Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 17:14
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Resource: win7-20240508-en
General
- Target: 2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
- Size: 712KB
- MD5: cc51d98598e19213076b45c35ca9a810
- SHA1: e5945b7ef2bd2d56bbd8c2f84ef184ca51d7148e
- SHA256: 1be5ccb39776c73f5df6bcacc76ff5f6357922b8228c7179220f6c90ff7957e7
- SHA512: 6ad3109346642266838a11cafd3a7c7114dd2f8adb29d5a76dca9454800409835de296423fdb5e2453aa78739d5d089012fc9a32eac974f7b725f100999c5b61
- SSDEEP: 12288:btOw6BaYYDeWyJnDawHnwyyE17GdybhWV0Um8CDY4fFYhn0ojkVT+48GdWQKIMS:p6BxYDfyJJHwyyU7QJm8yPtYhn0PTt3I
Malware Config
Signatures
-
Executes dropped EXE 22 IoCs
pid | process
2344 | alg.exe
2540 | DiagnosticsHub.StandardCollector.Service.exe
1952 | fxssvc.exe
396 | elevation_service.exe
4132 | elevation_service.exe
4548 | maintenanceservice.exe
2240 | msdtc.exe
1276 | OSE.EXE
2224 | PerceptionSimulationService.exe
1444 | perfhost.exe
3280 | locator.exe
1588 | SensorDataService.exe
3212 | snmptrap.exe
1660 | spectrum.exe
4292 | ssh-agent.exe
3196 | TieringEngineService.exe
1164 | AgentService.exe
1516 | vds.exe
368 | vssvc.exe
4332 | wbengine.exe
1704 | WmiApSrv.exe
2380 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 31 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
pid process
2280 2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe (same entry repeated for every event)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 664 664 -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe, fxssvc.exe, TieringEngineService.exe, AgentService.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe, alg.exe
description pid process
Token: SeTakeOwnershipPrivilege 2280 2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Token: SeAuditPrivilege 1952 fxssvc.exe
Token: SeRestorePrivilege 3196 TieringEngineService.exe
Token: SeManageVolumePrivilege 3196 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1164 AgentService.exe
Token: SeBackupPrivilege 368 vssvc.exe
Token: SeRestorePrivilege 368 vssvc.exe
Token: SeAuditPrivilege 368 vssvc.exe
Token: SeBackupPrivilege 4332 wbengine.exe
Token: SeRestorePrivilege 4332 wbengine.exe
Token: SeSecurityPrivilege 4332 wbengine.exe
Token: 33 2380 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2380 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2380 SearchIndexer.exe (entry repeated many times)
Token: SeDebugPrivilege 2280 2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe (entry repeated)
Token: SeDebugPrivilege 2344 alg.exe (entry repeated)
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description pid process target process
PID 2380 wrote to memory of 3140 2380 SearchIndexer.exe SearchProtocolHost.exe (entry appears twice)
PID 2380 wrote to memory of 3828 2380 SearchIndexer.exe SearchFilterHost.exe (entry appears twice)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    -
    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exeFilesize
2.1MB
MD5f764245b2f4d6ea13869ff1a30c06110
SHA14553eb0195913c0a57d60d6e490693962441bbcf
SHA256c05a8b63311b0e7426f1e6a9370b8d63e372a79326d76893c2710f50280f63ca
SHA512d071db31cfa005ec2bb2fcd9cf0d3fb036d52f4e12057d1bcf6c228320ae146246e43db3d1c587c2a127449e197bfdec674e6ae4550dabc1bcf42f4180ccb5f3
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFilesize
797KB
MD5cc0d9b25dff008278dc8d11e381df8fa
SHA1543a0e3e18e8097e3355a09e29dbe281a7213739
SHA256c6d9fe2818d5450e2a4f80d57d96ad7a790bf24fe90ee6f47f294a35ea72eec8
SHA5126acbefb9dbe6c8e3be265bb4e8b894a2658a17abbc614841c609bdfd7ad6ecd5e8129bf361ad4aacff3f751575fbf09ad8e61507eca5bbf6885e8fd4cf1560ca
-
C:\Program Files\7-Zip\7z.exeFilesize
1.1MB
MD512bb47919be1383f0fe435d6ec029207
SHA146e2bb7dc452a8ee077067d014be330b89316df4
SHA25681b22c8b979986b7ac3d6314c4e0dd89704e6b3cfb696b64e506402dca870334
SHA512c0454885cc7997f742e79eb17ace80f0e0a4d4134714f3099c3720cdbc64f6a63bae736d702dc7e1892b0193c8add43d1e2238ef4851f3263b136770e0768862
-
C:\Program Files\7-Zip\7zFM.exeFilesize
1.5MB
MD543127faea9cbe78d3a8bd90bacb09e23
SHA197ec35e17b6503d50f44daf4066e730312635549
SHA256e366108ae7569d8597638996275a775b1872964cc7817ac9f169e4bb804ce216
SHA51201c48e85f88a74e6448a751cc04df101d5f3c201a8e0a46b775505d3942157c466a4858013ad0048690540e5e4c6164b170d461f2c307a112386e471d324e2ab
-
C:\Program Files\7-Zip\7zG.exeFilesize
1.2MB
MD5d0bf86b7fe881444e052c359c65a43ea
SHA1f926816055b47db1f2b0c9ed5f386b12534a1fb7
SHA2568e1b45a545bd5e80b5595c82e5034bd5a203d9403c3407d55ae4ff17e9c447f2
SHA512e812c0a67ee00b0a9b8257ab75c9788f6e32282bdb44d1363202177b402b1348561566ce4e4d85675a7d944767f4318a8cadbf2b052b39333840e64505d362d6
-
C:\Program Files\7-Zip\Uninstall.exeFilesize
582KB
MD5b8849068e17f78e9d79b676380c8daf7
SHA1d2389ed2fd00f60e0fa255de38d4b2d0ae557050
SHA2560abab2a06887c009f6c8b84d17332f27df3fe83b5d1a6d8022bea7bd52c710a0
SHA51264e6e6caa92d936159b7463e32e2cf7ef48db8bb391fd348c8d87b0aa79c9bcedd4ccd430d28566e8a0b0ae586a5350c40b16b343fc30d9c0939ec238d67a718
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeFilesize
840KB
MD597d6850c1ddf597042a10568f6d2429c
SHA1f2e2b3153ba898c1871bd0b232a027974fdbe6ab
SHA256cb802c344493767d453e9a8259f9d53650a7140532e9a7d9dd5ab619967125f4
SHA512628fb1e02ff830b2e46b9d918341e2e365a17d83e5bdb852b59b56ad0ed53e6ef243242aa6392806c1f373e7a95db161c0707667dbcc399e1b4a09ff2c994483
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeFilesize
4.6MB
MD5d650d50acc37532510c3ea237015fea1
SHA15a71242968e24fc878edc31193bc5ddcbb0c706b
SHA2561e39c8b2127c6467ae6037e66ec6b765f9821c46f76c10d78cb27b5e4803ef86
SHA51225f4d69748757d4fcf2bf74b31e28c1c79404700ecc13361a81cd88ee7c963bdd472a3e8253495325bc6e593a29fe9e34fd9d56b1b298daabb21bf436050ea04
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeFilesize
910KB
MD5b9f4b0ece709c27d2c73af1fa118c5f7
SHA163f1ccbce0fc30c04809519d14f15f1a8113be20
SHA256bbeab2151d1dc894c5abb7447dba7fedb90f3d94c0cc3768120a8a414df7b42f
SHA512c6e0696d1c3f36c0bf5b2a8123205a78ad94a69cd1b09d3e23e247aadf6d45ca3a1d6c562a65a7ba4a4a962f3517f9109694950c03d4b67229b36b97eb244ce9
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeFilesize
24.0MB
MD5b7b7dbfb0c64efaa37122f25f90ca929
SHA17581fa3dd113e37dedf3115479639ac02c44eac6
SHA25616df3c503c2b3a78168a6c6e9840b64ebeef2911023a13b4c300d8984f02c729
SHA5126126a26e0d3ae00601cb7fe3f2c893627524afa8e200741e660f65cd761c6604a3205cb24a0fea3777de1c31afbb37fc45e2b02281a07b4d8d49dd4c18582a31
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeFilesize
2.7MB
MD5f02dab71a63cfb4a428c1cab6caec530
SHA12ced99efabd0eb0bb68112059ec765ba02a784ac
SHA256b3eadb38fb588d5b4a5ab819e8dbc00b3e87b8218bc68fbf3fac0be593f8633d
SHA51261825566102b6023b103ef8838fda39636f8b30f629aa939976f1fdf85c5fc56ea099495413ac0764d4273f32048914417fa532bbc3e2b69843d4a8ef2c79542
-
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXEFilesize
1.1MB
MD5aaa07bed5d72698be2fbd61bab42199b
SHA10a865909d2655d9ae486e621026105c58da3f6b2
SHA2561be1a19574f4a0726e26f7e2192b1d4398ecfc053d1e56876e5fa09fd2591f12
SHA5127c4299f28ed204ff3dfb4d741b6666e13ee7ae1c62bcf8c2a1c0baadca5b28aa354188d37dec0f4f867401d9582f558a7a7a1d9c3a214dd4a143deecc5da1194
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
805KB
MD5eef0178704d50ede8a9acb95540e373a
SHA15adb13bc6b2182e86d3812cd6d69026f26a76c4f
SHA25629982915688fbfbe038c7881c4fadd0c39193b58b2447cd86df53e4fbeb330ba
SHA51276a982ade05efbd549e01d54eb90eb22a8d969381595f1f27710412ccbb9498313a4db241071675f8762be17085cf29adf04c9ef44e6b2e070fe810bd881f97f
-
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exeFilesize
656KB
MD5e9537f3c04db307544f2c5c8f61d0a21
SHA171965e05b95825418d152a23623758212fedfdbb
SHA256bc0c3618eef9fb66d290abfd784731ea0c3856a0afb354a962aa73ef429c0175
SHA5120a4f57dd61eba53aab24fafbe758977ef00071960e536b57f9805d35ccf25bf50cf3519544ecac86c2d1efc8e4026ed3240a12364a977fd838d0e3d6944c0bbd
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exeFilesize
5.4MB
MD51379a8321d3e09115ea29539b3ad6725
SHA1f077dc53344107c2dd295eed47132554bd412bdc
SHA2564608b2826260eaf662f0fdd18805d1fa53532059c529cc18a10f0869df88a06a
SHA5121051bae2e0d7b4ca55f6285c7e5f9fd39ed19d5fb5fc594daaebf64865ce8487d17df2beafcea6e2aefe49f98f34039d698a0c8ba16ccbde38dd027bb6a2091c
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exeFilesize
5.4MB
MD5caead8d085eea33667c8a54edc40a8ac
SHA1cb21c9528f1333cf45b1517cc38e69b04d00642a
SHA256b4132b88c7128a054f4b9687c2203fbaf0bde3e5721244d4a78ebd9f6b79d586
SHA512943e9d58ee69b7ca728b004c1fb5202358ac907f25cd9d61c6227c645c4c7c6e4c86345d5db39246cd91cde37885abe2d80cef0902fb54270fb85353c2ad9762
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exeFilesize
2.0MB
MD51b1084e58a7b3c8d473a50221b69b590
SHA12bb93c81faa32ea2d8eda87f62b9d62fe10c292f
SHA25604f0337dea81560c008be5b8dbb24bc5257a38856bb42e694b2234aada2f4743
SHA512eb535fd5553384b45443787ececf265bcfbc2302eed7c84b2f73ef85a2d141efc39b42e1b8910873b04cf1b45d4e7c04dba0698e39d355d63a96f68fd59fbfa8
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exeFilesize
2.2MB
MD5d65f05f7fb8295b8878b5b29d90ebf81
SHA1cc9fc7cc8e1723b334a0d0ba0d0ae5f6fd0f6e2b
SHA256ecc9541e8d4dea4d092a6db39aec09ba2acb9448f28dda1afbc250ef84f4afdc
SHA5123ac6f5ea51267f75e4ba0ba50ab3d89b07356e0cb4f0dc4904111b3ad72b4d0a5cdfa22f26166ac92387a5242aba8ff70ae23b0e7b9052ce6314546aba3e3c50
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exeFilesize
1.8MB
MD501d4829e925ee356e03a2726ede0e2d9
SHA1851ec97a184af7a4413f5fb69f729176a395aa75
SHA25698d6d0ce88b9a5c11a44ab540961193bb1f160e6a7919dd72fe51e6283bd1476
SHA51202945c447c6064df81d3229873545161adb0c417fcab90c5b5ce706f8fb516191a7b60e64378ea2088841214923c66ff6c6d600ee6d038ba318cadb0fbb284e7
-
C:\Program Files\Google\Chrome\Application\chrome_proxy.exeFilesize
1.7MB
MD54e3763cf547bd1ed5902102578197904
SHA172adf59cbcee63ec53152bef509c0658bfbef853
SHA256d65ba27db2165c776aae6830d2e329dcaabc0b5f9a8be84c3c1f88f24dd0df26
SHA5121a17a988de414e21d3d66e903461471fd1ca7342412bd3a330a71ce9356fc8e613bdcec191f00e36f041b17e7fd74bdf13a20a7dbc2bc9e9d9a0cd3cc69dcad9
-
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exeFilesize
581KB
MD55442ac871afc952d2bda6deaf3dc93be
SHA153758764a6f4a3014a49002f1b276ea9357fda84
SHA25644b2b71bbe5f3d1a14138a6368ba0646f0a4bbc339e1786b94fd64b2b2c5d38e
SHA5122c8d9bc688f915fcbe4fc6b608a4215a1b57b0e2c57405ca3236252eebe32957941de2eb594c7e3e835e335b7a5f69d862d3307f48d0d64943f741a448036e28
-
C:\Program Files\Java\jdk-1.8\bin\extcheck.exeFilesize
581KB
MD5b47aa40533725da198b858d843b3c605
SHA1f26a71562501715bdc2ec13db6bd510f008790fe
SHA25634d08a288dfb63dc21af53de0243c6f3d50aa72df75eb06427f628756310660d
SHA5129793caabaef43f1bb59e371f64bf5d88da80c3f52e9eb4f7df55e0e2429fa0e831e7b577ae21d38f9cc83b982919582f565a603202f12c8b1649198052da229a
-
C:\Program Files\Java\jdk-1.8\bin\idlj.exeFilesize
581KB
MD5fd22975aac48494a5f7236ce25e04aed
SHA1ac490db9f4e710cbdfe09d7deb658cd3817a4b73
SHA25612fe9897d479e36d3bc1a5a50a564dde9a60a2a1c71f1dd7962338b7f0abd3d6
SHA512eb1b0be1500669708ac0dab0c09c6dd87509e16a26f9b9d201d6494026811d7d332dbfe554898f4836517d970e51108e5d74ea15e3c9e4cb5d4c1edfdf6f8f77
-
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exeFilesize
601KB
MD511f9ae599b167625dab7e1be92990c1d
SHA10a09dd9519d7bb7ca6e5c73b534d904522af07e9
SHA256bee291c6ebd0caa92170c7b7d725b960771ce1130e99a399613e740fd52c28cc
SHA512b76307dd47f0df62917b8cb5a2194d397464c7a9e354251200b305b23c8c2d9ee599a86b666d09b68263ceb2be54c50f6938e78d4dc572e6fcfd86563de83c80
-
C:\Program Files\Java\jdk-1.8\bin\jar.exeFilesize
581KB
MD5e90e0c5f7336810b5f925742e9426953
SHA19ad959335440daa361c15c54178a1bb4614fe211
SHA256783c344c11e994bf0b7120d28d12e86481f0cb9daf1753ab9a75e6e9ced60aee
SHA512cc1c98bfcc8dd0e885427e6f1104610c246e36079324d7d3c2ba53d0c54c51c3271dda624b62d8f86830151ba00e4aa4fcbd28602a7b475ebea6755450d090c4
-
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exeFilesize
581KB
MD55c28c0b515f81ab308ff9978f668c751
SHA1aafafb89fc520d8c5e3e86ecfe467daa11181456
SHA256da85a18f3c855f29c740b25d43510efc7514a078e63fa744f9a324dc082d465a
SHA512ef3052da2956083a0e19172b5686d4a4de214492cf84c7736922410d6e111a8d0ab4328d28e06182c7e1135fa7da0e713e399ba8893f55406b197fa841a319ca
-
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exeFilesize
581KB
MD5c5cb359b07c3b8702308b4b55ea21a97
SHA1edc343178406be7e0896f2f8f62e7517ef8e83c0
SHA256e66f92ecbbfff42cb1793127a2f6997634d476dcae297bb57677631e3a544982
SHA512f5c9bdb92092a8f1ccdff7b6a2ab75bd4c1495465ff97c1fbf0990e02da0d4f2b2d543498f6ab6d6d4775128827a4209e09913dae4f1887cb34d29fb50d74bde
-
C:\Program Files\Java\jdk-1.8\bin\java.exeFilesize
841KB
MD55cb0f3ba73fbdbc17f2a10ba4b9a04d4
SHA15f551413366fc1de5f9d84538e84690c9171532c
SHA2562948df16267f70f78f766765a6ffac2e4d5964f365cbe1fcccb6df1dee530bcd
SHA512b81810fb7539f75f32793b51ad6417116123842f852a8afe94c54fb1b30ef52841754412488c59bb5e2d034e1676d2ac3e411bf3bf3479a88e899ac86e6763b9
-
C:\Program Files\Java\jdk-1.8\bin\javac.exeFilesize
581KB
MD5e92416d2b027063d49ad9d78e9cf4457
SHA1f01a0b920c9960928c005a975e261d3e15eaca95
SHA2569ba51e4076ce0388265c2fa14ea42f116f45f9be695a9b47c9787cffcf5bca5f
SHA51280e7b9c362f9ede0867b3c77cbe3fdb73b667a24d4e34e12b9911ca81faad8528822535797136ead4d8ae6deb55dc87fda2554e4cdfc46283e891fa093780cb6
-
C:\Program Files\Java\jdk-1.8\bin\javadoc.exeFilesize
581KB
MD5124e39983b1eb6d218f82293f3978150
SHA1223e536e76e18321955e3a2158edfc5f85ce60e8
SHA256340cf63843721bb2847314d7abeae756c202790f5ec40b10368982088e64896b
SHA512b55866e35e8027a1dac3e824c729bd9069f062bb184d436d0e52951aa5361d1e27179666eac2e64159caa351e180e5d918b6e84434028703c3d3531dfdc07835
-
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exeFilesize
717KB
MD55c39da04d9a602e60ebbb33bf860118c
SHA1708f5912a5a680c0e0812d7fd0aa73ac256142be
SHA256aa0d00eb16aed1bc0612c122c177231db58a96189cd15a39a9501ed826e8af09
SHA512c9fa4fc0c0bea5cbec307b31fbd8cd35494384f5955c3d8f31574030a53a7564be50f7c6c2c16cc3b8e04da6971488a8694044401a34fe85607b7083655e014f
-
C:\Program Files\Java\jdk-1.8\bin\javah.exeFilesize
581KB
MD58aa50d61a84b3adfb3dc71248b1253ca
SHA14dcf023df43ffe096f3ccb1f577e950238afe0e3
SHA2567ce29286c087315eb730e03ec92da696d60b0c61e52dfef1eedad77a5f84714c
SHA5121ac214dad36764d67063f596cc1d7f2a2e466e7c5ce949973c5a82d1572534d0a41a7a11c625ee00921e846831162031a7a54e29df7daea25910d469b2521bda
-
C:\Program Files\Java\jdk-1.8\bin\javap.exeFilesize
581KB
MD51f0db299ab4299c78c59564dff58e1ff
SHA18897abfba1dd0deffb37180629e97f5b9b2d6125
SHA25678911070e243d265b1f2d5bb5b89f528e1a3ad193f9f6e88d49719ade3bff854
SHA512e6555b4eaa565b293a7a9c0d0ea50bbe1d8ed25f7bbfef9dadffaec5ba657978f490a6963fee2c5bedb59cf5b8fe1d6caffec8f78f734cdbae6c483f77d9c3f5
-
C:\Program Files\Java\jdk-1.8\bin\javapackager.exeFilesize
717KB
MD5a9fe4c3543a1a886bf3ce58c26038426
SHA1e1d64fca18c352bee0f6f49ffda7926361614510
SHA2565f89a76743e8856348da01d253685dece1dc03f3f7bd7a31061059cfda6ef627
SHA5128c28f645875279b3a252a7560f6ac29a9c1aed01a14a41b682b80263e33d666c92bda7660bbe25b5221b304bcfcd33bb6d7dea01a9bc16e8c678d5f1095578ab
-
C:\Program Files\Java\jdk-1.8\bin\javaw.exeFilesize
841KB
MD5f22f107ecbb5779211e7768cb3ecc170
SHA18ee9f4c9d7e152be8a338c8db3f8f2578f142d6c
SHA25641bf2b1b56596154c2a2f52890a34fec666c3026c4385e94500923f3e9288987
SHA512e837f33fbb0552300d0d48a80fa7a07a9954f496baeb73d32e12631d7f06c4774d34a47e9772082b76c015f98120334ef4032eda50b64ee45e353a331e95f312
-
C:\Program Files\Java\jdk-1.8\bin\javaws.exeFilesize
1020KB
MD5216c2e9547e82266a615022118082292
SHA18ac1882b4f7f90cad7a80035bea3d1c76e68048c
SHA256dbbc51f2cb4218471be387cd5086f7de1b0731c91955713dc9b5ed69eebfe380
SHA512345ec5639fc38926142d8f961ae34dc6e668e14532d0d9be98fa6cfbbfe6b74e04ae4584bccac1403824aec1f7a60b7517cde9c36d8f1b687ce3166f0ffd4663
-
C:\Program Files\Windows Media Player\wmpnetwk.exeFilesize
1.5MB
MD52d4d20370ed57924513db1d18f2d2c00
SHA14c90e5a20e7a5653ce5d88924164c46742186a04
SHA2567f8d6ec58adf40875371c28a8fa8620ef2593c2bd4daad83fe9bd7ded916b96b
SHA5125e614af45446a743c19448d5bda85eba6e4c3c2e740185d79b5703331d1b12b869925044f7def32ad0e757f11ffed151529d1f3d63e0e66db7e7be4bd133bb53
-
C:\Program Files\dotnet\dotnet.exeFilesize
701KB
MD54fa53eb111ffb14e2ed60f5b6e4b0754
SHA1a533e3aa4e02f76b85fd695cba51ea4da2dc4e84
SHA25684ff15682cf6b2ee93613f69a3e5cb20436122a857051eb33c3462ff548fc8ec
SHA5122bf4af4b2bc9b6fc751750845ed49f23857fbe24eebeb1e216ddb01cb24a17d90429e46f8a173da68cfa01214cc684c84b85f35e60fcd09b571e806e1622e9fb
-
C:\Windows\SysWOW64\perfhost.exeFilesize
588KB
MD50e44f7614953a981484cfc5665589fdf
SHA1d82c4924f8e2776ca1a766c1e8cc6ab16f42ec25
SHA256f32b577f4d34997858dc2fd06133472417c24dc965ded15fc271c7af9f662e8d
SHA5129f23b6a3c7ef2e5c5a9099f08c97599ebdae0fac319cbcc7117197f3953d82dfde1c487b0798b330463ef280d923a9ae80452aea2eb95091da54441ca5a37b23
-
C:\Windows\System32\AgentService.exeFilesize
1.7MB
MD5b2d5e0fe26cbf661ddc12be251d766f6
SHA1df96c13691af88ab7c8146264d002d6ab7b82388
SHA256302d272cd6d0c636c8e617329895286bb9f92f2f810b924e863127d0105e539b
SHA5126fa8b8629933177b0a733031d101fe08c1164060e2cc468044a9ffc09235cd745da5003921e32291d6627e6cd3a4399cef35464de61d19248e9ae88c19afa47e
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeFilesize
659KB
MD58062fbc99a40bcfd6f8f10fddc2fd1c8
SHA13a573cbfaa9d2c7f45a0454af7370628e78a919e
SHA256c24ee2310a5a9679b8f404d87f14defa8168f26d4ebd4869edacb596086ebcf6
SHA512dee473316411fc04b762a58e313dcd628bc252eaab8f5e3570136271c682e88e32d5a13ada0476cfe82541dd7c4969650cde5ec8343e3f44725a4cc3dfcdc7bf
-
C:\Windows\System32\FXSSVC.exeFilesize
1.2MB
MD5c4b1d6653acd575581aad488fef3158a
SHA1962de8a5beb8e3be3407d638719ddfd6aeefe4a9
SHA2565503716b6ccbbe9aee12c98b2328d43344009cad9228fde5a1bea18774a47261
SHA5128d27adf87657119762dd5861e60205fae80d3782e975fa24f796f6e5c79456398816198cc28201687050e65f0608d2b52c6efcc1cc07f8d1645fa3a4eeeea304
-
C:\Windows\System32\Locator.exeFilesize
578KB
MD56dcd508eb3f233a6a7d9f8de0c688948
SHA103b4b2b19aad5d44e5a80575a174b273c4420a68
SHA2562b435d0948da1dde1caedb96224bdaeb000622f4388653877544f31733b4be1f
SHA51270d0da176f1a37b134a558120f3181cbf06ecc5cb8ff0aeb326ec2b46de3d22dec0aba5639e0cb57af51897bdb004bb61778ea7342c6b9a04b3c0ae2bf4b0f68
-
C:\Windows\System32\OpenSSH\ssh-agent.exeFilesize
940KB
MD5ddf9d29d5e7e766591fe9d5b2c5221ef
SHA1748fd4238b337ba8ccf0c688b0837ee716d2015c
SHA2569cf7eb78837e0f527ae6c84c18ca39e3344d581bef4cb886391f031252169624
SHA512fc2d06902b118b9d8c0c9e16316dccb05e87b45c05374e26ea4eb034eb4fe10437ad06ad33c88cdd20139e415a59cd1e1d1596b27d3c2ddae5c30e37e5683eaa
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeFilesize
671KB
MD533999e3d645599f354368f261c5baa09
SHA1cabd0f9f175607307f0c9bfa7dbaf3138e58bd49
SHA256cb88cdf8cbfc4d36ce0b48d43143b239c22c1bfb55b59fb77d716adba851da13
SHA512f1de351a44cfd6e199bcc0ee31734bd7ba010ec8a6db43ad3e39c4e09fc11f30b7fdd7665bcfdc05de4d6a9a6557415d6cc781b8419ba452597baadb2df433f6
-
C:\Windows\System32\SearchIndexer.exeFilesize
1.4MB
MD50349e8c34fc0b6b7c26745f06cb61803
SHA1fac9976e0e32b18ce6cd2a4399ef88927d18141c
SHA256e295720f8b9e5f78beed230158a0c65d689b8ff79f188253edc74a3f07969510
SHA5124609fcafb6fd974608512b783abf41aaa8fcb79316967da6d37f17bdbdf7ceaa5cb090fcab4bd618387ac5d9c9fbd45ac290a39cd12d94cc08b311e6385be84d
-
C:\Windows\System32\SensorDataService.exeFilesize
1.8MB
MD5bf504ae384af7af1f20971f9b18fd2a6
SHA15ca2fe9371c3c5bfe035df7223e5be9d49e2d805
SHA25686ff1b5f3a983028a6da3c655e1ac0a7cf8d2d8638016248687d6d9ea8c05498
SHA512671aeb8f4f129fbed487b8b1d76564756b3a84dc1944e08f87f35002edf3a9c68d7120020652d0618a5760a7f3b528d94e6d84c47dfd0d19bb89137e07bb5d3c
-
C:\Windows\System32\Spectrum.exeFilesize
1.4MB
MD5fc182742cf60ec3ff5d91e9d2e0212fb
SHA1c758e26d995b31e42a6748a2e029683e88bbe2f3
SHA2568b0f45a34316a604e5d507fa38b678dfd27224ea673eb92692bfbaf280a23a4d
SHA51292ea8c315e044ed00d4fa55ccdd9bb9ee72e5396a6ceaafae704646814485d222db74fbe87586d5afcab223076c74a5e8c11b9eca8005bfb63735ffa5a1ba79c
-
C:\Windows\System32\TieringEngineService.exeFilesize
885KB
MD560b8dd519735e8b5eb2c698d53cbb8f3
SHA1368c0457163d1a12cb6d4b3d7b88f79b751fac6f
SHA2561265f5fb2f3f24c88a99dd892289d8a3970595bfa7580ce0110299a9a970fc7a
SHA5128ac7d8673b8cb7e1cea5884961bb05df08dd61398bcbaebb662a0ce30a0e25112ac7348198bcc83093ab11c4be6881efca025a4d14409d05274bcdab258bc8a9
-
C:\Windows\System32\VSSVC.exeFilesize
2.0MB
MD5441edb3e64096bf746ec60ee85d5d79d
SHA1642e5af0ce3de1dc8ff05c3c7e3223505f910e85
SHA256d5f1e709c48381141165c97a60f455bf6a683027cae5dafadcb97ae33b0f1245
SHA51257c7c385b0ec941c69e29441ed7b54b86f20b337efdd34ff0f49b62a3f65246f64d012dc55a0e274b83f4c576902bd9501256043bafdea699162f8a6656fbbe8
-
C:\Windows\System32\alg.exeFilesize
661KB
MD5babeedf03d936b7fc2247e591101b4a4
SHA1b199bd0aed6fb673d84f85e1a81c469a17319d86
SHA256662be300e741e310d7e3b399b4f24488922cb2e6867238999720b3837b320eb0
SHA51207871b2dd83c13334ad6812517ce7d58714d98b8f846711eaec0b317e3ada99ab5f607a537dc0b1b3a7980aff12d36c8c775ffa19f286e2193e23f60d6bcf4a0
-
C:\Windows\System32\msdtc.exe
Filesize
712KB
-
C:\Windows\System32\snmptrap.exe
Filesize
584KB
-
C:\Windows\System32\vds.exe
Filesize
1.3MB
-
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB
-
C:\Windows\System32\wbengine.exe
Filesize
2.1MB
-
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB
-
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB
-
C:\Windows\system32\msiexec.exe
Filesize
635KB