1d49f96a72daed71a99d0afeb8cd6cbfa16d9d0e78bef632a0bca08991f794b6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 04:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe
Size

1017KB
MD5

9c4e36290c30fb9937f146fd85d2e852
SHA1

9402654c9fae68f38048570e6880ede261968544
SHA256

1d49f96a72daed71a99d0afeb8cd6cbfa16d9d0e78bef632a0bca08991f794b6
SHA512

2689ec0d298b58fa36d5ec36f4ed64c7eeadba7f2afc6a7e7e174efc29b358123e1c00e76c01ebdf9ee783ce0bf6351120d09f05d35f537bc4cd74f1ba055ce1
SSDEEP

24576:o2lmh4RW/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:o2Mh4RWLNiXicJFFRGNzj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4572	alg.exe
932	DiagnosticsHub.StandardCollector.Service.exe
3988	elevation_service.exe
1332	elevation_service.exe
3268	maintenanceservice.exe
3436	OSE.EXE
3116	fxssvc.exe
1920	msdtc.exe
4268	PerceptionSimulationService.exe
4848	perfhost.exe
764	locator.exe
4048	SensorDataService.exe
4272	snmptrap.exe
5084	spectrum.exe
4700	ssh-agent.exe
660	TieringEngineService.exe
1544	AgentService.exe
2392	vds.exe
3272	vssvc.exe
3268	wbengine.exe
4172	WmiApSrv.exe
3576	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24eb37b0bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000590a8f38fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000face46f38fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc97eef28fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f982faf28fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067f54df38fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7942cf38fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a35b12f38fb8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd463df38fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf312af38fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
932	DiagnosticsHub.StandardCollector.Service.exe
932	DiagnosticsHub.StandardCollector.Service.exe
932	DiagnosticsHub.StandardCollector.Service.exe
932	DiagnosticsHub.StandardCollector.Service.exe
932	DiagnosticsHub.StandardCollector.Service.exe
932	DiagnosticsHub.StandardCollector.Service.exe
3988	elevation_service.exe
3988	elevation_service.exe
3988	elevation_service.exe
3988	elevation_service.exe
3988	elevation_service.exe
3988	elevation_service.exe
3988	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2640	2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe
Token: SeDebugPrivilege	932	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3988	elevation_service.exe
Token: SeAuditPrivilege	3116	fxssvc.exe
Token: SeRestorePrivilege	660	TieringEngineService.exe
Token: SeManageVolumePrivilege	660	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1544	AgentService.exe
Token: SeBackupPrivilege	3272	vssvc.exe
Token: SeRestorePrivilege	3272	vssvc.exe
Token: SeAuditPrivilege	3272	vssvc.exe
Token: SeBackupPrivilege	3268	wbengine.exe
Token: SeRestorePrivilege	3268	wbengine.exe
Token: SeSecurityPrivilege	3268	wbengine.exe
Token: 33	3576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeDebugPrivilege	3988	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2640	2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe
2640	2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe
2640	2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 2880	3576	SearchIndexer.exe	118
PID 3576 wrote to memory of 2880	3576	SearchIndexer.exe	118
PID 3576 wrote to memory of 2132	3576	SearchIndexer.exe	119
PID 3576 wrote to memory of 2132	3576	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9c4e36290c30fb9937f146fd85d2e852_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1332

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3268

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:644

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1920

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5084

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3968

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cfd50442d79e68d65b65d8efe56c2d8e

SHA1
440dbe85760a995bd99d2e0d20088ad2faf3547b

SHA256
9d3c6b7d8e10d41037d66a0297db96ca1c3d6d37b5f90d839261f37f1e0f2ecf

SHA512
cb6736776111ec84dd4e229ddb82b4f6dc529a2605e1e57d4a7cc564f3af452fb52f952758752b776393b8d2282107fb347eb210bd489b36b3329ffacfca5a66

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bd064aa84f8aafc0090b48e2a6a81213

SHA1
26bc7be8c4a65489848efbb6307d955f70b832e8

SHA256
b753b519099ab9d124cb29967684afaf751bff0ded84d3076af7d2a884599ea3

SHA512
637dafa1b13e859e02a6dfcfb3fb16036580d403e811b29e74ec9f53f7422a3a1c4380d588b66a713731c06218e94da80761664f2bba7ddb4ab4628283906c95

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7a9b7fba72cbf382c8685fd7eb0640c6

SHA1
a7fbb53e21b9dcf547b450daba768f5e31309e25

SHA256
d6924f13b98dc1bc3844e4a421f65a2af9bf9535d0e70f2a299f708a9a5d93f3

SHA512
d3287432dc6b7616e98452bf1ccfa8624472161e06902bdc7294cbe0c8bddc7b0008a20abb12af64078345b4c408f8575a2b695dbd1f8dba79c9cacddd3a8eea

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c3a2e83d7e15c8a3734fc69e66c7a789

SHA1
908602317b7d9c240beaf0b065df33d0bc52b0cf

SHA256
54fb243695646188f4cef64e8fe0fa5cac4dfdc199e265c42bc840ed45129cab

SHA512
079a02abec9b1fb036a732614cabf86910e3c01f98619062aa8b12a203b4ef857fbe23453790361798a85e6ddc4f453de96f7e8641cfc2abdeb58ddea20e3051

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2bc6e2f4b4cc45f0b81487e80747103c

SHA1
bdc4cc5fea880997e970d4c4feef3657d3989c4f

SHA256
0798a423af60c33f8e2f062baf0a5486c14e9ba25766c7c85110dc0f11e38e9e

SHA512
ab8b075d8baa2c89f292e463380cfd7c3a8aa019bb1706f7a3db9bd2c466ce5506f0623813f0fe64283c0c8b3a8692daea310ee6d10c2e3d1e096e438a301697

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
40e3440bce9725bda1025c20b4a005a6

SHA1
88004b6d83d8042870274f9ecc25191dd6a7f6c7

SHA256
fb1ce2911ef0e9a226ef241711458094224427dc6401f115fb4be52d640c0a86

SHA512
712d930ab5867acb0cfe8bdff9a74a3c016de170aad43b5e929101895d2fefdac24c6d95a0f8eb17e8ce977c692c4150d259ec5b6236b3948615ea1aefea8e18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b5817621e2b2774c63f3a502bcae0641

SHA1
b689df04ad973585e29cbf5d6ada79a35cbfcce8

SHA256
55fc693c52aa90538680a907ac7d57a2dad50f900e0e414222b37243d0b4d534

SHA512
8fbc4bd97b9b85b37a28028886f1e2e7d41cccb04ae9396a9728b0ed93ef6ea607481264dc7d7d65747eecfd10d15d7793dbe366365d276c72df5510a0576b08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
05e6b5f63071938cb4c101c28009056b

SHA1
c77deee1a0b139f338f11bdbdd5471ae0da4e94a

SHA256
f540e88e78ff6552f0eaecb437d3caba060b476f8065aca17237195a6cc64625

SHA512
cd55604476732893dc50332bca7d74bc07ec414cf8f90c40dd43a7a2efe8d10414bdc108d1e7ed59049d521b8f3dd1beba516bb966e87af2e88d7a643a747b3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c11d771ec6d46994fef31d1af087d18c

SHA1
8bbbc988d02cde3d3563f244013bdbc8b712ef34

SHA256
3e3f22d9f36eba69ef4449624f2e21b349b82d5c94bdeffea9e36bf12cefcc15

SHA512
1042052a3088997e3f92e4b1f0d1451591dbbd07431bd43ab0b18360d33520f6277d9af12e2a059a84c07b3d0e03c43e019ae8a99138bbffbc6ff036e3b3665c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a1d7e85f1a21c40e17535d1c049a01c7

SHA1
a540a461f815e58e41d95d2614175854fed21fc4

SHA256
e3ab132fd3ebc81f02a5a166c034efbe3667bee00aac5113fee4c6ccd9ed429f

SHA512
4895c5cc0b7f712b5e432e5bfc627eeab8c10d1097a0acbaa2e36e6c7f2af0855b7ab0c53527832910882571bc38e7049cfd8f4d6ab2d950ad6e54a082f8b995

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a642f7cc59ee55c66fb322ca18dafa08

SHA1
57638ab5d2a27eedf661acc033e6e3bfdc5b4a7f

SHA256
9b5b10d52d0499c4b5ee854fdd7a171c7baae8bf3357683cb8b5bcb6239dfa94

SHA512
005d2c3840b2040fff6a938e4cdc99b89a52c7afdddd109bfc7fda29ae262317c763a08223396315d94f093c42d518184a93efc91d3a0aa9c4279900f668d4fb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3e85b35e851ff866cd158270182b6c26

SHA1
009c573a24eb280a8ad7de07fb7d24b2b7933404

SHA256
95037c06c2326ef6d7534866543e3c4c77512aed1f5296fddea6e13f5846e49a

SHA512
bb94f4fc2c2e0fe2d2e87009208373e635744d09a6d77ecf1c3c860680f57dcf48bdc2f502d0d3cf0c94e0f9d62d7edf075a1e20e2e54a07c561964bba8841fe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
294d80e0f75ee056c4a02250e9ef684c

SHA1
3376e4c946195391674f4da8cacd205c28603bb9

SHA256
517855c5044bfb50fe83f728d017698e3d4eb9ae9df4da75334c9285c64de213

SHA512
844a488f49aada4b00a52ec75dfa7694b1945a15af932b041ee51d8b4eb16fc8912811703eb7dee5ef6cdf5a271f559fec7c0253d412fe115a067ed88b0740d4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
93cbe00c4cb93976805f133437bef6eb

SHA1
b6e64307298cc7bfa76474e1650fb249cf6e7203

SHA256
ff0353b7f1be657d2101f6e41cc02d886c63b62684344810382fb8b609afb027

SHA512
04b3405690081b8908d14a282b1a7fe5788d2f9f4c876b6a76f9abc4a142a76bc9364cdcf2c383b40a766fb1d50f73fc4ca1a5bcfb3835e4926fa73bc19aa6dc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
3.6MB

MD5
31a1c25105ff92691a81bb18d890108b

SHA1
f8c7e05ab1ce044bf21cfd6af4d21640a72af2c6

SHA256
0df1a43a9b7438416f955331c611199c1aaba42c3250f948f6eda7ab25ece32a

SHA512
9888fdde3cb436132e1d6049e2ae59635d4025157cde4f9e5c7375bee808d9c083f7008e01875634d67e89c19edd5b4fa486683ca8764f20004721b536602179

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8e690016ea5737c8c44e951f60464a29

SHA1
0ee7a67bc59723ceed489578731effe13d740402

SHA256
358fc05c4f2385523a37aae9068b1df7518d84fc0ad5d5306f94b5de00a64c72

SHA512
9062ad37a77447a917ffb0a6c7efac2563041ddc9dfc4b4e4a5c427d3b063f4624a148be0789e872a4ab179b96657bd18d16b7b1c63df901688ae5c8cc239294

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1cee6e3da9bde4ccd4fdd96687699741

SHA1
2aa9f7617370d0a29f71087615a2bc98e40fef86

SHA256
54cca1fe909ae3b1b0e86f4740f661c7d528eb2bf26a7e8b7118e6d30f10ceac

SHA512
a581ca2e6812238c8b6f125559fb8ac843df38dc733e065c10206e7eefc5df765a997ae780fabe88d836785bd71b0355f8e0c96746dc855ae2efa7fcc64ce4f0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b2f4747b355e1fd147889454e224df17

SHA1
ea505338cc3bd9ebac1d2c8693b8c16ba0358e48

SHA256
b26fdc7b7a40757a12932aa466a13fe96d871a051d89c0285fa215cc8e597862

SHA512
68c4022bf1d9f451e897c47e1274b94a38ae81106471f3934a48fb8ddb50a934ef214507596e46c2d2742377575bac0fffcc95669f3e61fbed510621bee43a92

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
49b4778439d90ca67fcf6dd2dfd2453f

SHA1
64199830633ef35079a2147747289efface03ca9

SHA256
1f5f92aede764ca3aea2a1ee8f6c19724e7c0909d3d0460a5d023e075dca03b6

SHA512
2be5a99de3e4619bb19b5e826417976489cb0d1a71a0d46aeebcfcf16b588aee2abe5a24f7a5b6424a66e82ad6249540a01dc837e8acc37120c492e0618c3b1a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
44055fb17f0bbf999eaa593889852a80

SHA1
083a3475ec273bbc1f575289a3713dde7d42a799

SHA256
57213fbd25e1e4164bd644e86747bf75e904f4931ffcf14763da6595a8741564

SHA512
9f0e4dab47ad59180ee0d6138186e1dbfe55a668cb87368b717798f66b07f384ea95a1f2c343574afa99a94b4474acb0844d0925a5b32bfb3516a14a5189d717

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b57e9139d7c6fc81843f585324d33c00

SHA1
9265a59dc4c0bd7044e6fa324286354cb9988b94

SHA256
a6a7a241b87216777157fda9751096f7e5e396288b6426d0bf55a29df73cb61b

SHA512
3484d0162784953875b03f7f8b2cf59f7b5f6e2d1aec81d9df1d87e638db71aa5f8b5ba9fd95f9af9eeb958479eded4464f392b143f6a6c3e784a41d69e1e639

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
71c2eeb2665a7390419952f958bccd48

SHA1
d5044020c99bb03a5613fd69d1e4203596c27a97

SHA256
d86ecb0b815f5f07f59856fc95aa5c1a5b943c69575880630efc17ac9f622e8e

SHA512
99530a36ff2169db60413baa351203d51d0678afb7b3f175c61168cacb5d369e754b31e009fe70b240fc0b6b454d8873ab7aaf4f8a9ee81dd4a4bdf8ad1621df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1137b67f798c47d6bc2ef7e29ead03ad

SHA1
2103c44ce489512f0c63ab37e97131e6ab029121

SHA256
76e88154efac58e71098c9d5dcf41806f70145facf92fb545e716d177a9f55fc

SHA512
1201295f1ab6c80d99c0648b08882fde492afb9025e3d8f1103ee50c7e95b967cc5ec4fa5559a56c56f9aea065255d6d854433a0abe9e09ae3d38b732816a1db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
861cf568665f1b642efc41373620f1ec

SHA1
728a45ae29de8d3d1f6d1d6626a91f46b6ea2d5b

SHA256
26364ef56d6f32eb788c6d4548af8db578da68edb7dab98d3b94dd4870e3b924

SHA512
006f3c2c068fb9464f3aa01e3b5efcb64cc5b92d3bd903cb548f1575b45d832f100f60bb9a658881106d84ee2901fc930d29d328834a0d663c415d260dde45aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e4eab9e4ca8a5295ea87dd424fd87505

SHA1
a7374802f7f25e5c3856b7cb08d18f19333a6f3e

SHA256
f8c3b6b642da895333d933a5db72838ca76834f346ed7d66f25591747a586ce6

SHA512
46239a931f8885cf660388fdb4dcf70213b0bf346765b064564f498ac731873c37e16fc76293769eb490c0794a1ba4d8f40eb32ab376429b052e7da3956b983f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
666df32fd8252e453495aa2be82ce18d

SHA1
1bcdde2054a379edd02ebe9a5663b2f7c943af1e

SHA256
9846afc8861dd8dbab3ad43aa739bce40eb37c9afc21e774a7e380b0d2356376

SHA512
a8d01466f956c316d2d6e714a004886472b929c8373c0ff0a81f4df9f7079143e2d1117c139dcd278045a905cdc247a154a8b932115db35497b92e29fec79938

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
17b2ac988ba6f7bfe0af623d41409993

SHA1
da25245d3c28c3c1953b1087268ab1b6a4256204

SHA256
37631301731a451f190bdb82f8682243b0ecd59c4ad2e8a95156378ef361b911

SHA512
4d35ec7fd601bed90b83deaf35a6c7e759c26d82e9016c77b67edd5d2d2b9d56f01636722df2bdb03d80e3e6fa29e256fe87c20e22fd41e4c41da8ee190c8b7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
805fd5c72faa58e7299a258f913f67d1

SHA1
cc05d15ea40cf719f1fb45d65e6f621b9a326758

SHA256
fb246f1f1621c7950f4b5a70be2dd4f0e4fde49f834d5c02003252400c0ed05f

SHA512
207cc7176afb60ec7d35c2823b847731506b84185c1c2df106106cb9adc7eb569d96decbb10aa4a43a16ea8159e9be414a36ffc6070afe7eeba2c26e47ab3d0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f9b7dceebe553eb5e06fdc04222088a4

SHA1
b8dfe105db72ae21cf04bf72138cbad0d8095b20

SHA256
0b53e4809d0719fbdb1847523d3b3fb3658abd2a34ebfba1c549cf21f4039c88

SHA512
d8a5bce21522351617597f5c078756a22009049bc456877423a28c8d6ecf6403a0d8f487274d8ba42e09e703430bfa42c63c1cf80e482ee37b74023027259c77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4b70df7752d8e822a71d7150b506c173

SHA1
7b26a8b96999cd98cb4bb4129e13f024ae4f665f

SHA256
174e8efb8fe9225865a93a166165190bd4b751c8944e112a23013fe54392c14a

SHA512
49f7bfb6aeafab7b36691cfbe2c81c6c63bf072854799f32d40b44c06a60ab08f27295ae37b015f6e3fa953ca04402c8351f17d2b947cdbc41eb19053b40f781

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7e6bad5ddaa151d7ff68c15843ff0b27

SHA1
182e40d5d5ad1a7903b294a467fd0bcd773b5756

SHA256
40e481eefafc2abe8927dd0ecd65412ffd930001b49b4d65dabc32d866395cbd

SHA512
ec4e77bf971e075c488ccb07e122901bd932eb75c6ccdc15adab0c661fc0535c8befa13f998b52b5dee4676202a73f2ce564ac0bdcca792236c3b4f1d03ba275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d67c914964c8ab56300d94a4bd62cd8b

SHA1
157db4bb7d354b824f1b345c671d1715b1e3bf0a

SHA256
89e66d5469bd93b586d14994bd098244187ec339a2df93c7cb3b4d6bb4a3bc58

SHA512
d51d620073126f498ef6ff25c06f9ea50a6c51e1f06945b50f12463f00df7db43b2f9e3e37a7f49d6337815fc37393089135b0d0b2689318348a46918523cb82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
58679ac504544e275713ac28d364ac3f

SHA1
03760771829bbf311dfe545008d7bb6c18c55ebd

SHA256
5965b7ca98683c283724755da140d8393953480d7353ef876d1777088423806d

SHA512
8dee5285e0211f56325d11d96ffd39caddfecc84ec92fc803167af75e328b73d91bc8324df8079256cd578d7238f9128853889634e1800e0ab5daee832a5b689

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0e0e6ed10f5db45e214c922ef643d5f1

SHA1
60a0d5e2d6eeab53eb0681f4c0a2e94ee882fbe0

SHA256
2e9c7bf5f86c78864431ac22e4b022035e183e21d1733a53b41bc8784caeb826

SHA512
716f3d18ce2cbad4ec0e4fdc6f5b518d2e4f43ad5c273e908566e31871674d2a829b9efd8fa9b892a11a9aed7a54b41d5f782204febab6029e1a00f50d64b3c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cc4f2dc2e2c5ece3dd8ec5882dc9f975

SHA1
5f93ba4a850a90d1edff0a3c9b42394e70b1976e

SHA256
e2884dd0922102e3ccfc550cf68a09e33b1f9d8bb9c88761942382c5b5835f15

SHA512
950cebe247d9a66f28dd8283c60270af094ada1892c9ca2a8f994ab6a0e4d9d33f17df0a452dc0a3a51f7fd9ffa5807ee03fb05645387f939eb4e92c5d1bc93b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
989eda47eda1513ed366a384b1db6386

SHA1
0c02bc3bd993ebb0015538c1215d1797221de511

SHA256
5f21ecac049e5336ed31b04620f1441201d6decddabb62df76fe21b95b9a7ad6

SHA512
6f9f570e82ab01c3af8be47f2c887ca57285389466fb692e041d09956c0cc918d8ca24d2ff19d48b73c47b748b7ec3a7feabb6cb4b75e14c1c386b63e9e583ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
7205ec1a90a87e89ad577e9407be32d3

SHA1
06bca345faeec955aaedb82e4ab441986b50d269

SHA256
78a5b305ff3e32254c3f421da789c529e23d80cbf8b2aa124f8c1451237d9c91

SHA512
84a3c28a664578a7e25040dce4ef4da4903182ebae265c6bbc42a495e26bf01aa13f3c5c2513dc789ee2632d4d0d69dc3688555c1f6a7b16b061ea972de05ea4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
4d36623c30ab9ba96d5811ac3f4b43bc

SHA1
f7ff32070406fc5c91123fd0eda10f2770900f4a

SHA256
82038758273c6f883406dc0e1619067cbdc38b9077a57f704f5af7a5d70e45a3

SHA512
6cbf315c939de660bb1e9aad16f1de4232ca56889750c931f15637ec3265e870c85524cd838878810de2eade8395398c5b6bcb4d764f75484bab86e3f23a6b7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
2ef7d30f3f257086127c0a6bd861040f

SHA1
0dd4fac703d58310cadf46b5a63b15e82cbc220f

SHA256
208041e038a1f24b089fcb4c1e5513d068a636dcd89dd09020e32c9ccc9ead25

SHA512
572b1f5779fb6f4daf90b472c07b5c82d8635c4352e64919cca1d2809a4da8b1149d027b1fe2289d16507108916ff70f4f4e2e2dbfe1f4e59035aed0b4cc8823

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
e20d4003fd0df14e9ff4d409789dbef2

SHA1
42669f8a01752d6a288826a6a68af5573e3dcbf0

SHA256
ea5e35e03804e2a4e2ffb22f8d4b2c36d255def4393eaea9bf7f74e915fbfb21

SHA512
c980a2627997e5e8cf5497d706ec32afddc0382f7c8252f60c38bd53f8636feaa367f782901b4ac431ed7b522e099949f6f5b226522f6c271643bd3da2538cfa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7eb1acd20ed8023799c81b0d5e8bd1fa

SHA1
dc6d9e261bbc6c89c22e349df1e77ab1fd0e3f07

SHA256
99e83cc831bfd69fbd86e1c5b8f7e8f653bbc24db0268e3bac9d3b19eb9956bd

SHA512
c32bf892c4bd5de289e5ef578c641eb839d1aa1ecde19b242777a88aa2e4339be890d1fbcfd9a128ca8545972a8f88edafc16ff1a3a5441587174899f6b85967

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
93faf9f8292c9dbe363017bea73caac3

SHA1
39c44a20cb73d4f9555c55ee6b34760a7c740b19

SHA256
9089e65714ccf62880221ed767838dfd784ad23ef35cf78a8baa6ef4d24678e5

SHA512
e3883d24acd58e892da49ffc02d6608a9ab59686a9b9092fb0ff002f6e7ffb64105fcc465dc7937965dcf3956598fcdb21feb23616bf046f2f93099d3367eb08

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d2508732afd81c885601854faec0edb1

SHA1
32d45324a2e1846910ceb7afc243765ecd889c6e

SHA256
e44565e6cee1419f0a63b022769e9eee39b30840b3c0ae2aadf4a34410157c92

SHA512
2e7f0e31ca2ecfc119cd35ac80c6e27bf81599512c53f1ccf5db587d302127a5b5062fb29ce16fedef83a770ad0c2672fbb650a68b61b74ce28293c9a8cadf7b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
34fa8bafd1715951779364d6f0151f80

SHA1
328a972600335c7fef2183eb3ad9b99188a9be3e

SHA256
0e47a1d6ee0b161b85ce88d538c75269a9571d736a373f72222b352d46e81f7a

SHA512
8869cb685bbc7ee4f5d49dd8560c1291b4943d836e766e764477b2d4f9241b8546f01e580f7caae9067812ef013312c0ca7b0e5f8eaac4b94cda4abe3ff04422

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4460542d2a34b69599f7180a8c9d6ba2

SHA1
96ff257fab70b96afad77403c2632fbe25207b07

SHA256
1d0abaf0adfc1e865651151b425467e8108913ca6172db0ec57eba6f8b4fb1dd

SHA512
e3f50154d4a6450796ec04b3836d389b21b77b5a81f7dc11d5fae35552d77039e1e71dd448882bd30691d01045c203520bf6aedb3b535615d1f33eab5362196c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8646f5603396ee24ef40d42f8e2c3964

SHA1
bcefb89bf5303f768bf3080aea9da990d6cd6bae

SHA256
bc9d8e76602a96fd96460851376a9555d5ec0efb56ee2f36af574f69ac970ce9

SHA512
1604d869b9c3564887bb840e964356578c9a02788f2afd8fbfe4353ccade4e0ac989d3918a8fc26aaf60226193b90efe88731791dbc64200d6d57ec3f3d18851

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d3d22d4abc7bc083afbdcb14132a6096

SHA1
078aec82a2e0ea707d89f770b9e2e9313eed653a

SHA256
e758cc9e532dd90ad405ba594549106179a6407d18eecd1066fc06fceaae8e85

SHA512
eddfc4c9051284e8b5f53d1cb83c66b4f832b74f6cc6aa0748e5715292ce83ae029049d9ccfa5de291432d2909aa31a9dafbbc968b9d22b0ae10fe834484a74b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1d81c74a0a584047ff26ff7b56debedd

SHA1
5a66a74eea1bd91b5f25ff1681e2e21d3820a9c9

SHA256
330f4df6466cb34518c2da6d29e045928bbc5026d5277b824bd86a4eb2eaa5d9

SHA512
65c302123aea2b5a63240837022afe81c5f0ffec2bfedb7812ad48d7aa5301fa892fc99c1dbc63998594a7a0f16134fa73be5f4adfc4bfc1c2a7e89c9407e7a3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a3acf00b6d012b4310a323a262c9271e

SHA1
1ef62d5bd2ebb2b41a96b6b1515afc8a01352b63

SHA256
d210ded19ff9e5ad5cb8dd5e367a0763315e6f83050143b467ccf05155b7dcf9

SHA512
3cc6bc4daa7118749463f003fe4e64bf6e5b4821f5772c95594bd5e3c5523b235930cc9c43d0d8407124d0909036db0e228da2a60cbc76ab3dc67265050d1675

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
055164fb56410d9b07b06087590ef2fe

SHA1
b759bc0317d2f8893e3c0ec5c1277fd91d831c2e

SHA256
cedcd1f2993dfbe02f72e1298ce0d99b57432578a1ed88b5e1ea6778720afe27

SHA512
515f01dd166b275d2bd75203e60a1b58362b1ea344e5e381636dd80d50b57f73e4d07b41c58311b9b527757842bae7c25c5a97e4b11a881ef5e0be5f7111e331

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
567b72a013b3727471b73e3a87a46699

SHA1
5b17f9e8131c6562e0527b20b5d192f48fed4539

SHA256
cdadb74f189e4627683e385d06d0dca21f5e344889904c58b3dab7e5ee60e9e8

SHA512
b944796ca6680a4cf163300a20e1b70fa5d64df39503ebf786f9430fe913394020a92f9d63d9076cdd70aa96f968cb246994e5528ff5b80e98fd1c8c08b949bd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8a29f1d2157a13b1abf8a780a9e9a149

SHA1
1252950592d7e86dd58511a042bc78a957997aef

SHA256
0c04e95a61972d39f0f297859f86763c1f14b9df531044235fcffafe93de8885

SHA512
532abffdb61911cee9bf99eda0f0fd93eb5fc72ed306bca4b2bdda36935e49472c31c898d8fb1c22b4b335aa5c14f5e3cce188f324bd5c0623205bcd0a482930

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4d9a35364cb06421ad25c011997ea1ff

SHA1
59e3bb133b91013b3f43dc502b948cd27a824a51

SHA256
a596bfeba9e154540d965091a5e95083d059a1a3d4ed9797375870f594dd6bae

SHA512
82f9788c78f20f67eb7e34c0a3722b889303b38bb8e27dc6a398cbafd8e659a2b412ee8908b8c2d6220f9dc76ae02f427e1c42b5ef393a29bd71e1958d737497

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8b1d3df0d6aed954f2d7951a846bc4cb

SHA1
23aefc9768f164e5f0a65d02970a026466b24425

SHA256
265ce324bff6e653c489761cfef61f0de429416e00d4e247933a2de28f502bcf

SHA512
93eb78c2ad262afd157e5f36aeec4fd3dae3217ab077fa07e004f8b991d1a16783cb53d662e412549e06ea869b68a6a433dbb59986e842c401cb135c5d19c164

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
701757d1c638a385ebb81d359e9d2c46

SHA1
6f5c2e13e790f85e7bdf30ef9e313a9f09cfdab8

SHA256
3141c57e10313bb6027a316bec0647d0e4f72f427410827075fabee04d434e6a

SHA512
e7fdcc89d64de893523600c44425e9b854b5a8512021a208dcf47d815a20e363f156bc77855a13cb06b99f049d8f1fa526b50cc7f71a49cefc6addfc463a79c9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1846382b27c285fd06ce9a39ce01e0ea

SHA1
d8aaf59f8d243f32b0da041b5246f99ba4ac6876

SHA256
3b7a948eac751f37d03a92cb95fdd9a1390bd44f1f987736a754bd1194873183

SHA512
bd672065a37561084614e053cf653e1cb9707b609db337916fb4dd168c307927e3b0b92ce82525fb8e3cd93e68a0cc614226c539bc41de17235a1c35200a030f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d50995c004f4285a423337405a6e2ff5

SHA1
c5921da5ff25fc8008b8d3840dfc40edfa7b80fc

SHA256
5a42b7abb3c2edfceeb5062bda402fe40d810aebdc4d02dcd2f66cf16e0c01a4

SHA512
68b58e51c8036498eba2c693ebf7bb78c4de1d860e2096fadf339211d23712c8101489fe6f9527fff98cf76e5c4cef17f48594e695dcc39e485cc9e3d0d5fdf8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ceb09cd60167d2ce3fc0b506f3467dd0

SHA1
83e338891d3d52f4eca4f0c1726ba5dfa615547b

SHA256
d2629a4e5b831de1c245d37bcffa4ee4f2260865af33ae7a819bad885bd3cbbb

SHA512
b527e51c58cf5ee829eb373de31fb461efab4e43647cf67adec0da2a1163a2bbc48ca9b4fec52754bb45bc6393201db833f537f0b058cab532c37bc87893b199

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fc0510d90e62c25293271fd812d319f0

SHA1
64b0a99690b6ada9176a2c520b137a115fdf6066

SHA256
4f3d86a8638c1aa97405f6a33c8bf4bda0079796b9533bbc5f192817a81bc436

SHA512
e9440b7288182b9cce05b4db39e6f81669f2c530a066bd02e3970030c37a2bab03a4a32e8313bf6051092ac3d4aaac3b0f03dcce7f2f5fbccc952fa950d4e122

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0aa9d0993a1af5310909bef97e5ee8d4

SHA1
ef6b992107b82fea4fc65c27e4df7395b1207dd7

SHA256
b1cb5754366428cc877129543b6b8598fe26a3166356c584ba0aa28cc5123207

SHA512
6cdd80a43c055b348cf3e09b8bc1264d5bc59d55c9316dd542201c6be89a2a9c1caa0fd336117f03a20a62e86ce43b23f75df1e26befaa63f99fc25a4f459e11

Download Submit
memory/660-483-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/660-313-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/764-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/932-24-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/932-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/932-16-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/932-237-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1332-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1332-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1332-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1332-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1544-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1920-319-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1920-252-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2392-320-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2392-486-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2640-31-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2640-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2640-6-0x0000000002210000-0x0000000002276000-memory.dmp

Filesize
408KB

Download
memory/2640-2-0x0000000002210000-0x0000000002276000-memory.dmp

Filesize
408KB

Download
memory/3116-247-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3268-60-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3268-54-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/3268-61-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/3268-66-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/3268-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3268-488-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3268-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3272-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3272-487-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3436-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3436-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3436-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3436-68-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3576-490-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3576-336-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3988-39-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3988-33-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3988-32-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3988-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4048-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4048-335-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-489-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4172-331-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4268-256-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4268-323-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4268-262-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4268-263-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4272-460-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4272-287-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4572-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4572-236-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4700-481-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4700-302-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4848-270-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4848-271-0x0000000000830000-0x0000000000896000-memory.dmp

Filesize
408KB

Download
memory/4848-327-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5084-480-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5084-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download