223507ecbdb911994c72e2f91f5fdfe64d4c9508a4d939a20606776bd926460b

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
Size

1.6MB
MD5

0079a5dbc66132b89962f01d25797e34
SHA1

5090ce39c8c0c79d473250360963fcd085822eaa
SHA256

223507ecbdb911994c72e2f91f5fdfe64d4c9508a4d939a20606776bd926460b
SHA512

e99f20d7a944a533b47d7d46a2caf945cd4d84bb2eb2164b6987ca3241656d2e28fa802d69d3086cb3ead0f53ce6409e96132fbc8c057d314350e98e2178dea1
SSDEEP

12288:H2lWRPDhA9PRWg9WUVpyNj3C/Ei9OQSt6uk3zO61zOQJjN6atJ6bVgwtZJz:H2lmD4RSUMj3C/Uvw3B8atQVpZJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1376	alg.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
4584	elevation_service.exe
2784	elevation_service.exe
4476	maintenanceservice.exe
3396	OSE.EXE
400	fxssvc.exe
3920	msdtc.exe
3956	PerceptionSimulationService.exe
3220	perfhost.exe
2588	locator.exe
384	SensorDataService.exe
2388	snmptrap.exe
1088	spectrum.exe
1380	ssh-agent.exe
2768	TieringEngineService.exe
2824	AgentService.exe
3948	vds.exe
1260	vssvc.exe
2224	wbengine.exe
1652	WmiApSrv.exe
3060	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

elevation_service.exe2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a078624db4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017b6cd2fd0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6e7dc2ed0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017e9bd2ed0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003686da2ed0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d9daf2ed0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e52e862fd0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
3520	DiagnosticsHub.StandardCollector.Service.exe
4584	elevation_service.exe
4584	elevation_service.exe
4584	elevation_service.exe
4584	elevation_service.exe
4584	elevation_service.exe
4584	elevation_service.exe
4584	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2812	2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
Token: SeDebugPrivilege	3520	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4584	elevation_service.exe
Token: SeAuditPrivilege	400	fxssvc.exe
Token: SeRestorePrivilege	2768	TieringEngineService.exe
Token: SeManageVolumePrivilege	2768	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2824	AgentService.exe
Token: SeBackupPrivilege	1260	vssvc.exe
Token: SeRestorePrivilege	1260	vssvc.exe
Token: SeAuditPrivilege	1260	vssvc.exe
Token: SeBackupPrivilege	2224	wbengine.exe
Token: SeRestorePrivilege	2224	wbengine.exe
Token: SeSecurityPrivilege	2224	wbengine.exe
Token: 33	3060	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3060	SearchIndexer.exe
Token: SeDebugPrivilege	4584	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe

pid	process
2812	2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
2812	2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
2812	2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3060 wrote to memory of 3132	3060	SearchIndexer.exe	SearchProtocolHost.exe
PID 3060 wrote to memory of 3132	3060	SearchIndexer.exe	SearchProtocolHost.exe
PID 3060 wrote to memory of 2092	3060	SearchIndexer.exe	SearchFilterHost.exe
PID 3060 wrote to memory of 2092	3060	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_0079a5dbc66132b89962f01d25797e34_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4476

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4328

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3920

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1088

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2624

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3132

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
40368ea48290a814c710eab0cf72de5b

SHA1
4c0960f8795e96833ca1c8c86ba8ee2e905d5428

SHA256
2538c6069502ddaefa7387c9394807e83fb03a9dd2a6cab4fa2ec03722cda0f5

SHA512
50509bd6b07792539fb9ab7342d8f38b310538b9142753aa604a613ea7cf544fab2456681ad06666f35fb61400a831d6f7f6cf922daa51903a5c0b1775234e06

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
4b0dfede032d70cc8a5364fde6450a9a

SHA1
b9f74f001a9bed1d860e5bc5408e6d0904ff8f0e

SHA256
69c4ae0244096294b3672a1addf110b4477c725b1a0f65d9f6e3fb14ba4fc300

SHA512
2dec24b6e93a22ec5612f71df945755372e339eee9ca040d1a5ef1f818ff15b97a6c75f6240d184d21fe38c9768f815bbaebf15777b0f83962819220195475d0

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
7fbaa580493de813806e6c7c2cd00a5d

SHA1
b63b70c060446285fba352bbb8b5b679f9713586

SHA256
66572cc1b8ff625096e5b4546871a214817e53a7e7c3b08b8d4a385e1a637248

SHA512
e6efb4e5435c4079b5a0e8a15fd8ea9e8e0caccbcb8fd8d24525f91d1e6cf6371c7bbb4bd276acfbac2c7126b0a42f9a090eae4098e38edfcab8cfc5c242465b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
16c753d63d8aef08764462e2e0a92532

SHA1
960e16852860d413f97de2fdf3b2ff90280cd5b1

SHA256
99560112fee53d0c422b1d70ea3046023e228f5f3b4db3c998201481d0cf19f7

SHA512
85b273305e3a24a315441004ecb0a470fa7ea1dbc941124a2ee4ef425a2a76707dfe5e60dff5b61928650fe9b2fcfdfac74353913c953d636911d22454287ce0

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
33984184459f9233a834fc2217ea1522

SHA1
35811f54b429ab39b5bf7f6bb523f72bbf4dd069

SHA256
3f9091def05ddc1214066bd1090293ab7fe0df7c0fdad1387aa7b0a3d4f2c3e9

SHA512
9e4083dc41e34ef0a30698914900fe55b7ddd5cc7463bea0c764d9f0bf0df7e8513d10e2b623db1491acc6f6fb1b3bcebc059c6b352be5c9de4d5342549973ec

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
b246f3e2e947dcd8028c805112289247

SHA1
24a115c606b4c09c42e7fee7484e00062eb683e8

SHA256
f285b54b1e50e8bea62d8acbd1d290c1afb6159c1ecc64eda4d4aeb5703112a4

SHA512
a8ace0873926312e2d62cb2461ddbc49b66a2ae4fd80558352c0f3f41b46df61bf816ce2ea0db37f71e51f0337615a0336520e9c321790dc5c4a4a533b9d9682

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
619a0021e41dffe66af8294938b3e934

SHA1
fe81ce415d64e8a8ca2ad8e646ca6a3686c22c4a

SHA256
5155923733770ff510a11f490865daff5089a8a3114b0a0a7946b8dd741fce8b

SHA512
587247d5b01926c86581351cbc737cab427a70d89ef4acd29a98ea979feca632d39e7cbd1158a6fa7d8ae27e45310ffd93ef875da6eb8b64232c3a3951c0f767

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9cadf9908c6d87c897489e50a7ba4bef

SHA1
85a9ad9f5a52923c135afad7205dc5455393e56e

SHA256
11f9276748f579437924df1e0fb72c25a285be69ca58b6bac970a2fa8bff94dd

SHA512
0c3f6d06c2035ab004ef0391efd41f9946be94b972c580a1f259fb671adb24bda1c4ddce7ec70959a580343238992ca67d706cfb0ccb561a00ee32515c002497

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
9039f98071e71e8751ae85580214d6d4

SHA1
9cd41c0e602d6ab506cf8aa8967bb5089b092f97

SHA256
5520d1c0725cd9a8694830f1c3628296ed9963170c545ed7585dbd47c7b2c55f

SHA512
bfafc82425805d003d74f133fbe3b7e218a2eb21b2c791cc969b2b99d934380e12472c7cdbdd81a3cfb905d94471eb3faec1ba34c8e48c75b00058a68c2eaf8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
bf4c92bef3fc28f7661501cb64e376bf

SHA1
7cd615e4ec2aeda2358087bfbe4d2a749eb49907

SHA256
0ea54c67f36545919234e15e15e147b27337683c956addacdc216080e5eb3b04

SHA512
4d94d58e0276a334eedfc48d63c9ec73571199b5eab094b3e6d540d5af7b9ba4a2ba4218c00e5fa5031543da945fd6874d5c9db5c9e0ae35f99a913a0ba8b80a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
34e24af2c4a016d8398b363a43ad7842

SHA1
96937e41953ef25ac244bdd23a8679833c9d4c06

SHA256
ea807669360f00d7721cd323ed6644c396458318c99c807c8ebb7387567fe479

SHA512
112357c065ade98d8fb6cebfd10bf7e82d8a0fc6dcba4b4844214f03e46a219e01360ece0a26ac2d502f88e28283c542bf68c2592ee0ed0453f3329c0f6e21ad

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
13bcd7dedaf410e2210eaf2bfdfe10b5

SHA1
91bed84fac511e5511a0b2a69ca3d2dc1079472b

SHA256
492e80ed6ec5fbc08907d7ce3e0c05e5ab2c67a228081edbec11bed8bbdfcd4c

SHA512
ec813043f9b8760d50bf5d1fd9a5b6f31b6204cc6f86e00251ab99b99171ab1677035ceaad2dcf751eefa5f3c235236fcfdeade6f9810343570cbfda5a61bfef

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
e5f1a6379b117d72fbfb358f0f2d1427

SHA1
12cfb9b89427ceea1ea9332220d93715d3f5608f

SHA256
f8e6e313678223f7b1b278f98348041e0a2baca9b1aa9484befa5f5679cb2665

SHA512
61e2918d6f130a43467d56a7688a38c697ba2283b06879838dd0e27e9fb3066ffa69eea4027390735bbfa9f752a4b0b98c6623b64344e7fdd4a242406214d6af

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
efd16dee32e805da8b204bd4666364f8

SHA1
6cc79d3cc0c3f08efb2d554976cab6bfaef5aaa1

SHA256
d820d77c044c214fecba12db2e20d3c44ab0c2009bf11deb20d6e505d67e037b

SHA512
2eadd1bb006232b8195982d59158b299e872963248321522062536fa6dd259bb8a23c45832ba7e10b8df6b31477ea4c46c8f0797fa7ad52c858661d7c609940f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
fcc91c98db4041ad56c8283484d39f76

SHA1
ac57c6153c2c3c2c25b619d2026d0c81f0e7357f

SHA256
8f083cd07e1c878ea41d177ffbf3cad1699482e5043a8f50e3a9e281587eccd6

SHA512
8d98117750f87654f5c3175dfba45fb250374fda45d740eca752d7cd10be4dfd02116039de785dc1ea535b94ab156e10de0d31bbd4e057c80dcb1ad57f440cd2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
6307a08091514463c7a5f77aaa2e023e

SHA1
829ed47f1ea3d61700033638723636efce84ba64

SHA256
8d8d0a10e5190a7dd9cf4c0278e83db1e6c060c7da4b09be2476244d102d02f8

SHA512
1dee5351d7f8ceb01dbc950390cb8ddb71b343b41a604b6be4aa39b61c9ca45b4163ae48c53411fb60e2b9d5c2185846345841aeb09332a08433eeeae0c0c0ec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d2d21a961764d2047605bf2c2db8d3d0

SHA1
cd4a8dd482308814d5dffb10097892e588b82eae

SHA256
cb6b327b1472facfdf8d849ccfe7d0e803c6c130baaf7a3031de15d21ac81622

SHA512
900a4769e39f6c672ad3aaeef67d52da406bf328c8c7324a6e045204a75a67716c438d4a5b95e36bfe4f93a08809c76fbbf909aa0cd3a0c571902f8e3ffd142d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
98eb832bffc00eaf925a5ca7fb5f45f0

SHA1
eac8ee08a38c0a37cf7ff0c14f761f2f98b85a99

SHA256
68df777c6280111fc99d66aac71bedae8f9e885aa4ffbe4056f469e8bb67aedb

SHA512
d6357874429009cb4f6092c3f555662eeb4c8884fef421e10e3dc486a06571e7f7d3aaeb65d1275f94f70f91fb8ca8467e2b390f668371735396f434813868d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
4416654112a2fa1196ea875d549c5c91

SHA1
91cc0865ee861a02a54a087f6f4cba8e2104b7ca

SHA256
d0015532c365f58583858eaff7102adba4cdf2d261fb6edbbd59467e1786ce01

SHA512
2be14c4c0b12c533290997cb9bffa9ffb072e1417dfa29b1dae50f0e933844f1cda9572069970627d2bb923c03cf627cd098106d5b3d5072814d44cc3bd01676

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
8f4b4b9ecb173837702da61b001c56b8

SHA1
c055d07dde3a19bc9e153f5bd541707fefeeea10

SHA256
9a26fe649c0fbfcbfa48ab0aa49a7de094d0044ccfaa5a8b0f2dc2611336b68b

SHA512
47c1f5b65f4a98fb0ed22e0d26a1506944195cb3a36073953ff176de616bfea826a1615bf6b88a34d1e90d1b56211eb02308ef33eb001b251db917e619a69814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
e21a85b5f303ebef0b8ffe3f317f5d9c

SHA1
1d5eb4c6df2e8235022b47dd7738cc0d9bf3efaa

SHA256
64adf9672dc5c96ed7fd6f37db81067b0161433814f9ba4f3246f1060696ca08

SHA512
7a66b9d29b628389b84a55eef220c60e35940e8db69c0e1a855ee5b8f182f2810a1d23a2b017b279744c281663a8f90457156e2c40e8882be2514697727b4bcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
c9dcd1d18766ef9e41b65e2d7dcfe1f2

SHA1
26af8748afe5c7d82ddd82efc97a9820e7a2d52b

SHA256
d9b9f9d06d889032201a745ff60e5fb37686fb063d1ba2c4058dab287e15731d

SHA512
df55c0074c2ff9d4dfff8a65afaaa5a2cd6b48ef795dff46c316c7285d92a942e405fee8b9fdc4a88d850a30b261fc209c90e608d000a2649eab3bef0f3690e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
591f9a4f65dfe3aa0fee232e4048d336

SHA1
f5e1ddfde9ff7a3031c50589e5709c6c93f52dfe

SHA256
4279ca88d4d941e875d3a22bc63942f6b6f0386e8784bd2d2965cfb49acc4ddc

SHA512
8d79910ca87f3be653823f87f0d86d678407346b4de137362261e4d6d06c50d7b41268dd7b2adb7d2b59efc88354aa3496e788aead86762eac4599cdf325b501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
aed28aeaa919efa64f4d79c307a4f0d4

SHA1
249c5ac41cc9602b8b02842b4690dd6183b4c16e

SHA256
f83d0626dccfb3e801bd75ee77e5a3698abd1dfa22e8adc2f9575bfd2045d634

SHA512
cfa047d585ccd84befad07d1ded8b66a551b43f09bbff13b4163a19aad66c90932f5bd85b7184f961ccd9414f6b128a2a042c382504020b36035a3a3fa348128

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
784a9efecb7b3f8096a49a49fee74fd8

SHA1
5886b1f45f877c5488a98e93c07a3873bead0579

SHA256
bf1af4bb226c06da7d81d35dadb231d2e2fc93ea844b3e7db0e4fed270358a62

SHA512
e8f33c412536c14fee0fbb55c8da89eb2a3269664622fcf8aaddc944b6965c7e63f1fb6a02fde17395c1103e56352af4f8b63976facbb4cc9bf6878408aab626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
e857a6a2d1b3374403e12a65ce91e669

SHA1
3e29ba760dc2edda1e7147a8dd5faa5c78b41533

SHA256
0810618b05804439b98b2be4592e870c5bf4a62dc43437d284529380ffdcebca

SHA512
26efdab222981e8aada9cac1bf7d2ba39c3a0a5c1043554c0afe4d547081f8924d8239f92f3c72540f3f997061b5ccec83a7bf6faef0f15db51bf04914f07fd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
6cb434c2764face2ed1575fdf37ff8b3

SHA1
79b7726605e5db46bce324c36ee5b835b668acd6

SHA256
41d17b35f3cef93f289ac5fa6b83a0c306a778ed3393d0a3606dc12ba49befb7

SHA512
b68ea407b5dea132bf28f648025f7e5da77bae07f1ebfcac59ec91c0dd6818cb5bfb3dbc229fbbb9a0835ec91346998a2c1320ef88068db890306f9b17ae9fab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
b3f4c946384e6962b096426ea38b8de6

SHA1
c4c8e9144c3c7a7510cdcb37ca124bed54943211

SHA256
6f4c05fce2d2c1ab4aaba0090bd5f63facc03dcf870c7a9d4a052756a99ede86

SHA512
fa789c1e3c9c06a2d450c17cdca735f1ea0374f99822ef3ab8e23b3b0c68eab01d67c9bb791a336108e1846fbafb735125f9ebb4f1d1d4ecf4ec618a614ba3f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
5920655948bae51b140ab75fad802ce5

SHA1
0939c9e87fbacb7fcef350ac5e2d88b35858b6d7

SHA256
923e61ab4e986e1589d2c3907b7d4cde8e88c8b9512b886608908a06567dfe84

SHA512
3a688f937af94a5c5d133012dd8024edd3262ee68cea1ee31c54a41a1462879c77cd423daf147c77b3fa22a440d3fe88c9a1ac4df54a853f746bdfa12e2207de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
2f9bba84a2fb14853190484887fd8c6c

SHA1
4b96b04fad61565f3047b2472801f3e565b18f0a

SHA256
cb90ffe25e7be00d4a1a139ffefe2e23fc437cc813a6479373d65f77575b55cb

SHA512
5a8757aca641d220d2cb191619ac9eb391ac2e8c4eb9ef5dbe3ffbf8aa02160fcd554c646d50072dec40200d92558338e8477389d614dde25bec76b54207c996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
2164ae6d7b5db737bfd615b56ff52058

SHA1
06a6a6d24bed9bc1f624fde78305f8bb8e6d5dd0

SHA256
e30ecec29d2002959a9d58806f1c0c88d53c01954626cf5b12770ab9bd9830c2

SHA512
a14e0d990170dcf6ed764e64bbe0983aeeb1ffc3616290bfb8bdc9c2673afd8aa53100f00e814949f52434a217764cc72e2a6e966298a410358fab1f0a6b7536

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
d2c9918c5f759ca5cf20e6131117a4e7

SHA1
32c9507b4bbd2c845263da3ae7a74ec4c18c1d52

SHA256
a95e1028cc47ab3b6baa02d17d61f2204b5999ae8d9d807040d93a7a2cd12edb

SHA512
c6ea61b36e81e273d73b31f093e0fb7fc526bb5d3270f6c79206afddbec88c4dea1909f186c26b88c7e5db9dbdaf55a3a3ff5b26d320ad6f91e1cabb079e09c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
86489447e53def4b3244bd9dd7051d11

SHA1
8dc7b9324c8060c83a7eb1976747da4d958d9908

SHA256
257a23a744f3dced10d69bbf2b1333baf2fdaa347b67cc016c2b88948b65df8c

SHA512
4c61a0cd5a7d183680821caabe0bf8c87a86d73e0bc01c2d1e4a759da7cce5cfa936907c61ed1be6bf12b80d27eb016a54df52232b6de9dce4b1725a71ca8c4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
569c4060121146b23275f2afdd100bf5

SHA1
1daad1e753d321c0063e04c685915df1dea8b4c7

SHA256
e8a0a2fd9af2c42aedf89424fa01144f8811002f4e123f80890b526dcdde33d3

SHA512
90e76b033f6300efeeb4d15589e0b81931d8411d5c3aaf0fd93e085eb2f3f9fe7cea593982066017d8601cca1964fbfb41ca05143262058cbfb739ffa959b6d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
003d760e8b48847612490830332ce316

SHA1
da502bebd48df83dea1164fdaec78a41d7d5522a

SHA256
b024ce4a32a227fb857647438fe4b8c6a0cf548be4f874df9c089271a0c21a57

SHA512
1153cf6b02d6e184c27a48d3e151fe7b5a1e81da5af59791d48b5c0172e770bf4366cd1be36ded7dbac4880d36c5ce065d3848bd1201a9762251f9109f57a351

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
7d5865c63cbb4e4fd9f67012bbada9b5

SHA1
87dbcaf2cfdb62a6af668b25cc540d54f09e3b1e

SHA256
79b5afc3dc0c4406a761db23e3b03d20b61a93012120ec5c7d6882507bdf4ffe

SHA512
33f74c3249097c38b568632b66167c63af16efdce9695f82918b9f339f5c0a55a9cf5fb93356cca65b01bee582978acd27d7841c2b706a99b8a726084fab9d3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
57a3cc015bff3f12d317c8f1275dfa40

SHA1
3bbeb9b4481509db45ec66dc03dd20be14e95a29

SHA256
11ed37e74546ddd23f62537b194c62511f644925deaabdc1ea8c60b736c435eb

SHA512
8eaa44931aff837439527a3de682adc0fdc108f86f324061025bd4b262adfbf3537c9bda57a37c15deb527fd1efc8698613cf3d0cbddedf790996ec69c826c1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
e0f0fa0d90817e877b4c6b343c1d87c8

SHA1
a673ea734a99e9fe4c963b4b85b5a4c8b2e840c4

SHA256
3d93313d57b2a0678632986d59ebbf82c75921d42f87a1139242069f2e204d8b

SHA512
c09c1e156ec4f74887bb17d5a49c4f66256594661c6fb17e913e688dfc239b87553b46cab260879231d7aa127cabf05d386821b167a72b77e22bc6e6e5a33056

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
939888a8ceafef365a0a25c574242398

SHA1
8e492a94e1731281f1e41d61ae9a545ecbbdf953

SHA256
d086f3dc7496c3c1bde044c837aaf67c59ef00e0c30dd9fe7ba494570c770b96

SHA512
938f42bceaa77f936b4fa3fc93e55159c9e32e7acdbf4d92e55ddd5b1f2ab91ea17529e584ca76bc02608b0a9d09739521866b4809836475d2117ab08fe185ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
efcc47b37e541ffd424a4ef6425985cd

SHA1
9e5e565f1921a2ed93bf91833be4a24d57e33b53

SHA256
66d9ce170563e3e818d7db593e37537da115d97ce1a4d6785c4ecd1cab533703

SHA512
ac5ba5a5e47a0b3c9c627ee99924b8c9c1ef51f9d9e04ca6e0ffa6be07c6b1f3c088505e8b7604e3f8ff2474cdc32074c71a3ad82a5d646ae23348b6cfbcbfd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
5dc9ad9c424fe12f9c894fc8f580ebf0

SHA1
fc8c283f1a4c11dadd63e248c6038b323c1ae4b1

SHA256
bb2a88dd51688f905c9b0ed78d8b28d752e3710f214ea6ff7b946e58f7a4f281

SHA512
66119189a8d02e1bc07ddcc40bc0651d2852d778dc13472d19fef8779ebfc1c1655080a2f17a2583f395ef54d604c2f843d297ada0b1733a8d8d097759e73c17

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
456dc077b87f1740726503caa4a0ac9f

SHA1
f9865e1d4bf6924cf8f3d44bbdac95acee87369a

SHA256
52d55976cfccd7a299f1b40a42f302369a6f48fdb120169bbd315a68e84ac44c

SHA512
1598213acdbf2206968983763b51c9228c0eab703fdf452c987a1cfaef6625575b7d235447f396bcaebbe0e87fbfb4b541aacfc5ea2b56f24ea77286e5468ed5

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
8f1d217fc64cca268097214becd0c504

SHA1
54152d19081b1425d71b9525661c245a635dc1c6

SHA256
1b315977c00f572ec51ca0c4abb6f39b0751c953aecefe6e1944e59ef691a6ff

SHA512
ec1e7cdc6c167f5a7216ee055f98b4234056bc466d58b00b4ac8e2aa15cb468820d6a10903cb5565646c1b32eca91c9b2b4d771021352d75cad2f7def03854d6

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d6b53cca0320f2536ecb39c840c95820

SHA1
0cd370644963a5946ee35241b7f8b34f458044fe

SHA256
1217f7af4292a6e2b8242376bc7fdc59064690432382c0935246de92bd3e49ce

SHA512
b67c168adaa230c6f6273a5d9e770982df4045eb3e4fd3f1ab179ce910c74e621c1315fa7792445cac49f50eb13ddcd4b96e495b27a36d0b9ebc341063652b6f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
cedfa0d796d092ccbe22dd771b7d7f2e

SHA1
aa1f65c3c764285380714097814c30457c14026d

SHA256
1044a1b774dad3d3fff9c6fbb97eddd59b761b1393f8c131e380ee82ff835c94

SHA512
c94b0f248a60f7ba200f2a47c5e04c715c52630a862634024e5f6d8acdec1bd9e37531d4c16f92b8b44daede0c5808ab00fa4094eeed681c60f91b321dc1f40b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
cac3d856451c3b5ce93fd64af016181b

SHA1
5fddc22bca7706ccd2b13a31801fd09fc3b866d8

SHA256
305c3f8970855a82b548153fe2e864703f2b9c588a3dd1d71e1e28a95067c3b4

SHA512
e848ec9d9f0cf2a6e14d995d933dc42254ecdbcb51de11251d3008396565e7832c53203401887d989674e7c808a4384af2e5f423da492954d01817f8ab6e7a41

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
7f0a20d00569897c8c43059f2457b000

SHA1
3d4caf95c5f20a675dad00fe4f14c23dd7b88807

SHA256
42cc977c9748095bb5501a557645db0bd998f81859d64b85a7a1e4bafbc0bbe6

SHA512
7e6baff2364ac7c7512168c74a3a39c472fc113296c242f3605b25475d21fd905c275f79613b925b768de187c998d2b13a8dde4c78c5c9cbd663b9df55055946

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
ff1d6b4efc078cb2c19475eb175dbae1

SHA1
f35f6d368e8199e5923bfa1ff0a2faabc4aa7dd0

SHA256
5d7a13046c52ca0dea0b7180b0c80b08ca9bd86f966754907a0f59dedf0d79e8

SHA512
6b6029da83f978113595c9db5aa5f95988e8768a515a5146b03aee2396c34ea4c7034dc673ba52a2f17dffec1abe8d3f4180cab7ba4f0da03cf1768de4e0a3ec

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
c3c15b2284d98c3d77cb5f47e4119ca2

SHA1
000e92fa4216e92b866832695d9cc818adb798b6

SHA256
1ff73aec97a0b077cf22ef4c5e6e9999c7c54e7df4d4dd3650768b4b0798ea3c

SHA512
127e24ebc4299bdecde332510d0160e6c79d3e0a3c53671281138f9852a38bf667fa29fe2e3613747cbdb4ef9d959568c360a2ba84fdbfa41e1e23fd16cf95ae

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
b4a081841f1c93e51f808919eda988a8

SHA1
45795f0582e72051236ce0b9703d24b3ca67b22f

SHA256
e86bbcf28624bf96be12f607f0a76a2f79b260d053e261de896e8009b7c7637c

SHA512
3cb06a61dcda883930797c605849c0e2c35024e715c5ca134a67802b988e164ab9af4827f7898a81970c7df61ea882e21b11ba86a87ac5feca8d46006dbb1680

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f64b0130734808801b334879e98230d5

SHA1
e53b1ee4fdf1eb50f2a082320386667c78a73058

SHA256
2d65985d22d7f29f585c1a12c4b0d233810ba90d79aab4be8e5ddee84dd0b2bb

SHA512
e6d4882fc3fbd5605122b8dbab96e485a655a25275fe1d27cc7524e781c36089205d07dd64adf532f98b763dbda60d09db1d76af8369fee985844bd92e48fd30

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
638c1f13027b092e5c87acda620464a7

SHA1
e5910cf8a6f86426044e338bbb7cfa1e36098b7c

SHA256
1391b64f11b8ffc68865d77338b287da115547b9363beee759c8304633facbe8

SHA512
21d6657d8f17013f0da600cad3e7c9562277c735ea2eba4c05d17dab3359a56059cbed601afe6ff999eeec3a504530b5a6e9539951247c716949ae10b3d8c65c

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
f48c31c7b668ec9acf9743c71160767c

SHA1
f5dee2bf6f793f335a3131499622ac88ed122009

SHA256
5efeca82fa7e49298c8f1d5c610df769f3ccfba435fa1214873b0859d9f7f4fd

SHA512
b6fec048ffeea6f3ba556c36252f3f206440275c160dd6596b25150ed6f509bd331ab5408e90ee279322a5e5b9a555c973092ac2d6e45bb29ce6e697afa5c3ae

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
49e320d93eaa5b78e0d107f3a4e4af31

SHA1
7edf472ffdc55a695924b9a1dcd110df1efa53c9

SHA256
c9e4538a2c69e9adc324e4b379c202d68266ad909750ea55272b95c00ab38ab9

SHA512
8074b1d85904fe2b9247dfdd2774e62ae2101d4edb4aa3601be321e1c158e06f5bd6380f9d860bd7f1ef1d8e634cf2113a88bff0f9d304735d16d78f063c738e

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
f744c04eaa9d50c9e4fd7e36cc43ebe9

SHA1
247381f02e7b397cc6c46e54989d660415c0203c

SHA256
164725a0db3e4541bc7b927ef25ff9ea930faa39d94558278aad467348cd9fda

SHA512
a62fee1671889aa2f80679b0960928090a4637a5f3bcc64b4a52f22d83a75fbc0266a2d18964fa0d227548add1e2fba21725363fef8473e2a0aaec03def6aeb8

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
974f3adfaaf24fbfd0ca5c207b06a3e0

SHA1
ea40e1a56a091ff820297dbe974f04d77900868f

SHA256
9e8a3516f9d59ede462468561d6f3fdeab5f8bd07ea71cfa992b9df5d5af5539

SHA512
0ea58826f6e1ace4ec2320c24bed70669c0ff7df1312288d012cf3eba8c1ae3771b410f5d235ff129e69b6fc9ff858decd7655e69ff5c452f9be6298bc98c475

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
a8f976e04393c0ba24aaa882c97809e4

SHA1
a85173c99eb414dc276550d34851315c1281e0f7

SHA256
314ba8bb1779ce70437ac5de4e1b389540b3f24709543fdd0b15e3796e34cce8

SHA512
3b92049a760c3f40ce9d0229a200fffde455de3241649dac8bbb427c4b8e274796b22585f901287dd2f8786aa5fe8e5d429b4123ddc2a112ce977064a54985ed

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
29f8f7389d85d664958c6d4d389a4c02

SHA1
f9a9f95d41310c6a220c6ece4a53f93457122b79

SHA256
a9ac613255cc8e31fa1a941053b18f8212ddfa1ab9e00e907baa4e9c270ac94a

SHA512
de23e6e197d8cb8fd19652989837e12bc05269677042ca74aea4e411005e137c0661b02dc5b4f65ed9d944559cf344ea0f3e512b006262a7ed453224e10eaae8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
fa9c494fc9804645a94888da3698aceb

SHA1
5da64b203d9deb2fc624044ca6d54463d9fe4d5f

SHA256
1780b84c3956d5e0b2a016869dfe61b69e5d4fcfbc6a3af26dcc8bb8f0102a16

SHA512
0381a66ac357115776734ddf5b71c1c4f81aad9509d31cb27e2623e1e60a85ab4df835047d0c04801af2dfe5528614e4cf27c4a89b8c10c061a50c702276a41c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
928952da32f562ee1753cc06233a5124

SHA1
38f5d941f70b468372138835654602032ebf9640

SHA256
3a3d9eef8f158b0db3ad1af1ac25e28ff8a1c0260bcbc2dd0e249c4850e257ca

SHA512
cd6d5b81ccee93bbc2a7b86dea610f45b55a6f96960a9adf7a197cbc7a24b6512c4ce299c3eadb0fff11de03abd71b40aab9d01b6094bdcc8b19b914be671da2

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
36a637d4381d09655a3004975347ec95

SHA1
aee788e69a8173ffd0fed93435202ffe55872683

SHA256
e7028616a2c32f81d6fc9ae9fa738968f4e16a1536ab6436ada087e27aa8aea7

SHA512
5eb235c6913b0d0991a14ea6d82b32052dff4cb2a7abe6acec94e34688bdd6b7686a2402fa9f06366af74bd2bf614d337b03933d6b8c4262a8aa8a7ed5a89d83

Download Submit
memory/384-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/384-502-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/384-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/400-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/400-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1088-579-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1088-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1260-585-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1260-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1376-13-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1376-239-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-305-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1380-580-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1652-587-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1652-335-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2224-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2224-586-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2388-421-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2388-290-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2588-284-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2768-581-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2768-316-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2784-244-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2784-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2784-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2784-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2812-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/2812-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/2812-0-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2812-17-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2824-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2824-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-588-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3060-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3220-331-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3220-275-0x0000000000540000-0x00000000005A7000-memory.dmp

Filesize
412KB

Download
memory/3220-273-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3396-245-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3396-77-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3396-69-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3396-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3520-240-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3520-19-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3520-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3520-27-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3920-255-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3920-323-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3948-584-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3956-259-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3956-327-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3956-266-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/3956-260-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4476-57-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4476-66-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4476-80-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4476-63-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4476-78-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4584-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4584-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4584-42-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4584-241-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download