b7ea7fd5bfd153f565ec0c39292faf5a899a9572c13d34620ed32490b2cd996b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe
Size

1.6MB
MD5

9a8a90feaee25d618d709685a20315ca
SHA1

448ec1a6545721f625e473e05a9bc6a729f54832
SHA256

b7ea7fd5bfd153f565ec0c39292faf5a899a9572c13d34620ed32490b2cd996b
SHA512

47faf4af6c8a4d1c4a65d5d90fbb69998e8dd70a64c09a95e6d3a85cdd012536c2340c055b0efe2d9de3faeb9e8fc5979ea976ab2e7835a005d04ba2181b9bc7
SSDEEP

12288:k2lWRPhhA9PRWg9OxKXfxTHP5vDDtbxTezGwd7EM5dEfp5MkVK93P+SdkSS+C3/B:k2lmh4RixKvxTpDD6qrf3MkIkSFuv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3628	alg.exe
2480	elevation_service.exe
1596	elevation_service.exe
1540	maintenanceservice.exe
64	OSE.EXE
1848	DiagnosticsHub.StandardCollector.Service.exe
5012	fxssvc.exe
668	msdtc.exe
1488	PerceptionSimulationService.exe
4612	perfhost.exe
976	locator.exe
364	SensorDataService.exe
3124	snmptrap.exe
4044	spectrum.exe
1204	ssh-agent.exe
1648	TieringEngineService.exe
4548	AgentService.exe
3596	vds.exe
4460	vssvc.exe
4556	wbengine.exe
4076	WmiApSrv.exe
5092	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

elevation_service.exealg.exemsdtc.exe2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ec890374293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a6460e50daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000198f0ae50daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021b9d3e40daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000497dd8e40daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d6803e50daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053f4cee40daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db2000e60daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000556bc5e40daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2480	elevation_service.exe
2480	elevation_service.exe
2480	elevation_service.exe
2480	elevation_service.exe
2480	elevation_service.exe
2480	elevation_service.exe
2480	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4764	2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe
Token: SeDebugPrivilege	3628	alg.exe
Token: SeDebugPrivilege	3628	alg.exe
Token: SeDebugPrivilege	3628	alg.exe
Token: SeTakeOwnershipPrivilege	2480	elevation_service.exe
Token: SeAuditPrivilege	5012	fxssvc.exe
Token: SeRestorePrivilege	1648	TieringEngineService.exe
Token: SeManageVolumePrivilege	1648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4548	AgentService.exe
Token: SeBackupPrivilege	4460	vssvc.exe
Token: SeRestorePrivilege	4460	vssvc.exe
Token: SeAuditPrivilege	4460	vssvc.exe
Token: SeBackupPrivilege	4556	wbengine.exe
Token: SeRestorePrivilege	4556	wbengine.exe
Token: SeSecurityPrivilege	4556	wbengine.exe
Token: 33	5092	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeDebugPrivilege	2480	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe

pid	process
4764	2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe
4764	2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe
4764	2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5092 wrote to memory of 4364	5092	SearchIndexer.exe	SearchProtocolHost.exe
PID 5092 wrote to memory of 4364	5092	SearchIndexer.exe	SearchProtocolHost.exe
PID 5092 wrote to memory of 4972	5092	SearchIndexer.exe	SearchFilterHost.exe
PID 5092 wrote to memory of 4972	5092	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_9a8a90feaee25d618d709685a20315ca_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1596

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:364

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4044

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4440

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4364

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c1251712d07822f6776bab24820d2d86

SHA1
e8235bf605515298eb4f8d6a9f0b241fd73d3bb2

SHA256
96e45cd386ffcc4fe0e5f0a4c3dae7a84f07fc4bdbab3c0e78d4e43682f8e200

SHA512
4d70eff35a26b6580469aced2e170381fb9c24bcee998a2aba0a341674176a8f31331b8999a8ef1f2eb64200177711450edbf827785567848434d89ee891d53e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
9b6b8cc3298c225729282e5716bb4c26

SHA1
792c54fab69ec369720af72a062242445bfdd2c4

SHA256
abfbaded98085128e9a76b9fb1d7c89805ffbefe4ebe6aec3a8ade91bd026400

SHA512
c218dede5ae10342e2de189428ced2a9544a2731cdd0eb9d6f2f4ede4887c079105f123005f838aef1ffd942d4648cf5f86a7ba64bd2a911bbf302ab84b27004

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
f0e82fe2e3ea583e4f57d5702dee1462

SHA1
ff6b8197db29b47cbca8df0a738d2f35eb8312bc

SHA256
ed8b1469389aaa12bf4150badf60dedd203636286a50563b650739d2c82689a4

SHA512
de750b85103c94ace3f5d921813fd8846f9c01dea4f1699a0fb6e43a4d8d4be23993e2f9bb82735caed32b63f06812ef7a08928e0b5beac334825804577af7cc

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
6f57d56cd7a38b53d8e9e5b097f99d0b

SHA1
7638d164753a6a7a0f087740510d30524b4adf1b

SHA256
0f3622d5fc7d173a81d93cb1ef3fed5175030e83c4f08eb18e75e06da7e143b2

SHA512
001ed365e927821f8c0c04698919d0683cccc88a4ddb230d144077c74c277cf68df066df602e30a863513900bbe6ab7423c3f69c220005893cce51c2b1e4905a

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
fab5cfa696c7ecfac373b8c2284c13da

SHA1
0abf9fb2e5834086e57a5be8156a01b71346bb52

SHA256
64e2bd35852923f95c99e7cebb2ab3c9edf61a8265c070799b1521f3097f27ae

SHA512
9c87d933b9ef7677de33fabf84007be0a59dba058cf8d7e07409cfec12455ea4b9d8d38288bcc97e0b1a8e3725f4a16cd42215f5ab315a4173bb139628d6d6d0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
4266a55568ff0c4efab71e3d33eafc57

SHA1
f1f4fa6bc17e16cdc77d699bf9ae28b28443509c

SHA256
a213f1c13c9234e076892ddd278856ec4d754fabf9a31e2610a18aea5d29942e

SHA512
74fa7fc81c2c6137ada12d398897b36c9a7f4694018473d575929bb9f235676ad8692082685e06b49c1b1f607e1c42ee627f19d93bc6c913342a20e38f8c24e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
4780beecdd6d44cb85c25cfa5c0fe047

SHA1
ec4bd9797a453f36e23b485ab113e3293be6bb4c

SHA256
c62ec4211ad1fbb85d8fbce7d982af9456306af3e03956776af834b989b1f925

SHA512
33733d0dad00cbcd153eb78c2530070e689af68cb645024039c1033d295bfbab8e9efbfac283d6a16776da36d3af3fb089c85e3170210ab97acaf42a6abdd391

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
a54f724490c701d400f5d575dc9194a6

SHA1
894865d7e7a46396e19f8449c96941029bf95164

SHA256
db966b01aac4f1db24ca89a8dbfa7e3f441ef035ab69b3b92822bd09461d3666

SHA512
e959d2c66ada8d12b91bf99b934159a3a5de5de754f3633730bfc848b06796c3f883bc4cdc4e22e9200355f73a055adb2ad5317d118088020b95d917381d72ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
ca222a48f3d6ac171db24d87bc0392e7

SHA1
70b64b3a71920ac7a50977be808fe58fbd55ccb4

SHA256
4900a46aaa5a9db7f6321837042aa66e7513ed18334769eac02b61dffe173aba

SHA512
df003e1e2eb64d8820d32285c8ed0c97f253865f2473211016610dc477c44ee88a592202edd918493c3e09690fb233378208d6def525dc0c455874e19d692fab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
febafd3d4947f24c07cf094d6553fdc7

SHA1
1b0abe49c7c0519d9407780d6174c2cf0125a654

SHA256
72eaab927c78908078963b3e01bfba43c85940b80c946dd9b2ec4aea4e688cb1

SHA512
0915b622474951f485f3ac61193720b267ac5f23837e30ba3e6af5822fa21a7f1dbee600e1820c4c3acf6a75f4276d854a9cc31c6b209a4ffad0148deefde7f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ce16f901668e68c51f13c9b97b6746f5

SHA1
e97ebaa5cd127e7b49933b6847187073ebd91ca0

SHA256
fb6b027bd7e70a3215595534bb6b8486691f0a8aafd2cfecae6ede6b1e3054d4

SHA512
ce37344b92ed6d1fda0e2a4722259e7358b0859ab413ba23947509a9f811916f43d7a75cf82f763ea90f56e871fcdffb6f27f58b0bc43d3fe33fd183f980f048

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9842c1804a34aa2062d9d9975fbecd14

SHA1
abf6fc89e63b4795ea6937cfc60bdd4755cc3ed1

SHA256
d74651d870b6b4c56373b3afb5d3d81bf5adabaa243bab47b429d54eea6861f9

SHA512
cfeb6fae3d275488be9c954f9cb6e7e1256931d85de5a77fdc51896932cdd44d172285b06ba7d05a68906bd11910b950c6854a40838bcd8d083b55141bf2efe7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
172fa0d2dc6ca2a8c50adaac584f7cbe

SHA1
c6016d69557c5ff77a36695c6d824130250effdf

SHA256
e8bdee63eeaa82a7d38004765b426213fb608f49fd412d0217e7105e39ef5d7c

SHA512
223cc3049401ee7ecf193fabcce52903747b3f2b91bad2d75d63722c687faffd70b3900ce3aa28cd41c496371433302e16679f179b40713dea778f987b1a0802

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
2195040fa186b24c9faf69e3a8ea8530

SHA1
3985e1362ee659ab4aab140d7f30d5ea6b442013

SHA256
57311480dc5f2813710d0642d5db0b766b77a5cb81ee80dc623c9dea6c4add6e

SHA512
002c995f421eb438b0d28241aea2b5044c664665b7eaaeffc56b81f521fba1f79ba286aa547300596b7f4fc15f1af6fe55f1b4ef73200d6e1c5a5cdfa461f32a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e4df21549a7526ff6878f4c806d1410b

SHA1
b445210084653440967ef37890d63d2cfd81ed27

SHA256
4499c6ef701e2b8cd2863997d6572f26fd26a85f6c7790cb3b20d2a8b009931b

SHA512
02d597683f5287f91bd88fbb21017350c5e90c09a52b3afa3856a0072932332a74e548bcc02227c67ff913cbb39568bb9c215cb01709afed8ef32a3b51e9a96f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
2b44ee7de555670a673c34e32fa4793b

SHA1
4ecd92c999bf36813c27720c44fe42118070e10a

SHA256
f2dfbfa468f4514b76733678ca5b8a11bc976967eeec44aec53060795bf9cc9b

SHA512
1b6a660e4706146d404ce6679ca4264743d8bba6a9c5f72c770975d5b47eb8d8e5daa7affaa3e5ed26d3be7178ef60c363f1e12bf5472380d345578690a89e86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
5f6e71e465df5a60ea51ca1f76533f1a

SHA1
5a2f2ce6923e822631a1d51fc43f743228e2fd6d

SHA256
4fbef12f25e175431b5ec22beb7543457548bdf3a34d73797448feecbb4d3690

SHA512
f647aead5b85c68106944794c2631386d14e2c4c591347192f375b98ebf6cce8276e91f381e70efbb53309b0304781c76e6906af5528274bfb29639770635336

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
f931331aad2beb291705aabb6be4fb88

SHA1
f6a6237e1b01ab03c935d5b3774cef597f43e1a1

SHA256
a9f42099492fde419adf727b87152fbc334aa9bd5082f3bcfade0851f5ac2e51

SHA512
3cf627667ca5db74e32fa1dc57a9c0efdc451e4b1722318870db6097227cc9ec97e7393151660fda826d10d68f75e768c52e3e0aa7fe5e76aee53568e6f54173

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
c60649cb3c6b0c10092a93270a4081bc

SHA1
9763e3aed9a18c4227fa96028652bfd2180ecb99

SHA256
cf767469ed81c169836e65f038b877221f75a53bbc9b5a32a551fd51fc6ba6e3

SHA512
510b10c29fb6a68f332c3bfc882e3228cf85c9303b95c3b89d09cbc2077676943c0114b190f61bbf8529866c43c0d00cc3b9ab2897db8d17068ba3534bc46118

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
c852ad6570d1693f827c49a8f8f950fb

SHA1
6c526adeb78eab95f3f2be938cf629d3074914ed

SHA256
9b8ff570ec60db11a730926ca96c9f4f6dc4a2a50ab776e5137b71d76c18561b

SHA512
03d7a11985950632b95032a9d718053d65ad11c56a0b06bc633c551fd9e4d7656ef35d07bec0fe833d9f8a205c62d2447eb3ef8ba7d7a1e9fde104940f43ff04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
0a4061361d3f3cada9ee5be210eb64a1

SHA1
a475df9627ac41e9b612b4b93fc6686f9de452ca

SHA256
b41055fe68c642fa8e724b63057300d88c8188c1101b00f3376311f84cbb9d9f

SHA512
f6b74e03b4039e4dc1539a28c503dc09d22f5ddab2e73a1b6848d9bec0c4216deebf21b8a1546b9e260cebd6b155349a5e89ddb56089776e5a11acfb55107555

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
35b86153a611d571d4c74478c46bee9c

SHA1
813b8138756ce0eb14288e260646e0a136d4ecf4

SHA256
ef8bf53b2094b92072d7cdb91d587c3de7c14a71c9c7fa56317bcd4a27a84623

SHA512
d4dc35a5a7abe1a11b3acb9f71a69bd4ba04fbdfe302ebc4bea12319eddb137a41a1b8f51d8e3b162ced4b874695e19c015d19cb3d30187ed1d0b16929a60736

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
3254c47c06673e504c6807ca46d6e31f

SHA1
75b3b1fcae9b7f5a591efd4daf372f4132f26996

SHA256
cfe0a815f01a521dd427ce8b7350b374a8edd4b3709c4ef9f49801fcbe8904d0

SHA512
c77cf4169fe569dddfc82589c3e82716753319b61a965601effddf9e840db4244251f55340dae201d5f6a3d6267484f985baffc964b0122403022e268be9f365

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
586900374e6d669782644a42cd54ba78

SHA1
4407cef9833e6063578055bb5dfc85f8a43171d5

SHA256
5de32bda947f2329841d91b27d1ac9ecea32c468c5e3b239b8768657233e0680

SHA512
a6a2ef87403f703b1faf63eba107117e62091503eef1981006d8a16c5acef823b98d5d4f3ac7dae592a0ec66577ff9207c1667bed0375c788d30190d9b9da0a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
4d90eb831b47808cac3b9019ba6dff26

SHA1
eeb5e02df4f27128e2158d7f10c83a0cf6b0f5b7

SHA256
b054aa14c95ff9c0ee68c0843c3ebad9aa73fff54686e5df9ec48a1c3cacb3ad

SHA512
c1696cdeecd4a8e021dfb8b64153bfe7c84fb04c2414eaca431bdd7f5dbe7d24d5bb6407a743a1a3f9abf8fc45b2460cc07e05c1ec780a9ed1c5133af22898bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
b8f232f31348f89c0b186e50108ae4b0

SHA1
4f43ed323b75f7712d69e7c9c2f089876387b416

SHA256
5ab99b29a42d5705142e5389bb1404d75c2fbb288ae8a13c23ec747bf5dfcdcc

SHA512
fd9927bad7433f6af2d215b4f8728f56a39dd5a42e8111fe3b03ea479d158c600b56ec697cb820fd709a4e797f6d9e0e4f00495c9821bb5f260e01bec85a1136

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
2055c5a1cae85b0c034422a85c251cd3

SHA1
3b6d2693fccea9685a2dbf0a5ba113577941938f

SHA256
236c615f08883e06e1f9680f0667e6b88fdaede25d5f2c6a6d4b401966148003

SHA512
f3000c96577bd4a34df3834b1440e4796a419dbbf3882df2a718133d5055b7b628d9b0267fe345892c14ac99dd6b325a98a4e320d27ab47ff2305519325513c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
2430a72926f7c4c63c1998c165cdef86

SHA1
314c0f06ccd4054a3597fbdfb4e2405dd51bdbb6

SHA256
1f3d68c0606d673547419e7ef068433f23e7f3c80f2411de5815e75da4789865

SHA512
b6d3d321b32354bbd0d32ce4920ca15dc9d1a2cd0a857d42f8ca8a0b6e8ac787e5ce3fbe40d4abae60ce408b1b3a3e34f18e93ec9b00238fc004d264299f2f6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
0bc2a16a792e02ae18886150efd3c1b0

SHA1
21c94ffb720b23e47a16312d73ebc177a5f78159

SHA256
2be1ea9e4a8b7a64b04cb4106e7b614631c558b06792d98ae931824b77101081

SHA512
1a381ce341be9eaa3097ffea20343254b69b5535bf01d8554c473c3e491bbdf1dae3cf42a020a99c2aa72e232c9fed9ea498e46060c00269c8480119cba02c99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
01993d4d4a282a75138956b99b04a6b1

SHA1
5a3ad46bfe19abb38d6b59e815b477a34992a4b7

SHA256
0233f3ad0bab4dbdda30a29e9b832045f65979a496240d5ab56d14d4473815cd

SHA512
450f646a4fb51dc9286eb23ec5452929d026ad3a1ab0387ee579a0da0d3814394b6069dc95253025f3c0c761444c05c067172cf13c142ac3c824275752a9f119

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
25fcb6ef785d912e286f13aa4e6e5b5f

SHA1
17765551a13e6a8e6f4382cd788e34247779735e

SHA256
a7ba0b3c05afbcc86984df1749f62b30c46d1e774ab14a9d9b932feeb222a027

SHA512
c50f450ba9378525deb32793c3a7c0de378dfe544abe680da45702832256a8f4e5710306fda5f095e91eff296336b7a2db7e185c02fa732104cd093d981aba86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
51df87832d6bae3cb423b285eed20e54

SHA1
938a9122d235a271c4a6c8b76622d13d8d970f53

SHA256
a0033471a8641d43b8cee88a7c930c79371d3dba41f069ba1628c16612b997be

SHA512
77c14816bc3f96c426a0f5d894df4b0a50e5b4f10ecad559e53d337c7048245ed07dd773044fa216a39c46f7de7d4653899678978ae09568e7fcd8003674b350

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
d0d1edf16947598d16c8c5dad34a161b

SHA1
c265e8de85a616ebf53ccb4a349c9685971dad5b

SHA256
8378bd7b56b60919e14a52c21b6782c44317e662e3e54cbc7d1af92cef3676e7

SHA512
e9d3f6575ea505afa6c82f34f9b5949e22110885f5e38f4787bbc2c18e652347206cb86d2028631b9d52bc2f1f5ab7b7798261b3a3deba6163bb9fb9032305ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
14aa72eb35585d184520804d02a78e21

SHA1
f7a2120987212eba141db5ee7ad366f3b3190c76

SHA256
91db1f85cde5cdd5a493ded2a556c2d0ee2e269d4d3b57c0aa8cd8168a0b1805

SHA512
e1b1f75b0bf105e6bc4c7b9b9b181285eeab277b24381830e5b80a9cd0c545d719dc99f2d3e469bf321213e2d54c8aeb903caa05839da6411edb814e929a0f70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
bf2f0c38531073ae17a5b63e0a834c6a

SHA1
bf66596c85642bf9f4229f0ff9942a694413091d

SHA256
10a2cb34ad06450255708dca53a4f0002d07465db0c065477d3f5ea36bd1fbec

SHA512
d83c43e99cd246e02a006d4d83e991fd7014e48f00efbfab11bd17eeb43118bf0626dbdfe593fe53708b31af9ea3c4fe75db947d3245976fdc58d10e3862936a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
9fd2d323cddd744bbcc00c830f107c00

SHA1
639e1c5851a434f4c3bdeaa5b2966d342623d39e

SHA256
4dd813bb2b7ccb1c2e31466b526c3b1b3c80a581b87e04be82ea279af786b347

SHA512
c338233276cc00dd36f714f6f8796e5c12d4d36ef8dba4bd7eb656d170e4331d14831b3c9c75567b6ed12e20cf4caa8c9f1bc5e45ea5c155298ee9dcbad6cbb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
a1704ca9d3d99e87ec40639018494bfd

SHA1
5cbbcfa729d80684152660e10bae51d9278398c3

SHA256
809a0b3cba04b7bf186d4e7c76e6a29ebdbc1e609c6703d0b0ecb5d1fdc86e06

SHA512
e39be0e3a1decc00eea2ef6f162ffa2034784fb1e996fb953fd6d7fc86241d7fa6a0383ea12acf8fd27701c65b1545c2e0eae8304f37d7011350f0fb26e478a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
c56c0a3d2f12c32422edbe86a2019741

SHA1
3a7fd9d7ab053a9d89ea127408fe6ef00490f499

SHA256
69e17e9eda6f3d566a4720bbd78408efb4836d23128e99888ad0e84134039b2f

SHA512
e4c7b4766223747478f00c612b5ee237bd200e64e086b2faacaffc363fba5700bfae97f64b1ff56540575b347cb176509839d9c81027a6cf9f25001775e0fb05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
14c6dba019a9c5fa4239879de8ea09cd

SHA1
4eba02b65472ad81b93c395961d077aead448ca5

SHA256
b7d0e3079266e1095e6512273f9b580372bdb4f9c097446b221434a70b5a1aac

SHA512
380cffc2b8dfbfe5ea7c4d6a6d76229d55d00cd4d9bbcb88a7aa9d1af8f648b5d924817e20f1131afba869da2f9c5bf2f4dccb664ee9f67d1972b13578930583

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
cb0bb018e4eb4b83b6b61b64ab760a63

SHA1
7009adf0a33e2064dd07f7f89ae558ecd2ef0ebe

SHA256
9ae4ae6e8c21d578ecd838833cbf5214a9a7ec8e2cfb9780bca0ad82426f256a

SHA512
40deff52b80cfb14248d73417c2b89a59044e6aec2d85a6652c9991dc311bf026dbe5454f101bc1e51d3d7c4a23e42aa3978cf459ee800f084a30b69fb0e7d0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
21abf65909c9eb2353752a89222fd590

SHA1
df7451b567bac6228d14cbb15becf85c4ecb90d6

SHA256
dddc62f6382d4837040122016ed6573ee0f2776724f2f48b24e2dd3e3681bb0a

SHA512
afdd8cbb85124ca3d805dce0a7e7d4619410ad4ebea75dc7dce4034f3179c1bdff257127ce8a8ae2b4e64e7b3f897f4645608c204328dcb99a7352045a9d12e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
00e358b0b3ffb772e67babb688050aaa

SHA1
a744cccd52be5287ec2b5a7c8866433293ce4a09

SHA256
711321144f0d5becf03935a6f80b3b88a9e587f1e1c7e382056160feaa072187

SHA512
c22d2f67b8ceba9e03f9540f3d7d196c0c578dedf196aeb14fcc39735e9205ff74b9e0f901b208e31637cc9bfe8ec1ad7979a06667263866689773ae8618d8bf

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
679721f2b06501e5d10da99ec5bcb171

SHA1
1b155fda579781afc71cc94b633e0ab0c6466402

SHA256
8fee474a6f25314c284787e355001a13711baf1cfd41aad2db44a918a88bbc39

SHA512
59b2959c1c5cb8fd00084c2fd6325209405494ad71a249984a799c0929e6cde7d194aa347b422306c80795beb671883a4aef13ec3efd3749cbf59f623ba56b32

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
f2380375e17d91482054121e3aca8a3d

SHA1
bdbfa5acdbf03e52b63cf7811af4dad5d01ba2ad

SHA256
45dae94f8fdb10fb210175d59b30a9f5bfd13e4faa26f75944a1e3944e918d7c

SHA512
b53e18debbd18b649e3ee86d9208dbe7811586ebcc5fff7ecfd8f52a142c912ebdea33cd684eef71ba8717b5971418a1e4593e3e2e09a0fcec43295b0c5e3110

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
6676e9fa76257712d23ca8a81952fd94

SHA1
85e87e0216d9acc2ebc109a03fc2795c4250fd30

SHA256
0e6c5052573e28f1579a1c7808c411c54d13d62aa727f9ecd84ebeda079c8592

SHA512
00105041e0e3da208b7974d375adc4aad627c94b9e83c997a46c9e0043273e6ae1f26e62c46bd30c8c8ee5eb8911f9c96873cf37a0321bef6c1124e75dd95533

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
52babd13dc238f1b5cbd544a02f406d8

SHA1
a4a11de7d6fd3a7102971c644ccea82688bdc775

SHA256
0437a1ca2955a3b6ff84b6b65ee22af277f84ade05ff806ae324664b9958fb89

SHA512
00cce02f8df95e1fc73f6784f84f4ef6875f9fda49dc432b84834be35dd5e49a79b3465adac196bc93e1cadc6ef65f21a001f5fd373d4ca335844f83b7dfcd50

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
edc6525848216692a5cdbad99a76aee9

SHA1
3bf435ab5ce6d7502bc8b8ceb7b25cea545a8e0e

SHA256
ccaf442a3bfb43f9bed0aba08f34ecc4ae803b7a356bf6814366adac2ce861a4

SHA512
267fd3b320475df7bc5edfa4027bbc661ce1672e46152c12f4925b726647af91ffc0586ef86e3a5d226bcc13f5fe3adcd05a9a79cca7cf301e550c3803b9e0f5

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
ab51a06595d92f6d4b24735a699a136a

SHA1
e215a138c82c0854a455b90892a7657719721a47

SHA256
b6343752af423c6c87117297438a499d11dfbf18d4564c10d0287b598b02bf2a

SHA512
9af67c62eb59162f30888037c2aa5d97c6c87e85366cb7d79736cc8f2ac9f8e0aafe194f9e7cb70fb5e898a126eaa4f063e1c665ab22240dcbeb89cb2330637c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
818e9a844ddf4f8d70f33774d167e72b

SHA1
fc9ac50cd5044c8018bfd27b019bde3cb2852532

SHA256
86e70810f9ef616cd6567376f1b5ba60b1a5aeec764d7169887aae9dc916cdcc

SHA512
878f62a6b90b4804fb57f2ea8853b5c8795a4f7e4ef063e904fc24f9fcf36480dc5b5e550d78425aa61a1b51b5fd727e8e176a50f3c3c89491eb89bfa164f5df

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
60a971511e512ba3e4be4cbb5f472362

SHA1
57064a34dbc2e6d9df7a04124d6c4aa431daeac9

SHA256
0e57c8d9ddbba3122f6a8f612784c0ad0084157ba4731c8cf4cf5c8464ce54f3

SHA512
8d035fc12271130077a59d5b03579ad0a2d9be91659ec57278972cf50c56b56d773991583e3510da74c816536ef9d7279c85e8a50c1c3c43d854aa8f840e75c5

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f3fd0769382dc74ee9c11db079988332

SHA1
cab96d208e629b3dc4a5cabeba3d10000e36b851

SHA256
095bb3c19c78b420a14ba769ff42f4f381fa8f91224ebaff67e7beaade3c5da2

SHA512
3337a5ef94911cd7975cb79d7bf2eef5c5731a69387ec5eff51b92459bd7ebd2652a4066a0f9b7b639c46e048c147a4ebea7d312710746872a4c171d6c4a49bf

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9108c1585ae65a2ee293ddff03d5eeb9

SHA1
b99ae0db827c6f2a29d7687a00fd5745091d2d90

SHA256
600bf167ec11d58bb9d22d7ad908d3fbddec7e605a446e8d05a88cf730f74f19

SHA512
7dc2327c49bb623f0e0666a78f3799beaa7dec4bcc57d04b0b4af7bc05fce45e684003e896503ce2c9c382cfd7304197e826a880f7c3cfc0af55467f53dc8af7

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f5ffd69e698c30fbfb277a0d61ed1056

SHA1
11944ac27cece506d3939225327b59e1ceeeff2c

SHA256
40056a6fd871a9acdaac156e2f880b5f362d08bfaf18aa4c81f23fb7be610816

SHA512
5c1e04169136a0a3fd5107dc77063c435f1ee37d4718dc832689479d4c8be34d7fa99d5984ad8981018cfbe9ac60e7c9412f08019a189865bd15699cffb256a8

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
8bcac10a5a0817362c4449ae71fed2a2

SHA1
d177494c5a4cdf20962c59653ce3fc3fec00e1c5

SHA256
f81b564ed91e41a96fea0c864f437d613389cdec65d925741b0739dcf7bebaab

SHA512
7264917c72eaeb2e4be545951c65ccf55108dcb74345bad14e647ff507e2c9672b3cdc15f75fb3c50d1dc5e166a50e3059609c5210c33eccb4ece2a5559558d1

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
b4b7313f153db3bbd1f7f341573629e1

SHA1
c9cf832315b0edef7d609e8e133ad0935e5f7ab5

SHA256
a9b840669dec4935e9b5a5fa420d073682fe34edc1cd1f746cd15af13b5addf1

SHA512
90705aa5812ef9e3975eb694ae0f63857618b76838be9b17027c6415edbdc1b5e9b56e91504cacfb3c15a325b253fcd3b22a9712261a7f91ce275e19892f30b6

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
177f151f054602dda42205fa5f1e10c5

SHA1
af27448a7cf0b02f41e3a6fc7a791b0544f4404f

SHA256
cfce80ca06a55e3ecd6db7e13a3a364e2e82dd05d9d5c7263c49f1ea95ff6ef8

SHA512
63c6e0a9f9bcc69dbe8a03527dd3f1beed3a91efc38b75a91e5febb3a7bc2cd3dbd69a3f88056e2908a9087b02d2c90a429fd80c11f48217cdb8808d19a1dc94

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
c429d57273a566cc574411a05402e062

SHA1
880c615bdd427d5670a2869190e623fd892d1b44

SHA256
4d8402888acd641a1545556ce5770034a8c50140ea3c1f90728f28696bc13c7b

SHA512
ce42b410f789e62df79a786a2c07cfb8cfeee0cebde209cfe03945811a1c020f70ac23394bafd77297c4636e3b1039a201b4d85ef8d8a59fadf4a63e9f962d08

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
729498b8dc744047aadca83b4e5d1937

SHA1
91f5ab6ec955b9a9b617321b87ceaa50c33658b2

SHA256
737a4665dce21d35711b429575a5983c8dafa5f7690a07e1121e8837d77ed742

SHA512
af34f5cc02b5b7f52eb77e982d404d891267f090f55d0733ff3704bcb5efa05502fb8926a3b6f25e24a147b8e6c33780db1cce4d338f3240aefcc62d29da15d9

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
62b137dc585ba8e05774dd3ddea0adae

SHA1
438e6dfb07f95c062cebb4ed658a62116cee0799

SHA256
905280f1caff8d8ac4f8dee7184b11f04837f3ad4bcfa1c09153a82349d78bc4

SHA512
1e5f5eafa4ca3cd2880a6339cac245464d3ba4f8439dd060a587846318d56393670e76f94fab5f27fcbb3f13156b40dd2ec19dea0840f87a51f925714574ce3a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
60b875bc7d01d00dd68c659a60f7c68b

SHA1
aa636c389a955c82d80c924579a1c91c28889c98

SHA256
f3289167f8da77296dd77ef56db033c64283193b6ee30e6266600a40ad0d9a3e

SHA512
ab51d05d231a7853d5f3ed5fec1a6f01ed5e158566e18f5a807f8e97f76b83759382745b5311ab80f9378e30842f92e6c17df6e0d011d12f6cd0979ec600facc

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5714f887297e213cc104ca8ceae0fce6

SHA1
5300fc586a74be35c16c4aa8ad24ed40dd71184d

SHA256
34846cff1a405f20ff72236c7763a2ca1d7de1a9b017ef098c2281123621fbc9

SHA512
2d563b0257d3e5e673e085861a86e29646b294c85de057a7e0d2dab6570d63714dcdb18433d9b4a41a61e9e663872929cca31bd37fd422dfbb6df6737fe59722

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a260e51afbbcfa50038bd83d21a7d685

SHA1
1bc2ec2396139946724ad125750acfefba64557d

SHA256
e0a9f019dd0fa12bcdde23b3872c2896c6d622cf303c4dab06cc0d9c054ac94d

SHA512
3f593e4856cc3e796093b1de350e0dcda153adb85cfcb8fd1c5d2d0e654aeb37c77b944b43e0161828fafd8130767c5eabd2d9a463eb6715c21849152685b36a

Download Submit
memory/64-72-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/64-68-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/64-62-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/64-236-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/364-609-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/364-442-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/364-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/668-385-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/668-266-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/976-421-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/976-302-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1204-638-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1204-356-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1488-286-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1488-397-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1540-49-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1540-71-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1540-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1540-55-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1596-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1596-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1596-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1596-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1648-368-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1648-639-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1848-241-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1848-246-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1848-248-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1848-359-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2480-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2480-28-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2480-34-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2480-46-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3124-333-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3124-551-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3596-386-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3596-642-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3628-231-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3628-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3628-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3628-20-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4044-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4044-637-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4076-422-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4076-645-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4460-643-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4460-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4548-371-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4548-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4556-418-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4556-644-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4612-409-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4612-292-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4764-6-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/4764-1-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/4764-25-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/4764-0-0x0000000000400000-0x0000000000645000-memory.dmp

Filesize
2.3MB

Download
memory/5012-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5012-252-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/5012-264-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-443-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5092-647-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download