09f7d09835ea

SHA512
e2fa81b2fb568c6076179419aca689b2d91aa42d3c203ddffa5c7818355ff4c85519441668a04aef1347d32767d44253224a625a0a9dcd385ece16e2c08898cc

Download Submit
memory/216-468-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/216-6-0x0000000000890000-0x00000000008F6000-memory.dmp

Filesize
408KB

Download
memory/216-8-0x0000000000890000-0x00000000008F6000-memory.dmp

Filesize
408KB

Download
memory/216-1-0x0000000000890000-0x00000000008F6000-memory.dmp

Filesize
408KB

Download
memory/216-183-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/216-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/380-273-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/380-681-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/396-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/396-61-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/396-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/396-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/396-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/680-682-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/680-275-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1080-187-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1240-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1240-674-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1240-48-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1240-54-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1432-188-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1512-186-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1708-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1708-544-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1728-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1728-675-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1728-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1728-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1928-185-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2264-680-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2264-272-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2572-279-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2572-19-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2572-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2572-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2776-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2776-31-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2776-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3172-184-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4200-679-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4200-191-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4376-199-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4448-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4508-190-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4728-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4728-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4728-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4728-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4728-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4808-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4808-683-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4860-274-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4908-280-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download