ff9972211cc4096bf048c4cd9007b52a98b8493ae8e3a605b78d0e5c60307cab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
Size

2.4MB
MD5

8d3b10b2b2cd3b333d0a09fa50d09f57
SHA1

d1ac329fed87f7f3e87a23b2f907b48327acc9e5
SHA256

ff9972211cc4096bf048c4cd9007b52a98b8493ae8e3a605b78d0e5c60307cab
SHA512

e9ef291486728747ecd9ce96b6993490eaa582bb0a606aadd0aa70725fe231c93bab027d63a66661384cf9cf4a1b4edec503088fff4de47f5858d0121c76bc75
SSDEEP

49152:4QM0WrzrYW3KHIU4idjFEp4OQHmQ/GLKZyf2JJCfsBxd6KFdi2Ga9x3Ek0V:9M0WrzkWaHOidjFEp4Oc/GLK8f2JJTHe

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3332	alg.exe
1132	DiagnosticsHub.StandardCollector.Service.exe
1020	fxssvc.exe
1836	elevation_service.exe
2508	elevation_service.exe
2928	maintenanceservice.exe
956	msdtc.exe
4920	OSE.EXE
3656	PerceptionSimulationService.exe
4380	perfhost.exe
1964	locator.exe
5028	SensorDataService.exe
1976	snmptrap.exe
3476	spectrum.exe
5056	ssh-agent.exe
1668	TieringEngineService.exe
4932	AgentService.exe
4108	vds.exe
2872	vssvc.exe
836	wbengine.exe
2260	WmiApSrv.exe
1928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d9a6433f7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000340440f3a3a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015b26ff3a3a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8f10df3a3a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee72d1f3a3a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4c844f3a3a0da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1132	DiagnosticsHub.StandardCollector.Service.exe
1132	DiagnosticsHub.StandardCollector.Service.exe
1132	DiagnosticsHub.StandardCollector.Service.exe
1132	DiagnosticsHub.StandardCollector.Service.exe
1132	DiagnosticsHub.StandardCollector.Service.exe
1132	DiagnosticsHub.StandardCollector.Service.exe
1132	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	228	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
Token: SeAuditPrivilege	1020	fxssvc.exe
Token: SeRestorePrivilege	1668	TieringEngineService.exe
Token: SeManageVolumePrivilege	1668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4932	AgentService.exe
Token: SeBackupPrivilege	2872	vssvc.exe
Token: SeRestorePrivilege	2872	vssvc.exe
Token: SeAuditPrivilege	2872	vssvc.exe
Token: SeBackupPrivilege	836	wbengine.exe
Token: SeRestorePrivilege	836	wbengine.exe
Token: SeSecurityPrivilege	836	wbengine.exe
Token: 33	1928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1928	SearchIndexer.exe
Token: SeDebugPrivilege	3332	alg.exe
Token: SeDebugPrivilege	3332	alg.exe
Token: SeDebugPrivilege	3332	alg.exe
Token: SeDebugPrivilege	1132	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
228	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
228	2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3644	1928	SearchIndexer.exe	118
PID 1928 wrote to memory of 3644	1928	SearchIndexer.exe	118
PID 1928 wrote to memory of 3640	1928	SearchIndexer.exe	119
PID 1928 wrote to memory of 3640	1928	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-07_8d3b10b2b2cd3b333d0a09fa50d09f57_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4220

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2508

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3644
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4247b3b23167e13a4466f7f5bf742f15

SHA1
133b361c71651482580b9b85b1ee3fef7a038a06

SHA256
57dcc96eb685ca992b8c24de446beb3b8bfd5f814a88629a3b2b79203a8393d4

SHA512
e0f528be3b6446aa56ef85acf4cb1c47944ec9a97cd78ff6f799aceeedd5fec5d20fe57706a0f17675ee3d9b17feb1994d702efb0ac0270dad287df6b7bfe0cf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
f6f9cbc0a14a3515538ae7d23a119f95

SHA1
d32ffefebb1f2ee150f01dc5a448ba0dd93ef170

SHA256
762fa41a4492aacc0a26523fdce581eb6e46b27df5fa5bd15052ee22cf04bbe3

SHA512
fe2766bf07db1cf36be84073352c7a9724e4b55f9bb5b21d0c511320ad5ffe4cadce298e8685583dff51c2a14d4d9a31c131b98ac539ba89fc0be1c5b8eb9581

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
6dbf5ce8e1062867741bbf238140dbf1

SHA1
b50b91f53cfaac09c3c84c9132dc764ff755bae4

SHA256
7b26a32bf225405490232f94efd60b99c856ae95b5ffd4ff241eb1b497bb6ca7

SHA512
fbb864764a368d7be3d5d54a43ba0cdecf3912a5ed0c753e7b153f9a351f2557ebc2b71a12dab0e7ba2df014f4d8df6c9ffdcd6a680e60c76a87dba2347241dc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0ea1f54dcce1a92b1c9a5236b0218e50

SHA1
07b0548c6b1c88c7683fc37d45bae5d96a694ad1

SHA256
21cf85584c7b6eb959e71a0d8b513e35ae608f4c2eda4b41fe44ef85f0dcfb5b

SHA512
29668552ea4c597add403e365ace421647c2bf31d734d86c6790fda3fbc36ea156ce4fa5f633c32bdf46b5cf92584ba069376e5a2fdf708b3030fa38f70d21c8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b978ae7c691e343442a3a7ef7f881839

SHA1
f06443f6ca54ef678bbb610aeb6252e25f969f2a

SHA256
d7d2e581db4cc22cbc16ed3e077cb4de8139cc40be41a88bea156f593b82adad

SHA512
677fa20b921ef0d5f7d4adae520c0cdecdd470996a462aa723044b305f1bdaca7761792e26a78bd2f3819a8705d461b710d19dcd6b66b0f9359d424418a27202

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
8cbe397a9d8918ff38b81aa35a991d3e

SHA1
a202a8992acf13b927a58162fd5b2b48fe1aa1a4

SHA256
cff93d0bd13f73ac30af139cd6579b6728174fcc6cceef6040f9c8f07dfa5b83

SHA512
d413b07ba007073b5ca18535dc97b0ec7ec31eb7cce2ae44f4193fbda90cef9d4839f1b2776d9cee7e1833c7e2b29889d0d5b66e3cd8ca693c1b2a68d168c410

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
d26b5abf956966b38f191cabdfd30bbb

SHA1
c104b0ea2daa51b48484f0ba6d5f455ef3c49389

SHA256
e11aecc4ceec65593b38d2b64ce887a22f96113a144cd6c78682480cf2adb338

SHA512
4b6d094221ea623dedc3e2d9fde9a63b84e1cb22c843d04236444c97446b8db49d5197e39da8b8b82a7a32e48fd6852ea98519a9430203753ff231e9b9a4c9f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a77a9190b22b44fa48684a890b01f3a8

SHA1
e445fa359181f2fecb84786b537573d3befc1f19

SHA256
6d1494a7f6551671dd2885926313f52b4cd942c5642e2fab87fa6e6fa5a39cda

SHA512
33bbc451c60320d6c80f39bad61847dac29ea0b454dc5dc984534ba7522a5672de29c25d46558e73e21b43f4ecc25f926ee6024e13f36f5cf562ebe8853fddb2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
4ecf201b47761833135ddcbb680dd5ad

SHA1
ed9ef97380807be1dcf9f91831fecc0bf8458164

SHA256
4e0c572a0c8e9f1908e6c577b14f4a655487240be132eee4998d8356dba682fd

SHA512
cd7071fcff8f546ee09d8b640ca1094ca69216a1c23a17143e18fa447225569dddab144471e4498593dea9157c36cf559ceace2b774d7eeb4f3ac03b70178db7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f8bb5717d9c59f861ee887d600966e89

SHA1
a9b38213e4c675b4235efdcdef2247ff93cc2cc8

SHA256
a3238c91f4d37d0f37861b54e397032c7ae5c1efdde050b14b75d78789ef594a

SHA512
05ce90bfca8c54479c382dca7b96767e6c62048e583503f137a32dea61a18c72ecf3d1a4d51fd07483de4683eb6e5d82f81e80231c629addfda5b4e0eb207462

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a91550bed83af876ce7a877566096a24

SHA1
aeac3d2a434f1105aa894d8d609208952b93b4f1

SHA256
dff9f6b92a360c09eb75172a2e8c4d4c900ce64db08776e68614e37f8704f9d0

SHA512
8a7e086a1aea44c88e820a6c2cec95179da0f45f9ec741f2d52bfc948fb4beba977212199b94727911748894858c2d3743273d57d71a522124181868e23d89b2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1447929895649e89dc34947195d6df5b

SHA1
35eec529b30f6059d38de2d614c59653c5d45032

SHA256
0ac143f482767370551130c96735185ea38d6fcbb7041c0e2fd9d0e4bcf9c3f6

SHA512
4d677fd7056c2ca1fb34bb0b9ed4fea8372b78418619c5fdbcf070ec58d1c41297509513ba8822871ebfefb6e2446c07b89db07e8ac8588cf19ac42ee1c9f721

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
03e56c70f6c938cbfa7bdd11b538ce04

SHA1
63a1c2d2395a105a0283bb57a2be5847575e07cb

SHA256
725bf0cab21595226adc583370c366be4e7ced6b43b8500276352fde715db520

SHA512
d9b0faedb0a674652e5e9645886a5cdd2b532b59737ce5d984d05a5630499988b8f21a2ddf8716def46040b5ad6695fd84858f4a763b3919cc06524c773e78a7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
482651120c064b201803b7fd07ed82c4

SHA1
e693764fa8e7b2813749df37866f6504de32873e

SHA256
2fa63ae030e01b80457ce84b5c85cc7dabc16a804b5918b6dd23547bc5493c08

SHA512
3d9d3ed278c1115ebefd8bf3971f3bae6b704309a7e5f345a448899c2f7a89bb29046c3ce60e0b4a6ab0153ab84fe9b82c90bf0dd1e0055e5bbe96d5adeea6dc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
52541b75c7aeb3597a4b5352bd0a4e23

SHA1
72199bc496a606bbea300d45d907963af55b2410

SHA256
cfd570468b159095889aa0d51c83e575a285dbcfa15326c70e2f8536650a0e5e

SHA512
055c3ddbd098766877789d5be343dd85953ef4d7c39f582c0f5d28442d03370df14289e80bba5eae97f59661e54d92bb19f6e49081414bdd44859d46781735a8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
d6e4f1b3b9112d6bb6c3d8de2a8aa003

SHA1
9bdd2ff427b5a35e955386433000582f23582590

SHA256
ddb5cc2e35289ff3d57c878e5b5b7410e9869817f53bfafff7b6dc04fcd030df

SHA512
55773a0c474611402831bc239b5658ee74edc384facdcfb735ab1bb409ee10d9540561dc8b586bdd62fd738d0b4ebb9f9859dc88def515ebe043f4998039e99b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
185ee5ff5b5df5c261a1675c072a9ae4

SHA1
702e0bb9c06f908f66d5d686ca11f029525aaa84

SHA256
1eebb77edb8afbf7ebc6abed56f0266f50e99d8df9ad506ab97ae69b6fc7534f

SHA512
93037edfab7922cde2a07e286c7534fa0edf86e120a7e90342afac8049543a3e7e69966627b5987dbd219fe9ec2106ce665c1aef2d430386fe816ba8a9546836

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
94a285db218dbb1754d1cf64f5a9d94b

SHA1
c535cc5ae99d25af35a582f88b2d89e04d7308b8

SHA256
8bfa262d5258ed3829d347642e05cf07f10731bde8f9f169fc3215e69cfdb3ef

SHA512
24fa5816a63f13eb0f76b07bc74dcf6abf81313819c71cefa6afd5509a0cf05fc166fc1611f6a1ab9e944ebe5ff4b8af948ac3e3770e17b48d6a9350fa1728ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
df5947327320d438157b3600337af0e3

SHA1
7921359cddd550a1d37898f10d09c2738529e455

SHA256
6a584e59f4c0136cdbe3217838b41735d173ed26b330f6ca3e10b29997324fcc

SHA512
10e06a07195779333bc36bc1c438e6bd4c4622c353e9b4dc00aeafb43f62e4435f935c9e79989e3c8b01d06c619bc625a52602b3727d463037a016c3ce83c2e2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
8099d2b49c9e78b8c57ff9d86eaa4b22

SHA1
53bad3f38d5016d22bcf1def3eaba64824cad276

SHA256
e74a46dc3a2c1066857bcef9fd8a2e19f20ab82b37aa9b7e59e58e6fd8d86220

SHA512
0d50834e93002d537af8cde608d4edbf180ad1c85726f7a34d8c69f14f292ed2e9e57f58c91df78a534dad32f47d93b150dc8bedcd98b9f7602c2ce380f944f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
a81ac5ec00eb8f81b000c9e5f174f488

SHA1
137c7979dc298d6d4411605b4d8657fc7693417c

SHA256
3280a24107afde9bdd06c05bac55257ab2b529c85171519b44e84865b67b8b87

SHA512
f7a2502e5496e619c0a02c7dbb49acf59c350a9e3c5c46bfd04c36de8b9f74c449a1382cf5d33761d513b50ec15a9539ce886b93f4760d5897e35c4256992b05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
70f5f8553a276fc36acbbd7982d892eb

SHA1
d930c57cd5a8202b5c4e05b8a6726c6250ee1c3e

SHA256
269afa0a63248af9769e6937770bac500d488b845f2e43fe82430478e9f591cf

SHA512
c6b795b07a2de46586a0d376afb53df66d77981c5f071e70380692dad7c417c3cdf4bdb54488914f533785063754ea7bdf737a9d6d3947861559ba1bbb37bcc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
4e98bcd6afee73ba165fdaad170be315

SHA1
b4c1ba86b97e76cd43f0d25d14afb338e87e5e17

SHA256
ea7201edccb25ebfc5ead6d8195122bfd9746f6e0a185012cf88923edb8add99

SHA512
458565f1a108193e38477a0680ae1d8dc1ccbc1103a4d7d90ff5d4cfe6d3e0bc4d3d520f4e61a959ac6d603ad80fd7719320c8e688edcf18d6f7b5ad190167eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
be0c47687f27f6c16e4b0dbbe9a8affd

SHA1
1edaca950ed66918fa4edfd25df007220f15197e

SHA256
f2e2b709d9f15982ca85e5bcdb99181cef8fe58d1f1e87f605decf9139671d3d

SHA512
1fd129387aadfd615f0f1e3294086bd799cff095552fdc7fd6ef2f3628a5f2798b54040f9b2dcc058aa0601bce5a4362a9812aa2299a078ff928213815ad49fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
c39260155dc164ddab1c4b5448264ec8

SHA1
bf0a7c237147781d798bc843f8beef20948080f8

SHA256
4cd33cf1ab622e196bf26cd526c6f4e6f0a37e72c07848030823a1b0c1ab16b5

SHA512
13adf9ed4e1dabcf62b22d37c2c609f83d150d4798abe8d35c05385b296b72db2ccc785802ae9dab21be33729bab04265f400f90e1bc2a710a0a211e08138498

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
32fe1236c77237e80dbd6e1932d6b87a

SHA1
0f072107436a268bd61e705dba08af168c8617d6

SHA256
ad357bcec009179ac8049f5cfe1315f803ffca7b6a8cca8c41d38502f54aeab7

SHA512
6956d39945f2a5aa5acae90b427042a849d38bb15ae7f344859ee4bd70410f1159884b81e02834193d66f7321ce47ee439e803bd5c07aac8b5a619ba527fdc79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
4e22e9989539e9389d95d162520688d7

SHA1
e7cb1f25ff2140817bbdfe7ee4d387695fc94747

SHA256
eb8c791095d4458742ecf8761fe2ea566746973803b432dc2e2706e0f1281222

SHA512
e3019825a56942ed11478dea708cdbe3a6d3fc93ae256399b02706df6149d0002ddadb1e6efd2954b1178b71e7ede602c7601c95e621c659396b4661ee2b3eee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
023feec37f9c193e754a9055c2f95291

SHA1
36e6b5631da6f0d785522a35ebdc4505b858c67b

SHA256
9a22734fab763b6fda770f6416628d9f0d7075b4d3254836e86c31d0496ad751

SHA512
ed437f935d34c8bd5319f12e95751455ae3031c4bae6335c160b2d0617e4997d030ea3111cdc8dcc63819e488341b1eca86b69b0a0047995c007a692fdcbc676

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
c05d56f2e3c991765a6a2cb18838ef8b

SHA1
bf324107ca01859211399134341d063e14b15fa1

SHA256
566c70012bfa14a9f66a2841adb62dbcbdf0ce46e410d03672c3f758c4ce42b6

SHA512
cecd8de4cee8cfedacbe981391350d41bb5e994c6c528e545dd3572ab737933dc0b93d43fe273af1d9d6750d8446282081308f013f924acc9e727489f7713b25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
fbcc5973725b7694e199c929de1d65a8

SHA1
d80216f57133569da5db04e7200edc0a05e32b61

SHA256
2c8d5d668dec3f0bd388d80c5f213321ae9c41db03a952abd41e6ca788e5a9e5

SHA512
e2a9a9e6a39203ac51b2d70f7d97b7c6153e7035ea9a9f4397e0a2a64e5c8caa4250ec2a94611bd7a1c2226357ade7529dc14db61bbb421f654964756b11da31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
c49a40dcec675dffeb125830a6893c05

SHA1
006978f503bd1942142b9fa041ba7da525bf17ab

SHA256
0bfcd845573d2134f9c9bedb19059ea67dc2f8d02155d51ddeca828db01a6507

SHA512
d3f8ca977b6cf829a09900e3defb5d5ef28efbf1a3ac3bc496a5b4f326362e1ef29ae3a9ad0ae9d3b895669a6876ca9cccfdfb021c80cedbab7a01a162507fe9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
dabefec3d352634f507f5152f6fbea6a

SHA1
8ff8cd0ee9cb38b0e5c4f7f3af719358529391d2

SHA256
541f2dd1595927ec960eb137f6c76f83bee95f29507f8904657087c70c34eb91

SHA512
c7fff9d0c954604cb3b806a337fae71da29bf9f5f04c01051ca6822fb8ede479470fbb3c8c62045ef4e7b7e25ae4ea3f35fd9dd368d857bb8943bbc81a2fc0f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
0c81b007fa74664ed48a3a844d4f42e0

SHA1
779f05126dbb76290781281df43815222827edeb

SHA256
21bd980728f7bf47fd839986e3ce271dd2c3b8c1b5ae3d193bacf71f0dd3cc88

SHA512
dbf5b3cf379452ea34f954dd600e287cffe0faa1401b3f7e1ef8fbb035d9ab9c3f1f531ad76cb6bc8cf45194f84c317c66caab17915f3b0159230969fde2c852

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
648537d18921118d1114df4af3297bc5

SHA1
8d765cf1dceaa55c7448662b00572abf739f5caa

SHA256
23337633e2c02a1e468a07fc9585e3ef4f1e14cd344f28a9d28af318f7e0fcf1

SHA512
511dd235f0439bb54deecd9a81b5da4ffc21e259006e4a35eb93fb346fda6f8a78d32d845e57ba8a5a62d77987967bdef841fb4601f4aa21acde42e1a649d067

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
6952536e4085cdee446ede968e1f273e

SHA1
a8e1db67c58dfd9e18b35656a8a09ee4066015e6

SHA256
1cda87965010765e50e13071d4a809c2e43b683058ee4d963c7331b53ca89c06

SHA512
a84183344f96db9576976fd8f8fb68d8c7715b92ced104c768b272c86d5c2f1e7419ffc8e2f11cabe9121cc103fb9d7a6bacea1babc9424022e4ab4ee9d8e384

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
a59f39fa10a1e4a66fcf0a60ec992269

SHA1
6c2c3440712f14e87d76a600f7969b9a40d8c00b

SHA256
4f3c503091736abebd64142bee4946a65568db151222f471587adb825af6bfd8

SHA512
3bbc50d2d2744955a5a715f28fba3f66f0e4038c700136f44543440722c755ce20c50861c5cb966435f4707391faec44850d0f714f6ad1595493dede912251b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
504fbe461dabfcb351dcc524fad22a9c

SHA1
5560b856374308552ad7600dbb50baf2424ae087

SHA256
4c80766d922f61764b75aff1ee24c844bd20d882fa6cb92de435f8f766d47835

SHA512
7aa45d4a364c861308e0b2de2825333feb13d16de880d0432200b73af24fd7396887534f034d516751bdc49fcc7779a795bc1a80ac9a479815470747586df72d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
624bb9bfa4ac6a4da2dbb9b735232e7a

SHA1
7d849e0d5cb33c9cdda9d94980361e889bacfb1e

SHA256
c6b4b8eaa21d10bf9ee84868eba56fcf2f59af30fbe793fe1bf515e9e2361085

SHA512
61909984e11d1861baa13ef969ac77be52838386c3a378caa912ccd74f68a38d53efc2db5cf5454c4addfabebaa0d000f065f98689b92a70babf9c24774a21ad

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
79248c25b9fa932ea55ef3b2a3c7ab9c

SHA1
07b56c419cc99bac4283ff4ab0a2120345361290

SHA256
a72aab0a2c6869e10fd38e80b43d80c343f6877e3fdde063bcdbbf1486fd680b

SHA512
0b67259c4126f9d03564c49b80a1c943385a4fe9ab2f7757ded3dc7ba126a8ddb006e17f95e7b7732740f671624779b5da9cb76e13ba9bdcb416b9a43a618c16

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
da233394cf971d77a6bd303223bfc60b

SHA1
b31aa811cddc515e2042d61eb332b95fef798d00

SHA256
da55c8c38adb32a75eac5e82130afa13171e8584d130d2ce19f25edea901c812

SHA512
94bf6c92735ce16b1c83322791d81e3c4d4bd49a34bc54b7a684e4adbbf5ac270eefe89c9609d16282143a5d246d9c6dc342d8fc149172dfedae297c800e1c11

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
caf5361eb6c4cd8a8ccdc79e5aab4c5a

SHA1
8036fd9b390757560ed2d2c7b027ac2bc265383a

SHA256
4c59af8644b5695fb10c32b70ff404f0307fbc4f9e4000a8710c09de4e9519ad

SHA512
cdffb750848cada801c502532c29e603ecd9cbbbf3915b44e0f91af6f659d3da314eb1f97c97a60b0be132d7d34684c8353a992b61e63f5fb9f9a0e3ce555533

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
e43b0d3d434899db53a3ab565dddf5b4

SHA1
3df11357af8ca1a9277852dec8aead8db01fb061

SHA256
e6c110f3b7aa57038b2904be3a29120a5d13ea5272e3b667083da8493a3771d0

SHA512
4b2fc551351c3f1d8524eff53509b9fd870ef4e907639efc0a843971003c6d0317bd858db814ed2285cbdfd31fca0eabb58474220b9cc76aa9ebcf366796cbd9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3ae6f709433adef80b0868c472b1b6f4

SHA1
a4333e8fbf5e9f2fc9eb4c33464cd5649f3a408e

SHA256
8bdd7054689537e463e90d0fbed51ca2b62919dd3042eefdd81ed98bf1345b60

SHA512
f5d59f881242e16b0e12be25a8e449bdaa67c185579c4f9d906b3abdaa584093bc1f0ede9aea64c6778c6e46ccba47f8e4bbb8f5bee8ff57318dabe1b5e55237

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
6448fd3f7b1cd0e2c3b449bbb0355fed

SHA1
384dd183933d7cfb2846931386d89b97f0b76fa2

SHA256
dcbc4cb2c1cb9cf811496669698f07ddb2a1caddd5d2bbc8109fc2de8d91b490

SHA512
dc6723cfaefe8d71f70e07a8849c960f455b96f5ab15f69fb9298e209b5971d09cf88d5b0d2981776d4e22b88c7014b19eb4ce3dd92f6e70530228bba28606e0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
9bf2036296fc03aef04d5de06e2466ae

SHA1
15739f3fafc5d653991ac7126a81e3e7268cb969

SHA256
42e492e6e88ceb77ff3eaee2e5b0bfabef303faf9a44cea59dc0a065463b73f9

SHA512
54604b9de72cc4dae2322acdc64beeb1363bb4ea7c3e9f95e2955f0a7305a4d26a96e76ee2a9a111aa5d025a7d36dffcdd25aa7954295b1b3ca5048debc89c74

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
e43713c41eb1dfda901f7d0cde02ab60

SHA1
92d018bc2a7bfeef682a43b1d613bdf022272d18

SHA256
4980379b8492798dd81e9d68ace36d5aa41814a89a833616282d8330ddf892bb

SHA512
22fa32e49bebbc43d238f02948923577e1f47c29fedb04e194b0de7000b427296aebabfacda07e69c28f96fa98fdbe6c9d6aea19d0e4dcd2c2f13f6b13b5d650

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f2ff09b0a0c164e7132a75ef66a16289

SHA1
812adc64bd3992fdce2e466dba195d542707adbd

SHA256
afecedc8e78fbfb81cfcc81fac6de2d31d24164ffdf8499255f43037001b1de3

SHA512
97e40dc1970f8ff6fc6a9657833f0610d091e1abf1dc015ff4227234f2a33e0e3587de21354b2a5892c3682fa0474039899e779bb560337826ae8fde0abd41cb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d2985db428ef9569823dd3b0928e0122

SHA1
cf42c46e6b30695e1674e9b88906fcdcfbbcd8d5

SHA256
649206621fc69415d8a7db466db525ea88661eb25734ddd2987d92936d93bbd4

SHA512
69b497445099bedd2a7beff3c1de48f2cc65147ea6ac83c59d64b2e20e20f0962f12a1550a9370657e15004cf84ca64d0bcef4a6346d61afd038ecbb379ae534

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
84c7afe5f831a771e707890388accb92

SHA1
7f091acaf4f684d26d0c9e0924cf7be396b0969d

SHA256
3a7ac623a0a8d80a49e4b1351f23b80d48228a2b8ba6b17a2b13729fe020940b

SHA512
fbb72cb57db95dfc27aabc9a126828fc40a449020e4635633420e70c96412f69e5bdaa0d1a224e9e2f4513fdc27be11dbe79137229ab4f026ae86fdc6a50ea5d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
719e8badb751bada7fde2a5cab8b5352

SHA1
67b0707918d2051da18ab61cabad8e30588da4bc

SHA256
9e38450e5e746d3a18db2e6bb49c45ca90de07b948114cf0a3af6aaac1f75bbb

SHA512
ef40632248854b24270c3799dd48f1b4ed9eafbd677e24211871438dec18fc2d135575ce4557a9a52e99f02642b6d4224544f08270bdf0bc866c2af220aec8e2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9bb89fd41af52b0e22ab00eda4e1ed9c

SHA1
225248aa547b70f9c4044a5217d4215bb14f4813

SHA256
a92e512cad9e1d3908c8bacf17d2f1f69b62799ecd2b907a8f53716556ba7b05

SHA512
7cd385f1c4114ebc2911aa9e4012f5cc051823b1e314cca50ffecc774220926b4da465693f9615ba12b7ee83c856233542ba71c430a7e7c3bab07157a840ed96

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
94a6ae238a3c5ed4ead025bbef92350f

SHA1
95da368ab8c1815627e972f77e1ea5b694fc08d9

SHA256
0de85f651aa5f794f8853af491e6a94c8728bb9781a2d3eee46138283d81bad4

SHA512
c03d981171e1b7711628d9bae31718492fbd991144c2c890b7cd4e8f3e33543089db3f7c99aa8f3f520d28e5ab148612491b7e0b8bca963787f0ff5cbcef428c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
ed1fbb3234b608b7119b8fbe9fa1891a

SHA1
da5e2ce52702f69cd96c0b8eff370f2fc003fb1a

SHA256
d8cd165e68264158ec6505f2a71173619975c2b65c771951d0c682b75067ee0a

SHA512
719a10558646477c6959b3805c9112cedddd110b6f5ae12d21e942a1c5a51e69449bda8aac6b25dd77fb7cbb8367f9a94f691358c0026d2d6ec20e332a821138

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
d2f5605790e37358c4cbd0a75c3029dd

SHA1
a12ab1016b26274027df247106d982b84c68c9ea

SHA256
1cda05784aff7c9271a90725df4743b7da3446c3df136b50c0c73ec180e8e740

SHA512
df2482fa97ca47314240262ed78bed657e8c07faf51f36eb1e3f94a614d0cdb193408b88ba017dc38a083490af7fa17f58dc9bb585b686296a9bd96bc0cfbf3d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fde3938e0ffb20f7da1902078aaf7f89

SHA1
ff6b2edb417898a0ebbc25c9d40523f7c97701d4

SHA256
7067d42363318b37a604c2e8bcc43a1e1f2f6a4dd1553a5eb8fab52356f7ea1f

SHA512
d72460c4905c1af7638cc1125f809c8399c6cb66dacbf26d5697e3bb934389e891a560046271691478a011fce1a7be922cb919eef6cdaf0c5afbf9eae8e5696e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
96e6c418b850c18276152b648fdb9ef0

SHA1
7b1eece0724376eb32d07a1386e73487aa516237

SHA256
85377429a1421ac2828b7034d069489203bcafce3239a78f886e7af03e27ee86

SHA512
2a547db1f3b68a4b449240a2e67b4549605de5e2e7949c9af40d3ee57b0a651d8634ed2fa42e24d8be94f393dc5a87bc4ec28fac4aa505aed63b7dbed94ce482

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
43a6b11a224e880bfd933a8217f0ab9e

SHA1
f6c48a9a6faedc6d284ed407f0b0e66aa93dfd73

SHA256
1142d4ccb1fc2af6c165f776679915404c5f4295e714898a66517cc26f5708f4

SHA512
fc7e277eeb6c779412f2f8d861fc18cd914d75a60b29b4967b0d06a731df04ffd4fe0bf9c7036ac28b99bbfb23318a33a8670f3400174b752357eae745a96b73

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5e09d028e12a36d7c374b459f7a054b0

SHA1
863cb7eac2a333c1ee6dca625fdea1d51a553aa5

SHA256
904b20e8e6c08ce27cfdf739593a412b29a001e7dec1b51b8dd43029c19cb353

SHA512
b909a5b21b55b6150178dadfdcbb1dc00f9df60b626be2cd1d6b9dfdd07b4303f7a25766447195d7adc3e559a4d8915fd0af4a2c496646827013a5051686620e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
faa556d687cb092534fc6424ffa1aee2

SHA1
9bfa8108a1652605799d1a064a8acef441f7f13e

SHA256
c60ae4730a508abba0f40e510ac20a44c484bc74d4226d0798366bfe4e311843

SHA512
770251c83beb89436e60d436b6799e62a9a68b781fdfdb2697ca94b8699eca7784b854282a3a783482418edf30c8f1142953c840869a42d23c1a42e4cfe95607

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
f552af04139486c6887c17a74670b279

SHA1
7e202fc12e7977b20f0a44688b7fc62e4afea713

SHA256
cbd8adab1fb211c32022b93c9ebc042602af155d30853222379d809dbb7db3c9

SHA512
39bcb2e0627f3aae56d3056fc31d4fa95134d8da4ed2ffdf77c2a611dcb8db623ca5d8cbcfd1b2d82a6f003c209295f91eacdd01ed4ef5c559e5f6899571070e

Download Submit
memory/228-1-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/228-8-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/228-362-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/228-112-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/228-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/836-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/836-590-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/956-89-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/956-90-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/956-202-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1020-39-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1020-48-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1020-45-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1020-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1020-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1132-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1132-131-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1132-32-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1132-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1132-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1668-582-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1668-191-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/1836-52-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1836-58-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/1836-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1836-172-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1928-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1928-592-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1964-132-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/1964-252-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/1976-473-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/1976-155-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/2260-591-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2260-253-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2508-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2508-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2508-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2508-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2872-584-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2872-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2928-84-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2928-75-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2928-74-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2928-81-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2928-87-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3332-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3332-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3332-20-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3332-128-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3476-513-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3476-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3656-229-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3656-124-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4108-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4108-583-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4380-129-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4920-113-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4920-217-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4932-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4932-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5028-491-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5028-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5028-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5056-549-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/5056-188-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download