ab255f62931d033e18a0f6656a139218f03feb6181a1eab68bf0367c5300d214

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
Size

1.7MB
MD5

78613e9b896e8557366b83bf5e4192c1
SHA1

740bb8226ec941f37380b4489dc5492c36c69a4c
SHA256

ab255f62931d033e18a0f6656a139218f03feb6181a1eab68bf0367c5300d214
SHA512

d3c072b17c99ba63cbaaa7239eaffc162cf1f3740d051ecf01d9b49a83a4edc2ccb836699e8cbe4b5cd9f4918fe83ef61462fcd08cf29a42b2d9595e219e5f23
SSDEEP

24576:s2lmh4RI/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:s2Mh4RILNiXicJFFRGNzj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4248	alg.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
2592	elevation_service.exe
3720	elevation_service.exe
1932	maintenanceservice.exe
3052	OSE.EXE
5028	fxssvc.exe
2000	msdtc.exe
1696	PerceptionSimulationService.exe
2372	perfhost.exe
3440	locator.exe
4624	SensorDataService.exe
2420	snmptrap.exe
3608	spectrum.exe
4500	ssh-agent.exe
4472	TieringEngineService.exe
4644	AgentService.exe
3272	vds.exe
4488	vssvc.exe
5000	wbengine.exe
4600	WmiApSrv.exe
432	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e42b6a364a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040eaee3529bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cf3bb3629bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b37fd3529bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c072f83529bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016a4263529bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003271173629bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002711f63529bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abab313629bcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000766e553629bcda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
3556	DiagnosticsHub.StandardCollector.Service.exe
2592	elevation_service.exe
2592	elevation_service.exe
2592	elevation_service.exe
2592	elevation_service.exe
2592	elevation_service.exe
2592	elevation_service.exe
2592	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1248	2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
Token: SeDebugPrivilege	3556	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2592	elevation_service.exe
Token: SeAuditPrivilege	5028	fxssvc.exe
Token: SeRestorePrivilege	4472	TieringEngineService.exe
Token: SeManageVolumePrivilege	4472	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4644	AgentService.exe
Token: SeBackupPrivilege	4488	vssvc.exe
Token: SeRestorePrivilege	4488	vssvc.exe
Token: SeAuditPrivilege	4488	vssvc.exe
Token: SeBackupPrivilege	5000	wbengine.exe
Token: SeRestorePrivilege	5000	wbengine.exe
Token: SeSecurityPrivilege	5000	wbengine.exe
Token: 33	432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	432	SearchIndexer.exe
Token: SeDebugPrivilege	2592	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1248	2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
1248	2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
1248	2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 4044	432	SearchIndexer.exe	114
PID 432 wrote to memory of 4044	432	SearchIndexer.exe	114
PID 432 wrote to memory of 3380	432	SearchIndexer.exe	115
PID 432 wrote to memory of 3380	432	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3720

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1932

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2168

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4624

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1176

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4044
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ce09376cce0f8828f458dcc03272d42a

SHA1
52df98c2f94de6e4a8eb7f323d3b4eb57785d4b0

SHA256
4232aed19360196adeff2bd2e9f595f096cdae5c619516f0e060891ba6972f73

SHA512
cafaab238820a70ee133039dba56b954efc8d7f4737b2d39e2c07721f7ead23a4acaaafaf9416e2560d8e1a70417d1f587311b4a4f6adacb4c0cc5cca6212d2c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
b4bb7f5fab14ca9e6b20c4ed74090b51

SHA1
b24fa6d11da54329e439f59ff0543811f7995ffd

SHA256
c345520f8b4b8a8c37267113eac8c2ab82e6b05c12b61b1f3ff9e42777480dd7

SHA512
32495b1a3fed9f5e534ea1f6ab075f17bc11d8cfd890e2243457e577557c4888a0e1ceea63bd160389ef93f1db12c8c2851d517a05f03aad22f6376d6286fc70

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
8473b6bf77b0c340b4a190d786905d30

SHA1
cf1151362642c4b7d407d6cc3317677a800ae421

SHA256
307a4a8c5e76120c4bcbde5cae21b966422897912ea3388d54d41014d702de84

SHA512
9c26a6ad25bfa5d03cde3dd663624434d9dcd67afabfdbb27ff7d95f7f2c0c4913b2ac2d7c99d8ee8d8168db7d67e751f1cd0fc96e382a3c79007e9b601ea292

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
91cccab7a691391b748ea1b39d4a6fca

SHA1
342f00d07403d916490241e59200eef8a3e9797f

SHA256
2b8666beb9498be4b2c2d020eb84cabad721e2a2eb5f8cd65d939a152f8bd4fc

SHA512
818a9fc5c444ff56fee5377e191f94979600bab171eab9ca60ddbe1665826d4f084aefbe0ad10e0e801185502dfe4152381dcb7de1690232daf809219933a8af

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1124969a3ff4e6c048deb0b544988edb

SHA1
fed3327f01ef2cf855ff0db700235f053b2bdf15

SHA256
c3e5914ebadc3203f7050342099b0cac89f0bc76d9f71b8ee5e77303fab414a1

SHA512
785c26943ed24221b641fa93ebad74c7725359faa9c3afe2147449751c3f1403c8f74541ab38b7ed572613b38be29d463a5a946700f0b0759efb7ff127d0b262

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
95f1102dbddd703e20814c02f524fb89

SHA1
bc8b6acc3f299415ba3c754ec83f3aad94772702

SHA256
2667c16bdb0a054c4897988760f1a1c1f3c60307b36be11c4fe46760137cba4d

SHA512
e29123e3929ff0376bab04fbc3ca135f9148f8afdcbddc3abed47dcf40fe5ecc5042875a73664366519396af6a634718502bb21e3d88ca2957e0496ff1580b30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
738e6c1d93674dfcff394768662f37b0

SHA1
703edca1412943f193602f522a35cac916ca3bfc

SHA256
8f85e9c53d8f8390b9428c06cbb3178347c34d5e85a068ffa8fdacef801d2b27

SHA512
dd3741ddff87848a5d8c7b27f67d026f01a07d80a2f85df08fee06bdb139c77c6136f1d02d4d9cfcc48a717e54f49730b60188e614ebfd877f3d5cee4f94515d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a734f1e254f9c0214ec119ecb6ae0611

SHA1
2bc443c8d823dbb4c169a6552babc33fe5cfd744

SHA256
80d245c5e49e108c7b3a81099f0bf7bc352c5658c3d0905dfaf30cd3b58728ee

SHA512
13887bff945378aa80fd38bc15c02400d593aaa9098ef26452d97b6a199214c059c0b1ae359a61e07bc227d2d936ea92603faccf9e784069082652ea93119543

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
9a860bac1478474af04ee80dcdfb62bf

SHA1
85be3df8bdb3d381c24f36e3b27b1f1561314e92

SHA256
2475976022f60adf0bbdd49e65061af4e3f30a6dcaf4735c8b982ea52c1e50dd

SHA512
be66f4e22f44d6d0763fad73167f45521a9d6474864081c726f8f4b6bdc63f2d608bd5612848a2733f9f385ba0a0ebc8522ddf6bbe3b9ce7cf3c65756f89fead

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b5299713f91e239319c74d5bb6a7afc2

SHA1
d983321e3f04ef3f4b1d8be2bc39ac23c1bdfbd9

SHA256
4da104adada0cb6e5aa4f4fa669b0dc0dd2b4696916ac4a0d69b2532815cfacb

SHA512
b722eec1d1c144a8fb22568b679593dcb02e7af9f7e95ffa33ba8552ba0fc202a5d3f3d44152f1e5fe44051c4399cdf5e3d514e3cb3d3e9f77911e756b9b4748

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dc33bfd4bb4f6e5fb16c77ebcb47f5c7

SHA1
d4cad9db44fdbab95101b290a82013184d53208d

SHA256
7f1ad905f59d9fa0ed105e00386c21e5ca0c6cf3bc0cbf3f74ef7571d6b436f8

SHA512
a9ed7aae861f630240d21377f07a174ec62a816e114b5aa2d2155a5e8d3e749017737ab050430f14335230d3727805470e83545f6e892596cdfec680723453be

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cefe899f7c1edb201b0da41ae44ae510

SHA1
a5752e56cbb0fd9c18a077f8f63b2a2795ef8607

SHA256
2cfa19b527577268fedec9dab5eccc0c38631ca401e6652fcc556d409f77242e

SHA512
fb4316686252317cb5cc8dfbb55a37a84dde078ff7fe558014f0e9d18739027091e4f4c90fc1a6613f8c9b6a1dac566a76cf9bf32ae125636132258fd3a46585

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
27b75f0aa01687ec3819546778fff95b

SHA1
6eaabdaebbfcce087290078ed5053fd47edf13d7

SHA256
398792f7fede7856fb0c0ca63e3169664e9b9e23b34904418c9727b693cd85e2

SHA512
cdca0ac6ba1ef5188c172e5f9bbeef4f64f1c96904f19d16a3c7a98d16d234800f63610b905f22f25ddd7f8aeb52137ca91f959f313ab6240a9ea9f90bbb6c96

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
7b0d9b156c2bc78176f4f2e085322846

SHA1
5e1694ae09064efad3d61c9469e33ceca6263553

SHA256
3649ce43a74252d15bb389a6cd5b41b5aa33e0c47da8d8b1764e9565e10b2a3d

SHA512
c5fb4e5cf9358c88dbfe4ca2162f5a59449be137384f82aae22e2e5714f97556c449a89814df9eb50b151d13f898b3f44f4a871f9fb8a7152ec24a3a23a1accd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7e314b51a7788d5b73c6a31f80d5ada1

SHA1
4ac9e7b0f0aefec4d9c61fba05039b1371927ef2

SHA256
7d1475595c2be2de858fe971ba5177835d6bd34668660a7ad2bf78914e72c160

SHA512
e62010f7f36ad2bcefd4606c32213c32d70765989e52df6c0de758729e2ba11daf8b806a87fd5de08c3cc86b1c7141ea2e25a4096c1bd6263a6ae6fcb2c45db2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
30092e88732b4659f9a14c7be9d74850

SHA1
0f6e6c23d7e3b20f8e8543a25525db99e06bd475

SHA256
8419ed9e775f698e7af04a541347da573e728b9fd2e20549fc39dbf7b1ab6cf8

SHA512
c86a99bff6d1979197bb3ad576f1c62fd1cf2b0a11166e508e97e1ba2eb342ec4b7bb229dca420b142b27a6942138fbb24042e6c1b95aaceac99d165cb6c2f4e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a3f32fdbfbe6d7064fa1d207142efa6f

SHA1
6de6ae934510122030d1e6b35d332fa7a8cee695

SHA256
dcba080cc3336ba253f92d9c6ea2e1d543f29865bf86ec53452b941db1595d19

SHA512
93b933ff09067c0628f593ef28e22df53c4d7fe16704c37fb0fa175809b9ea459cc40533fcd4ecc3f63d9c07eb78cc0996bb84388f3bab6df148682edfa0f40e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
531ceef5eed066b0db33bd49063c7faa

SHA1
c2a2856448368a89ff0235f47db9a9f00cf2f2f2

SHA256
d79820a1753760dccbe36854190fa701df2c135f5290cff5fc41407a2de81607

SHA512
c78e721f8cf0070ac4ae9f634a0c9b7f575c9ee8f64108b677194d6571386b95cef4e0dc173f4e3265b79954e88e0875ea88c603ad9a46c0e3222e4d014a1622

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
92aa8cadebc7028073fd1526fd093907

SHA1
cf8f748470c1ad7fbe2a1b15339a18adc7afc23d

SHA256
7e1a254a32c983ae15cf318110c6dee0f9f2e0b665170a1ef5d5577f9683762b

SHA512
921e16a43b4f3f8f85ac1f88863f13ebe3dbe57677a104a12c1952597a50130e3edb8f81c835c94353039d0c8d13aceb9e515e1d4785aafc4002fa59b73dc656

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
78b812eeea36e7c2d5b25c6b00fb3eff

SHA1
c886d77c2ae2e1caca346de01dc53ab126db9968

SHA256
5b6832f2331e203a339e3b76a4755ebf66da17fef74e2338001b54eb7ba479f7

SHA512
09be0460136e18917c41aed7bf8ea73f937194f530f56f34b89c5d5e694f9b7b89492f10368b6f77e436bac2ae5d027ca6b282245b6576a7a4ef2a1a8cda5e13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
1eb93f4750b96f92922773e9822b0d1a

SHA1
07b2eb234045d2de883cd623e55b69cc059d11f0

SHA256
2ac485b181e381a0d1c019bfba8bf100f8f76e5ad74671244b265fa4b93dd5de

SHA512
441e786121984d6d0e4b962f97ce6c6f5de1958317733f3b38ac5564bab44fe00bdfd4488d0784a3a76b11e0e25a901a16804a1f047a0921a419d6bf43bcf33b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
f91dea9270c2a8d19012c4571567cfac

SHA1
c10413584c9770f37e8cf14a18035981c70e588b

SHA256
b6c04d7c9f1f4a70ab85cb2aea4ac2770abe5f610d3f3483c379e12b93dcd0a1

SHA512
03709ab3a2098917161b023e955d291fde3e9e49623c5b294fc0509ac07260829e19da6a836d6754917fe3763fcf36a3913307f11ab1efa5609ff2f2cebd47f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
b5803522824a76f0357e396865e86131

SHA1
42219b1f283006f1fba5e8ed3618281dfe9c29b3

SHA256
d0520bc982eab5dd99038920021a1d0e152f4375e9859a44323c7f139b8ba23b

SHA512
3b71d274c03c46189eec76baaf1025b21b01b42f77fd89b242787b4d22253a869d8dd2de7ba2c5835e53208246b46378d74b8ad3110fcdffc9592cd3e3854aa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
d1e2221f0be5b59ff959e0f57e979f31

SHA1
97b9f678dcd18ee5656bf857a5d1e646546e4c99

SHA256
073f2a60fed6e243b719149f7828dffe7a7274052ec51b20e29800441cb45fc3

SHA512
cdfcffa0f231fd29e0a5e4b7a1a031fc831a8142c7327b6e9ebe945ae1ab235cdcfbd9ce298fc20cd0dae1d36d27d5965525010d2156772b38ab63f069c3c0c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
59e8083b36f7462f80bea379ca24e920

SHA1
8c30a477991afcfa6dabe2c2eff1d4a4b4863fd0

SHA256
b918fde496fe25e73ce6e46b2b02f50197436c4351b068206f2832fc8da8c6be

SHA512
1ceee9cf61d93a2ba15b11961575e60f11e663162f589de720454304093220ff31e831b737306271d66cb27198d4b0f17f2880cd5b5ba62cc4a4bf1a12b4037d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
8b50dcca1b62e6e63f5d5cdc9238f491

SHA1
00afe58cadfd2e26f4de764e6ffbfcd5881b26d4

SHA256
c3d30e8135933d2fae4b9c4622b71e94f0c6ab204df63225093c0e4e5b4e1443

SHA512
a239f6767b976e26a29f292f44a1591e8d4f28dc6c410ccbea0055bdabee8cd3ebe71c454294a4e26762f6bb0d83f8f47329ee4a15ebf565580a9d5fe67d9148

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
507ba83face66965c9c2913b1b03c53c

SHA1
b540dafd459bb4be169355192d39efcbbd2bdc68

SHA256
9afa77b92052db90dd5f1ce001c9e3a583587043b5bc8e820d032c809b888aef

SHA512
4c4b5cbf16e69ff0cb4d7effa6d510b3ddc6d7d95574ac4fbd0f2687c01b560f7a12220b6803a97080c2d827ae7dc7f031d6af8a187e99660bf8f099022f13fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
bbc262b46a06d0418ea5867ff073a7df

SHA1
183ab43cab7190349072be73936022416bc5a6df

SHA256
9ce0d415b24c675a7e9260f27bc0a2ea1631517e6395f9fab307422980ada27f

SHA512
131069b4c463b6f29b70c52b6ee5ee3641ee573caa473eef8371db57bff3ce07776f04ac20b59f666c225204600610c7a03b9c238a4cd4f76c91a3f65e0ed6c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
5ba426b6bd866dbde4648db287a77d17

SHA1
aeff3f52f4659a9d60a2b57396355863013ccde9

SHA256
5522983397c0cfc724c5dec5d13e258af063cd73fb846462e99fa0474527e943

SHA512
3a5599dee394b6dc1817b1c7b66090772a56c2012ef912e8a31a514c5ea7755f63a38a04cc1b66235167468594f9dab44630e1fe0eb38b94f843ea9fbed4fcfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
f359db87a5c14c2c514e7b563317a431

SHA1
469c576f2a9178b5c379e1c346deb887170c0cce

SHA256
12d159a970893535601ccd65cc32d41d0e849db393488a45dc343e7e28dfc03d

SHA512
797b90242f4ebcf82b7e19b66eebef084103f4e368e2b0346638838f8f5ebc2c01429055f32f3038c0a58d173b46b209a4f8434e50e2027a0413efab2df1f1bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
64dbd8317b89c4b5a08cee0e6647193e

SHA1
70115aea64794d99784f5fc2e8f7eec04eb5f5a4

SHA256
b1863fc8ba5b029c54b61d7347362f57374ac605e822ab5dc1ce99148ac810d7

SHA512
3c7afb0321fa0a41b34a23b652e7ef0c0b6004c3bb264d020ec5df5bcd907f1dec42d713d6fcd70b2707d4ddfceffe6044d394f16406c8a83b609de6bc88551f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
c0ab6b6f17cb36e7bc97d3ef8bf13fdb

SHA1
c4d6520f437bad47aafae5c37d3a6178dc4dd54f

SHA256
ec96b06d735ed08fbf799b7d0a1245ad91a6eb76bf4e38bf86f3f3fbbfd5f004

SHA512
fa7e99c129f3e43916ffcc33e1588ec6a04ae00ec43110c7630c535c2408b62a91f03d12d7b35740eb18aa306e303696f0d7ed138839d30940985bae7790b24c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
9f3d39ad328f49659593d1b67e0421e6

SHA1
425a60d6b41706d104295e2daf429226db261b1d

SHA256
b9caa378fd4b695efcb31bc82168112fb11b97eb035ef84f5d2f078d53173300

SHA512
2aee37c7be8cf5f22569130e773907def4877419cbcc46c764cb40fb6dff59c08a867418d6f03476245e689dc71403f064e856cd448bbf744788ca6a437813c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
f1bbaa143d2cab7ce17457b3f8e669a3

SHA1
39581666fd82a60f86848133d29d800b6337ab7d

SHA256
92cd174757a86f06975a81966608cba3f403b01620ca30185f39bc4193c4ee56

SHA512
4ab4fbb2604a6326d3b5263ad82c258c8feed7576cdf795b35ff320cb173aaca142fc91733d1f0513d878779ffd11973b9dd47ec5eb8e734deaf9e730ac3db93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
cfc281554ad28b6d3ae7dff4f4ea6878

SHA1
dc7d83bf85e67e254c4b1d25986d31f86cf4bde3

SHA256
fbba86a3c686e1fdf11b5bae1ce4083e4a7369ce6deaaf51bfff64e5def3513e

SHA512
44d90c41c6a7be0104fe53d592c28bcbbaef8249b4cf19d8a6b585cc852394579ee829d99f3cd33a837bc67273873c86457ad2733bd1446b3e77dd9c42078ae1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
bc88e4c333ed280362f59712ff073fe9

SHA1
9fd22b496a6017f740dfa66122b7a0a238bc49bd

SHA256
0ccf42b1e8663868992b76ebc0cbb9bfff19e093b5efcb03e7123e729e649691

SHA512
4d3b1071e6f831df6eef61d4e8970d7488091445e51835450201b5822b12225b2ebffc10111e391bac2cc146ddbc985b64ba29a46e9fc4a2159b08fddb00c764

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.3MB

MD5
41e823d74a7b28c88315ce56986692ed

SHA1
1a1feff57c566acb60f91f111ebfcbaa914fc081

SHA256
68d702ae03b952a897da5e2c37954c6a3d531e120c61b1545867a70cd2569133

SHA512
78a4efa3ab6997293ec6687ebdf0c938eb9ab4d5078343efbb84d2fccf093497a197d05561f602ce601fbecf8b2c195f6ff83293fc2850a11710c6660043fd59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.3MB

MD5
a6b18fa3d5a044ca9ddbb4632d1886bf

SHA1
160efe637c8893bae74f2aa203b20971b14b09c1

SHA256
0b2e14c0836a481da3be720fc74c639a13a201cf37593987f0267fe23626c08b

SHA512
862a778a02d73e066ceeda2a01b1bad8f4f43188921828dc8f100960fd71b692d998d2eb42b48b6def107948ff16ce517cdc53e95b011056373a0e4dfe414e19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.3MB

MD5
7950391e8d9d8fd0d651389a63b5c61c

SHA1
6d148c1910ae072153b5ff7e168633b7b78d278c

SHA256
bd8bb43a4bde856e9ad9da367c75992ae00e7f8d56a917b9ebf168acaddbe88e

SHA512
db04b7d9f37f6f20cc5d50dce20669b0eb08d4982c68d808050ce72013b87a58889f781413f0c66e3997e09dad18d37dd7a27ceb3e587c3704d9dc3ec3bd8514

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.3MB

MD5
e01cc67ce0feb17b86405b97878b9386

SHA1
6da7d76fdac7770dfe6992a7b4502cb2a29dc5e9

SHA256
440056b355d2b1319ecbf94d3c3c272426c3c113c582ca14566c50767a1a04e8

SHA512
8b043856281202ef1befb84e5714b83b9a82885e4c414c82538a39b538052a5ae907ddf432c4756c93099dbae7c6e6f75a3ff04f41ff976c6e9f4aaeaa70b88b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
64d19abdc6969686790dac6810ad88ba

SHA1
6e21d91f24d21adc7e1657e9fe2d544782461176

SHA256
12f10d0d2334eec4475ac60c650fa247f4689ce8897a77586ee59815064f3757

SHA512
986b6ea68050c00cda7d3b23a5c071fa87afe739e4de22d113609782c5dfa16a5460fc87ba9b7fdb03d3bc74a0768d298cefbb47a41a92c85a227cda2724e5cc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
e3aa253ddd4da145b7b67ed8b822fa87

SHA1
f96bbb0d5bee0c20348f9b5317feaf6a6c128d8b

SHA256
15f0533b91409c48248447ca57d255b077ca56039f55d734a1bc63026abd5da9

SHA512
3583400e08f46f2d6bedb816e38563e0d7bc7874ddfdb5762a8808814d541d41620adc5eed100ae99ac3a18fdf49fb8a267252a5e98221b3805ba2206ecd3d8f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
298c7822f597a46df0db7ff0e6fad7a6

SHA1
d7b86f4207b74b7801b00e7b8a6da14535a17e5b

SHA256
710c447ad4a82778c10cfb297f26ce942981d8e3b6068531f8181ba3985e8355

SHA512
d27ce80fc832dc7b06d529006b77774b548add99463acafaad35319032f597b560651e64e32560e631da03be6dbc0745b3578c3ee659e3889c367e108cd6e057

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
1ac820a777e89ca1801a00e368a3afc4

SHA1
3822ea7c5f1b2a35122b73efc2a463506507ee7e

SHA256
f513a76cd9cb370075150043b0f95d89fd0053b3d33ad29128b7dfbd7e4d6e63

SHA512
08a73b0ec636283ae8e65f0a41a0b8307125fecdb8b0e44e0903521bc9d3933922b74e8fc2cda671177fa3a36ceedd266ce55daaa118715b59eadbf58a605702

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4891ebf7120fed3e02f1da191e8a2c81

SHA1
0e42f07ee653b10cdea871b191fd51085c61e9ca

SHA256
86c3c8bac582afc1182b3e1bb0c18c510dbab400680cdec7546b79df9bf7bb00

SHA512
8d50b88737c70950094124f933436dc1bcc82d175e0732c0185058b8c9f2e9ac78e23eabda76101d1aa887930618f064e6ceac4061c84379f2ce32c647aa062c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
14282d963248cc2c216a57b39720b4ca

SHA1
dfcbbcd67da308b7adef63eff0e739abb89ee998

SHA256
b733d4c82a1ab1b299c5cf6d7bd6691d1574a8d78e40e91ec0b03ad9262b128a

SHA512
c8216adf5964995df0037bf84c28778c245e68c23df124d9a69b5c0f929ddaa3deb5355712e2970639dd96b10706fb008440040af19f270ec9850e5eaf8b51da

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f543b2b65d25140d17f61e2937ba8845

SHA1
9ed9356eb74be909fad557cfeb4b4de94738bb59

SHA256
079e402a2cbdc275776e4d56b14857bfb03eb7bde743a8b8101f61b23eba03d0

SHA512
259e6f0a87f813d843e23632f6fe009b65898ef6c257d39a29ce2d3c27067db9caa9e4522859d717f31d8c0954304d56662fe5aa3eacfdc1a556c76eac0c27b4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
f8b627e94565ea4965d5f2e51b8c9f9c

SHA1
8fd6aa89b3d27e210ce7c127cdc0b9260621fe30

SHA256
e0934377778dde177cfc4d2adb42b467e71e26a54e779e1e21184be6aed9328c

SHA512
285a601a0295025877b927b7f8124c51ccdfdeaaf7a8467bc034ba70367eea526b0a1bcf7e6d1e8390f29571f05529d2bc2df26c870be39d34263867090847a6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ce68bdbcf3893747f024e14eca378766

SHA1
6625c73c6e3cd0e96ce52a1a420099ba09e35bfb

SHA256
5ce8e77bb93ed8f09905e584a763b2d339a7664387c49378f3a16ef2c06c5867

SHA512
01a9d693cd2a53593efc8d3f3b6f33544e4fd3371190f8fff56b70227150e45b2f86d29b2176d84f34d973b9801d7832dbe47d6d3b605ae760ed92eaf748776d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e6edd7b228ac198d290a94e849f3d0e9

SHA1
cd3ff6d252220d192735031d3e683835e771cce1

SHA256
0acb5f51caf5feff667c083d2fef2a92ab0a6516f7ed5752114a2f1d899cdc98

SHA512
69023f7cf1a72ca4c28f9a40ad234791de1694e0c659d2e6f222a88fd37f3cff3f01b6762be4d46d7c6f738755fef9e7aec501d03fe660aac1234ab39ce35564

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bc191f381965b1c1642d5895dde5e678

SHA1
20d2606a6a52dfafdf0a2b2f111f1c22832df59b

SHA256
ae12946b607475c444168d3b0e1e9250e126c35095e1d128f84196c1da2e1c67

SHA512
f317c6c32e688ac6f5cd7caa934b37aee2b5eaed70460c074275c71f743e1fee729672b4bb81f8b5ed9cdd4ff014daec772a00e26cdd0ac849bcf1fdae718b1e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
c7f4239727d3ff0036c053f5e73774c1

SHA1
eb2c588cc25e0b708dd3660d1337894d6b394b99

SHA256
f132bbd55624e61c33991d9b81a7787c05487682d61cfc8af18fee738428b82f

SHA512
9416be6e0fdbe664722fc4f9b008f7c363c9d21a7f88cda456d49a1d70a5e7a1dffc5cac0f35b07161d5e22f1ecc462d25581b8dc83700c712d73ade85104856

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8d0ab9678768450e2dc6d6c21d8baaf8

SHA1
15455fb254191a3e3f482ce0ec8aeec372754ff2

SHA256
4f65339b916bf0f2296be50dd6e89f76bb7e84944e826492d3ceeb8721229f61

SHA512
45b99b7539605960cce0b7b038f8e938108fd0de21d1a9f5823b16e15a2359badad5076adc54c7f8aac40be5fa73eb0456ed4712d1c164c78ac8213e091466f4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
cec28e183a75625ccc874e480a85243a

SHA1
ba526c9b0b598af232a22db16591a85103653a88

SHA256
dbaac6177ef8889ff895a278677b003aca4e8e91ce89dd984b6a9e32753d72ef

SHA512
e8329b01032773e0d778241f353e984aa30560add84f87978f2cfdbfacfcdc8837f15affff0a571903793926518588892563f1025fd6524b034bc6e8aa633915

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
540c2d00300fb996dcd311fcee07a6d9

SHA1
b285963e50b92ef9dec0f02e61f28620cb70a365

SHA256
7952a6dcea912d1c55a79adec8072aa2bf0cc899e4912545e4055d59ee5e5ffb

SHA512
e7608c8929c35ce967efbee268545f572f865cfbaa33e81dd5aad233c9d79d4a9ff9339db3b11cdd995fc2a7b4a371d5e8005df0d91a817dc05092a92e78a5d8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
83ea41b057dbbca1751ac4ddbac9da9f

SHA1
c3a3268d85a501530962f279f8689ee3d1162752

SHA256
e8c33f2a11e6c2c4ad78a272db55ba9d07622abdf3161c2399dddb4cd60fae14

SHA512
c7b9abcc6bd8ec473f456c710f7259921dbb93d5bcb38467b248a97f0cb1d0ddd18da54600ebd9fc943c5ad777c400f5c39045d55038b6a8a79046cc1548c1c6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c99f04737d359a9294f9dd34a01cc92c

SHA1
779fe2756b5e38c3ab5a667f42c01a8f1792d255

SHA256
db3fe4331961afa3724b660a7d8dd317a5a87a69e50d4f60163148313a71ba35

SHA512
646ba284d2888879a7a76a1b103b91fad8f6890f73577f9dd08a3e4c9d7aa110017b21aaf8f21a36aacb3b279441859f351f427eb0f38fd7cff5ca7e80aa01df

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
6c7ccab3e8c0bbdb3f77f231231f914e

SHA1
16660e5b48988750ba1d5bbef32053ff28178fa4

SHA256
400010914694f3022d84575a6990a13f3aa54d0925e3eaa9c73fe4ae89f1043b

SHA512
e8c682da854c18966d4789e8f5ce72713f210047d62e936911ed941d0d6e1a7ce5b3a9e141fbee0fe492164970204b5762b3f4dd8e277b2676ca7862c547af32

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
334cecf0c19557a95aa35b0bd5f7d797

SHA1
584f1acad75590a1edb2728d0bde3da1f9c24dee

SHA256
8da18bcbeef4d14927096ab18bfa40b2cbb1255b81685e0a606ea4ca8d706b3a

SHA512
fc5c400fe6ff43183a04ae5b9b7b30c3f9cb3479e9b51e06847e637c82a74f345f0b0aadfa5d972fb5d2745a1101afcc0b05c8dfc8ad65e1513d7ae081a10567

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f597efd8bbfe3afe88658cf5e2266ca3

SHA1
728bd883e52878674eb5c952f9072f241c38025f

SHA256
4fb31d83875b13cf6e96e2e19ad976d3f50ae1b126f46d24e8b9754189b43dc2

SHA512
5af4b1e5a8cb9ad43e3b8d4aeb81131af8657f9ddce79751559ca4d3231b3dabd97ee09e771a19f3e6ac7265fdb8a3b3b8313f469508a1b5ae33d3a634037a99

Download Submit
memory/432-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/432-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1248-0-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/1248-8-0x0000000000900000-0x0000000000966000-memory.dmp

Filesize
408KB

Download
memory/1248-7-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1248-17-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/1696-325-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/1696-268-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/1696-266-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1696-260-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1932-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1932-66-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/1932-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1932-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1932-69-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/2000-321-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/2000-253-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/2372-271-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2372-329-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/2372-272-0x00000000007A0000-0x0000000000806000-memory.dmp

Filesize
408KB

Download
memory/2420-289-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2592-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2592-33-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2592-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2592-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3052-82-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/3052-71-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3052-77-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3272-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3272-598-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3440-333-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3440-281-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3556-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3556-238-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/3556-27-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/3556-28-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3608-592-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3608-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3720-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3720-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3720-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3720-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4248-239-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4248-13-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4472-314-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/4472-595-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/4488-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4488-599-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4500-309-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4500-594-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4600-601-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4600-334-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4624-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4624-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4624-593-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4644-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5000-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5000-600-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5028-248-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5028-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download