60e29aa74aba1507c25fa2ebbc8d5d7b9588f9d7cf5976809c6485e524a515ef

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
Size

1.6MB
MD5

282db536884d36d8bc79142566a1998f
SHA1

5a49a43631bd1c4bdd44958548de8761499a2081
SHA256

60e29aa74aba1507c25fa2ebbc8d5d7b9588f9d7cf5976809c6485e524a515ef
SHA512

1ef25d6278d863cdccc2e708de6acfb09e3431e759a8c7416b4e66ab7ee1a9a4162330e9b97b44089c919ff271d1b41deff90da4913e7f2e2c35ba5de730effe
SSDEEP

12288:x85bM3nExYfj63hgD1Zi7MTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:V3nEi63iXSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4832	alg.exe
2556	DiagnosticsHub.StandardCollector.Service.exe
3536	elevation_service.exe
4512	elevation_service.exe
2116	maintenanceservice.exe
3392	OSE.EXE
1584	fxssvc.exe
2540	msdtc.exe
4896	PerceptionSimulationService.exe
4864	perfhost.exe
4080	locator.exe
2936	SensorDataService.exe
2368	snmptrap.exe
2568	spectrum.exe
4648	ssh-agent.exe
4064	TieringEngineService.exe
4292	AgentService.exe
1216	vds.exe
3640	vssvc.exe
5092	wbengine.exe
1172	WmiApSrv.exe
3332	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aa2e5d7e7dd2f4b9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99406\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7b47e1577bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7b47e1577bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cfb461677bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e7b641577bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000727aff1577bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2556	DiagnosticsHub.StandardCollector.Service.exe
2556	DiagnosticsHub.StandardCollector.Service.exe
2556	DiagnosticsHub.StandardCollector.Service.exe
2556	DiagnosticsHub.StandardCollector.Service.exe
2556	DiagnosticsHub.StandardCollector.Service.exe
2556	DiagnosticsHub.StandardCollector.Service.exe
3536	elevation_service.exe
3536	elevation_service.exe
3536	elevation_service.exe
3536	elevation_service.exe
3536	elevation_service.exe
3536	elevation_service.exe
3536	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3084	2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
Token: SeDebugPrivilege	2556	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3536	elevation_service.exe
Token: SeAuditPrivilege	1584	fxssvc.exe
Token: SeRestorePrivilege	4064	TieringEngineService.exe
Token: SeManageVolumePrivilege	4064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4292	AgentService.exe
Token: SeBackupPrivilege	3640	vssvc.exe
Token: SeRestorePrivilege	3640	vssvc.exe
Token: SeAuditPrivilege	3640	vssvc.exe
Token: SeBackupPrivilege	5092	wbengine.exe
Token: SeRestorePrivilege	5092	wbengine.exe
Token: SeSecurityPrivilege	5092	wbengine.exe
Token: 33	3332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeDebugPrivilege	3536	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3084	2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
3084	2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
3084	2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 1252	3332	SearchIndexer.exe	113
PID 3332 wrote to memory of 1252	3332	SearchIndexer.exe	113
PID 3332 wrote to memory of 4612	3332	SearchIndexer.exe	114
PID 3332 wrote to memory of 4612	3332	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_282db536884d36d8bc79142566a1998f_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4512

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3616

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2540

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2568

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
67250eed236c05d6ed7d95f27a59ac00

SHA1
e17beab2bb277b7beed990312729799d7af26162

SHA256
fc240ee535dadeb08b98d74a4eb2b303d5629064c20c932eb7baab4fb3729405

SHA512
4b72d6a51e40e23d38c0ba580cf2f37c7744e632180a7efebf1d6fcc5a542271e4c60300e16cbd976b59de1bfc4804ca7302eaea9775307755db641e99374471

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8638893edf64be3681d15c40899f1a9c

SHA1
0b0fa2c10510f6f94db60a7827b233002e00c7c0

SHA256
5ed6da66eed9621544cd23b6fc30f17c94fab39893036a29cc8301cf5bc81ff3

SHA512
c87abd6ab80fbcbeb6e00602407e255d07d12d131487858b6d5e436fb21c4ac69ab31a747baeb3d37d0657ea2067c289197039546de9933698f3435d2f86b80f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
4accf2462f07eb4ec70cf924afe8d9a8

SHA1
9f0e6eba3db7685113327057d84af4a219f5d8c1

SHA256
44e9479a393bb268d526edfcf774838ee24b276d349ff2d01efa447a6588c76d

SHA512
eda34b75c1f3beff373e915e8c61852dd473da098f35953d853ec23cc2d81a0605ac250ce0c25d833b8f523c5bdf1ffcc550e0cf3996575bc1877b7b6d462945

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
638e396d64bc51465144f9649f1a59d7

SHA1
a79e4ade72203a130d376e394cb97ec377af9601

SHA256
672c427033d9ff315ceaf5c72ac22376b2aec6c14a83e7adc371cad62c56b4c4

SHA512
744810c31b083c7a79ab5e2533b4806110ce098f913774e121dd2ed4edf9fa652e4bb8e13b5b0ee5f28b732427a999065c4c4e733b8d505beca4ccfb9449227d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
aa2162f5827498413470761c98e29972

SHA1
1baa877a8d2bd74ecbe64fe92c4b93c6c2db0625

SHA256
3af98cc2b3daa04f2672daa132522007745dabd7d5d90db9e7338153f7525a78

SHA512
3ea0f9674860dc9ed7968bac4dd6d9cddaae176fa523a05a7505fe6544f91d778525251bd6b1009860506bdeb440d62fcbc2c1ab923ac9838b5e6551305b8d7a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
18bdd33cd41b00b809d1ae7e4018c7b7

SHA1
dab0a9007461098e0d95998b482fbdfc0928c4ec

SHA256
dc5ee50d149478d356272c50f0b6b28f2579014619b41790a7254a79d57384bb

SHA512
5a9aadd33c16347ae0415a808189cfc61844ccabd01c0da141697cd286d2dae06a8aaf677d83b04cd5141f4b96d9c99350c2a4f2c8d67c72e9e05734707de9fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a3a14aa50d99dad5d16b7e7173e460d7

SHA1
995ea520016d085f79afe109befc5a5674bf92ce

SHA256
65be7718f196ace89b9b984524cbe50368724fc076d82f5c6705d52d3a9e33d6

SHA512
829e066d0f74b9666e40ea2705169505476777e588da4d8b516387a9d4dcb8a4622f75ef2ced96fbc2f5105506c0b7e93cb0291aecd009eb5d985861273aa641

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9a51409ac79d856ca0f9a573bc0e5a8e

SHA1
dd8ff216c4f827cfb0c9ab3318938fac1a18ab04

SHA256
5bc9f0e6f4c4c5d162a3d83bc4ef9c02483b13e381b69d55b1658cdde22198e0

SHA512
5c623b3d897a27df6d06c1c6773bdfa68ece82c54a1535fca27d586984219df44c6261378e02633c17157a0b64ee120198f84c996a80847c3d36f03efd5cf8f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
835cadd2ebc49924c39d97f87da69c2b

SHA1
5a74315be4f067abedba3d78a66c36de13286ba0

SHA256
fa9ca9083d982bdf1407cf2f83093aa30853d79c9f2320ed6b52a78abad7e9f3

SHA512
f09802d3c467166e4844c0e5e9b076f293d7ecf6c3be9660e009a250a4ab6561b963e3a155f347a4b67e01ce5560cdcaba07b0a33fab82d7aacf4a19e75f3b29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8038c4af7d4cd5beebd1cd73208c0047

SHA1
c6449c2cd9c165d7e360c428bc8b4adb19edc7b3

SHA256
def086b635c4c71bd0252880ce1287b712c6bd3025bac73b7a23ab25295574b0

SHA512
d40c8fba172c303efe78e6922cfe194a2859bd1815fa92c840a3f9014eff8cf20ab7fb70b6743704b9b6b78edc0035b68e24356330e7669b3dbf09438c86ce80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d185b8133d97fde79e68000a0469a6d1

SHA1
89de183c6fd3bd0416aaae5b48516b61b237265a

SHA256
1c65a4bd7d17bd503806a48d9aa48824885f69026ecddfe9f0c209e38813e1d6

SHA512
26fd72120fea9de1af1047fb2c86f5bf932ee518bbb91ed1d56af2f6818af017380c031efc0b47e7adb1c82b86cc62b86fc44c8bf9cde5462b0964173b443de5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b5d9f227bad0ae329dd9400115b288eb

SHA1
6bb75dfdba07ed631527dc3b3bd12932a92670e0

SHA256
f9d875fe6e0eeac8c70022d1b36ef06be2573de252c7b1f693bf361a0d943a91

SHA512
f30274e4c97ec76cfa507d5d8900bac40c54ff8f131b60459934526390d5848ea238b76ec0769aa147da4961e0283b1b0a321bc5677530a47279e43fe8ca2ae6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9f6da93595c23f584d41c22c0926a28b

SHA1
bb5eb41c08fe9c88e6b3fd7e3026a2666ee0aece

SHA256
f1389b4338720170bcbe791df52ad4a195197d1b1dac4aae7157e841a0ae1c53

SHA512
7f0a1a5bd2c84a16a6c7b0aef2a36793999a96a80aa8ff547d80da9dbf101cabce2d3f519619113b63aebc4d037bf43db005514e741e6c3d4f9ca1b7e014e1c0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
7abf42dd38aaaf61e4ba3eca0a33294c

SHA1
53de2ca89c8feca1af430ed23689f1585a28d878

SHA256
324b82bf1f9f999f0d1cf4b41d364e60359ce4f0662f9a9f269619e2883ff3c5

SHA512
beec7970cc4d5f11d07f7b0bd6fcc8e894227578f9b38472f7442912aecf3e606843b146cbefc116dc174df008f5fb786999ae301790070a8c4cbc625bd0bfee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ce229269130416151b92ad9fd7fe1794

SHA1
a6d4cf97a3235d2d3aa8ab667a848a0caf0e5722

SHA256
742babb33fa5c8ae68c74d824894873af64adb7182ecff86a3da4adbedf1d427

SHA512
28877bdeabc657438ca2f73ce2fda0b5cf659967abcdb76d3f741f6325cbbdc270cc017ad058a6578925280af70b12da91939046d40841c6d948ab6f2eeb6a20

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2e6e24af28b0d07f1ebb5b117c4670cf

SHA1
3c97b208695f89c83cbdf7e7cbe7238d9a14d5bd

SHA256
8a7097bee448b70aa029462f5820cb9917e541a21789f3d172386ddfcad8a9b1

SHA512
fbe346f791a63d769e93014705207a69dedd25cef8267ab55abccf1e25225f36a2319a9604eb3e6b93a2269fbef186d608c6dd5259a54113f4fb5b07d9b1a79c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8150c086a7dd06cb5ebb8153e834c44a

SHA1
ecbeda501cec718cc7fff606d0d3a13b71fc8f79

SHA256
c6d6a3fbea1aa2e5f17b360dae8d0b44f222c0731147edc0c830d3aa92f3c341

SHA512
c7cba9fcd8cc27c5815f02115b0eb3190d755b1539c8472d11229e64235112d2f83460fd6bb8e20ef2cb476b936d136ce696689f882d8b93f0c16f9fa82a052e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
69401cdc01604de83627ffc14df973ee

SHA1
0c06704058131856e16861597505a08bb82082ab

SHA256
8e4f46ecfcc8d1037e1f04319b259edbd22b10e7b620cffcd6dc26295a3e2ab6

SHA512
44958a373d034cf6e3dd780476fae9a0539db23cb370c67019771292caf8c81e2af9a8dc866f1f54c755c9b2de56a3b5371ddac57e9bb06448b682ab31ed22e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3f7b7ca74ec7a95412fe0eb73059ecdd

SHA1
93adcaadf5900447061f7764bdf467d151e0ae63

SHA256
f27a1c573a1430be303b02cc95b75a20a9b30b483382d65e13d98ce0340402e1

SHA512
168d6a52739cf35b26e2d8c93dd7dd6b654c21ab8b3b024d2f0a24bf61c34688264ef1a5353fdaba7cab30856dff8d0fbf67efb5814fd2dcd33ad76a1c10ede4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6d00fc23d05d298061b657d0d104a900

SHA1
650ffb8e6b2bbd6ee03079efe5d02e928a76dd51

SHA256
91c846cfb4a35a8c4926600921476ef2e2c4da7c180644440db00d507350f873

SHA512
760fde5f497aaf24caf5933db9c2bbf59cb741e7c005c82f7ffc42575650b5e9713f2278f0a767f599bff4d3e0f3f6c34a3fe4b85136f929e75dd9625bf5cd94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0e698e4a905ec24fc58dfe4c634fbb45

SHA1
666522cdf22db73ddf53621346d3d9db74c43086

SHA256
b23dbb39d8a52fa1f13110c893ec68c906ceea871aa904ad7fb79dc2eaff15ef

SHA512
a4cb2399b8fa53495fa590261d0811dcf3569415dce604c291b0a1857fcd800a6252f187260c3c4c21560d22f8bae35a39d82d3608b7aa70236ecc6495372231

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
dac2ba24ac3ce023d77b095115db6e57

SHA1
c7a7e90518e9bfeb76834f2ddf38a960752ba65a

SHA256
0d097e7bd47293a921c21c5b491ae1b75364f5d56dd67700a0db6aaa7c4e4c22

SHA512
037352477e826610c329e15fbf13ffbb94233b91adf20751c44a94f39ccb8c7878e1d35d06a7867798329becaa5f5aabc531742676b25a36ccf5eb278acdc3d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
bd53f195f27a0fff43603776057d23d9

SHA1
87c8061e4b5e22247df5bc9e668ebd29ec8f129e

SHA256
52453ea1b8a431e9163bb42c87cd84b7592ae923fdc81d7ed72ad49f0b802f84

SHA512
5f2d6f8fac3e3fcb0dbb472f525ac67e83b10ed9dbc36dd9859ef900688415f2ff0f07685968593cc595fc4608c362b29fe9d4a1b13acdf12c6f64ee9d1c8b21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e4db573b0ed5fdea6c59cf1473b2866b

SHA1
04d76ad055abb4dfa820d1e85508d4fb1ab2a5f9

SHA256
0682bdcbe5ec356ae614259e6a19a2a77fd90d78a07e818e44a39b1bb560d881

SHA512
27afb1478473e46a70f487f42eaa9701815bdb86b0cf6c4cd5bc0e4bee5b66486092e6a0644d10945d819ea3b7ce9c43126f319a57ac1893385328ddc3e55dc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
fee8cb8d7c77110bb54ffecc0b66dec4

SHA1
030792a106083dcbdc49199039e0c95103d09485

SHA256
248db0c10937e56b296d4a43c9fa8859528524d6d74ead6b4fe2a936feb2b7ff

SHA512
cf8ffe720e4b3257aae27ea6ba02b49362a1bb1f97186e9be9aa4f3ce280fce9b6568819f25fe05732c7f0fdc305e5a0acf5f6c57989c1a1c0ca3bdcd0cfbb38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2c193b8e3cf2341094ec3133670d98c5

SHA1
b0080505467e4a3ca66d7ca43819e11cb7f50c46

SHA256
8c03efdfd8d74a983c49f08fbe4e411039ac3a4d02cd02762c275130a8bfa1ba

SHA512
b7fc1f6003fbe7771512871f5d0bdd7100db14c53918d8d05dfb0ff47d8445ac933b3c9e8799d7cf081724ac3d4835bae943b6809c142f7fc7d27e232bfae87a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f00c9e2988c813e484ac8ff8501d794c

SHA1
5cf37d7954311644746c5d5b1043e1003a758fdc

SHA256
6f5076c542fc2c8e7b70755e70bbe8434a61f0247eb23c0c6aa55ab949d8e92d

SHA512
a528887f35ca85fd5d0a3d7d5e4982ad9c0a1263fb1efe5e7ba37ce2407f2249ad8fab08b62f557db0baa39ff7b588b397c08ef8ca915b8f6dd17fec51c9dd94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
465d878186ef401aed1e74c9522a6850

SHA1
4e88a48d04de845f0ca6387bab3490bc4a5602ca

SHA256
cedd1f7b64ffff17d485a63b9b4639abaf3eef4a582d83738646f829cd59baac

SHA512
e5487454e11fad36b33ff418025895efb8706236dfcd6076f8cb996e7d8d5ad04bf665aab84828b684701d1aa07e36d7157f1efe43d25c4264c1472a0ebcd583

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
1b097593fa36332cfe639b7eec925fc9

SHA1
ce5a5a2c83b7f414d14992dee0b2beaa62f2e8a2

SHA256
18439a9717b2c08ac3cf0a1daec52ac1c4a2c1ef27e7d5f992320ac6953759c3

SHA512
49519b519264bd34f0cea5ca95eccc8f01c9a5810fc97c8ae9f8db55f2ab2e55e332c8cd7efe1a18473b7cb6868e01b7b1ebf9656d4c3aa6b275fdb66859b515

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
1dfcf368e50833c013d0d840a29721b6

SHA1
8d90fb2545aed9807d4de7013e73140ff09dfe26

SHA256
0a0829a3469484142d64a0a604343bd56cce96e6dd421a9eb68b20d02787e393

SHA512
b42adcb16aad2c020383a64006d4eba792fb79b1e5bc453d3cb17ca2e865496f5ad7798ddb8e7e6be91fcd8c7b775d9dcd0c915efa000218807fa187c5e4b14f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
07e4c6a8e5c1969064c8760bf43e9946

SHA1
bed6354effb8a26df14655a9dcb62d10453acd8b

SHA256
c1246f3108f3e1935d8e65fbeb765cb7fe7aafd62388f59b59cefabb9c10585c

SHA512
e205a6bd3b21cfb8bb1b6c867cc498a41b515b799925288a5bb2601afb95f8431f4d68b14fc8e6fa37eaec622ec29a8ca9e87e4ff5efff99ead8c127cb45a029

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
185d268a9a8c54701b3435a0842e3376

SHA1
b63178b27fa543afe940cee4b59da02416d19098

SHA256
30575eab0e93595742df9f2b0d1ad91e0d776ec39b922abccd9246c7850d1b96

SHA512
56dde10f4b1eac52761ca08618930b3d422a77108183bf36a5acddd450657ea05de2d227421921145f17c3d56ab6817c42ce5b5c5b0d580e8949a1a2b7d03a7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3ec1fa42bf3f2f6114ee9caae3211aed

SHA1
fccc30b5be42e1fc2a4e986ec4e4e694954d08bd

SHA256
61a582158b6fa47c58717ab3ff39d8237f42ab397c4154152c8db040e570a190

SHA512
53a20c787e4ffc7337b95540f8243a5e91603f9189fe4f7e962e1db63b63a3e1578d5069c9d64553f02d5f8b069f63ac95abd94f4e99b3ac2eba8c814f8ca771

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
ea26e00c2796a46c451771e2880f701c

SHA1
314f913ca08368b65c4c6b41025db4eb2b2a44b9

SHA256
911424cc9976751c7d7bb6fd9450c42b5f5c22be03be7b95d67c2ab1142a0268

SHA512
f8ef0435584bd90a8424502051e499e34a3aa7a426f538803c3b11530eb9f4f31a0868f9539e3a134997557761f02b981623977656f479c326726b3cb790b2d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
579930cacd637e16aa17c026e3757a58

SHA1
e1406ab87b18657a208dcb0a67d9bd830eb2cfb9

SHA256
1e93e9d34491ea395db9878f015845f06492c77a7d0a31c9e2a306f4784e2fd0

SHA512
2da630f8890a2c703e9d804d5b21b8bbd263bfb21c7969d284b121bfd1baa0d4862f9ed2cfb8c0371435904c77ecbf1d9c86297f938d77d484e76ea71024b022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b935df218eda34b20d93e8ed1087c1a4

SHA1
9d5de8c11e28496caf68160df6baf15e1764bf85

SHA256
43cfbca7d1deb083a6daf525fa919ec580b80d46b1d09eb170dc209d05b0b8ce

SHA512
4b4e1873fc90aea8054e2055161852411fbb1f26e71416b5827fdabd70e67d0dc6aab478d4ffbaa1fee867404192a0293701dd56ab85e02d51d3ac53311c606c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
91fb8a5bd7179b9fffc6bc18bc9192da

SHA1
d9691984f5de36a6fc917ce6b95cd53c122345bd

SHA256
03de0182e4d0b7abb1f6b6ccfcb5286075e9be50ec36e7f3ae446c85e6b4eaef

SHA512
42a3a58434ed09dd95984f9e9d22d9edc227736a687d4101be4c98b567c7c57a015274141a802fe67ea8738aad3e6ba7530b68b2cbc4b5973f36ff93252d6f01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
0ef43028fd22efe8b96d409002db170c

SHA1
972753ba7b107418ba030ae60410bdb95540be5b

SHA256
23ec02219305a9eeba049c99bbafadd97bcc492777ca58ec15e25cbb8693bab0

SHA512
5b4b0dc9b7a994b4989c3b0b5f7e381bea8d22b045500336af488eafbededcb93093d3c148cffe38a794ff930d5e352dc8ccf372776c65ae561f608e90b661aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
516eac1321f4fa54f8bf875518137a72

SHA1
48ae14c1c66844ad29d9e62c58b3fa8adf779c98

SHA256
030e986b49c41292e97a4d312dceeebf833c58b69cbb10cc2a9f2833213bda29

SHA512
cc23dbd3bf277606d4414fe5b57e78f93925e1ece1682ac0a6d20c806724aed6e564aaccd9abace025e96ef43546d6715b505573272f4d67ad4426c2124958f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
aea63bc86d2a824f2e4583fb761ba826

SHA1
6c12d0c6107b2b0ae6c2810aac0e2d04f068081f

SHA256
0c3ec317e21c011ae90cf10b3a0b36c7ca89a4ab8f5c92383d6c7ed30944d719

SHA512
80f7fe2cc6d0a0f0c4c75b1068ee15de010b701935d38c1cd9b3b6888a5a7c35c5ca9a757777c88566e7aa53c2b5048dee39dd24c39dc1750a2426728d9164bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
2bf15cd9be7967e28009b91f9494288c

SHA1
40eb31113638620754c9c398b583563410619600

SHA256
fd9ae3a2adabf37601bd885b067a3b1f190c046aa817817625b29feb22ed2955

SHA512
c7e684bae4a5b0bf8fc75a31748c2496387450b7d23b7e307038475be6f42fae4550609e45e163158b98b7525d10adc82b4ab4cdcbef98eaf68195dd35d8647d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
3eb85825c92ec097d82ba0ef7263cc83

SHA1
6579c6859c949c5f2b89f89d46bff99b0f7ffbd8

SHA256
ebb63ed59958a4bcc9f4364378dfc2c6d4d0c0ce230868ff33fc449b28fb0d47

SHA512
291d67cdaa8df6a17a937acbda1d9a9adac01aab32e79bd2f6c5fb032919f2541e024755d036bde80532fd4a140469ffc5c3645e5f393611ec531f98bf17b947

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5ae5d3315b3e7f81ddfa0316da9e8ed4

SHA1
71ab1e7bb96916c745a49aaea1c68e6425a3dbc9

SHA256
80bf23ef19faa05149a6809a4dc9401388a77b323719b9c6f6f924d012f5ded1

SHA512
04e1d5c850e72278330bb53df3450be1fd58d61356f8687bf4029f82362760e35898c248e92c24526c4f0c4902b1ad244fa0478ade5bf38993ae5369d8d7ddca

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
308d364a7ee2ba8817daa6f633453a2d

SHA1
72cb4f6349ae15ff08c3719d7eebdc23acc4c0df

SHA256
18b288d21671636dfae12894b9b2f509bb581b6f3fcf1bb4c3adeb80986e9edd

SHA512
fc463e30928754b647abbc360226e04fa64454f1c45f6e2bfe352221a42c7b23c4a336a2d285648fd18e870fe78786d392f04e2ea305352809b1c2feca1eb28a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
64bc622ee63291dc0a02cad9fb1cb68c

SHA1
2c7cce93e8e0bec434ead1ef6ce547432890a137

SHA256
7344b028bc03a351d4c1478d15c746f35613fc1ad769343b50240c38812e31a6

SHA512
197c16e4abbd255335a77cb7240202f94157f3e6a5109657c8b13a4c56fc21cf06074668e66a32233ac90fb540c8e39d2e29807f54ac0dbc369be017c7aee23e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
cc1dcabcfa1ea4c837615d0379e87176

SHA1
e1051b3971bea1148d8511726d91449c82d1835a

SHA256
de5606904eccd9bcbcaf96e50b9dc2886116ec12b313fba5762c20837312e099

SHA512
3f4ce8b3c07303aff7aa142df6e51b727fd2bc5a21149877198790ffee16cb8ce78eee0a79786d760ba16091b7ae7235f42725f1dda0069b218a6a58eedba815

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a82f023dd26a5f3267d2b790af0a021a

SHA1
8f44c1fc88970d98b20ec83791bd1cf3843c8e20

SHA256
973f4c7a75393b5357149f86912dfc053c5c1ad08b6d96bff25504c677ff56f6

SHA512
7827d50307ec4befb333a6d96b8355540760cb5bfc05d0e6abec0f027b5cae8576d988a759ebd5b860e9b5cd9a247cbc61da555ba3cdde6155001f3f73429f1b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
90a278c793113c7b964003ee5e42f437

SHA1
560f5a66cc1af06a96d60b4204751c14e1eb5cfb

SHA256
756bfef23a88afd6c2e5221d0a6ca67669975d8a4193b611d291efe53eae9975

SHA512
42c46efc9019932210852851945ac9d7cb4a0c54b78409ac5e138bbaa2bc2778fd6b96286ba5a20d4880c76d5578ab95822bbaa035b2814a9f31039976f574c9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
28bbaad40523dd9fdf28aa3d77e45417

SHA1
37dbc6ea00b4f6e0da9d639c7819321ff040fb2d

SHA256
74cc08cf50f8bdca9fc9d2d96e4d01293b8a29126a4117046764678b5093dad7

SHA512
0a74fdd657d0ef7cc6c36cb33c0bc86dd12b9ee446885910081cabb0c1e5d40dde5b5997942e584f4f4f476c5003630615f0e281c0b3b3a8880c978cb85209a3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
dc47ba6cc1498c37f33bebe4329e6afe

SHA1
a7f671ab759a51f824f37e9c98340cc3a959ed7d

SHA256
8563d649388db9ff43ce398384fbc98f27f2997f705c80496ca6818ef432d065

SHA512
7562d9c6011117374b772c6c80594a584e77169e6de7c6cb0d0fa8d8f44919b375db6cb15c81b6f6087a18906dc5a84f38e25a779fcfaddd78778b823b49fb81

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e61b7a1064331f750a5ba6952cc2cc15

SHA1
c4a32f57b61f594252798c6fd39155c11c38217a

SHA256
4b9553f2cae5bf7b2a673a4f53b1a06352084991d9a13ee51f6cf5e1dc9af304

SHA512
d55fa82dd94dc7356bfd696bea54e758c84e8bc6eaeca570b98fb86133f3414869478a7941a8fa90b43b2a008677e86172b940f9e035b2c7ac62520d062c3500

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f2f23b1ebe62431700c6c9827dfbdf41

SHA1
5e7709f67a80efb574cfd11216d57ff48c2b6165

SHA256
5fe6890a30734661be2e3bbfca773bb2017f63761d0a509540071e321502c231

SHA512
0f4930ac3932fc9bd04ddee80631641c31f047230b3aa25544f2675bbf454c11d5bd44147739503b0994ebe24f767879baf3a944fcf956c2e52681acb3576674

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4430007e6895a6e7f262206721053a07

SHA1
5445828519e98e0e49fc4e93e689db86a05c985b

SHA256
52b5d862e6a9f94554b7e9984be42a5c1a6fc9e1c5af174d858027f32ab6bfa1

SHA512
ee44a16e4d807ce8f554705df06917bb315d77201f43cc496ff4aed035167be161383e41ea177dc563a8c4d4fd32b19d5a7097af0a1d6ddf5998da745f452fd3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c9841da88ec8c6f3ad37549cf7d084d0

SHA1
e6a2ddfca7c5d373e10493f17895dd31d10a5795

SHA256
43c44b7999dd7e6ca1765fe3ae635ad883a7696e17d81a9d6452ab97ca3824e4

SHA512
e45ab28983e97a453ba4955ea03535976e617c7df2559dfb6cbdc895f0448445dbde7dbb9e182f3976402c13d7ce7c6b43871644eae3630eeef34f473ca8d228

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
94a80a24807b11a7c6e2879641861883

SHA1
81cc0dfb92fc987a57f50b946935bebe70dedac2

SHA256
34f830cd99e7185a0ee066a376bced2aa0fad01a9da332a354cb83262c16218f

SHA512
bbcedcb6cb8e12f5549a65eadb6a69c0ceef7c54733d60f749fe6fc7e7e3f4974c0c9366a67bc2a1dc8e1fb44bb082448006a7a58859197ed3776f511853d13c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
292201a01d584452d81c2502f3170a05

SHA1
6f44b34a118a9be51ad2fd4991055e7881b25f11

SHA256
1599098e8947be075b31ebcaa1d0d42884d5bc8ad880d68507584220b909a023

SHA512
9934fabb9cf05e8cf2552bc4dd936a75a49bab934439ba9743244f821eefedee7e9f20c8ec48869581d1ad0c446b016494907c54e881a5d615d2786d5295d9d5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9e9bf3a0530efbf0023c13620f525612

SHA1
da50b58a710603f39bc84752f51e4bb6e10754d4

SHA256
ff371c7c56abaf7c349cf893b823fe3f0543f5b4917415585a7309453cc79d0b

SHA512
e523b2458ca56faa3e382a3e4d0f3662017a0085a0ab38b1b7f61791f5da915987926eaafe1e12e8c79dd18df64625d95b325fe2add268560a781706c9951a03

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
00bf9c2d419180c9ba4d249d99c336d4

SHA1
f28725da96daaabc868951f3a5515f4fee373584

SHA256
afa8fab3802551f6baf5bbee6c3d07553f5445dfff18504f9dd5a678ffd4cfff

SHA512
ef6d4a535dfa4323a0041ca00d2f18825a4d6dfcff4c937b809312ccd2a01b5703051cb66802b2dc27b3f005ce29b359e467532df42a96a76f0f5a3d279bfef1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
da8e14e0cdba48771e88d5376f14c1ec

SHA1
84d27103e0b26e88b09d17feb8e69f0fb31b9b7f

SHA256
2de5f1385ddbe03a8f28bdc434a6488908ce93ac24708c31a531d14455ad27f1

SHA512
a5c992fe9a1b0fee85048642ffa9ff5026e6ed8040f86970dadf64e0f97c63f1725744f25370bf5eca1b184d28ce21968cb69ff0f717c9d17ede7440c9629a7c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
c3092f21324706c9c5eed14b2c73195f

SHA1
8436d3e7a06774d56dd120ff8002967786dd5947

SHA256
cd9c6ccd173f8e52575267cc58c4a1b7fb42c637c3c94f14858586c540168297

SHA512
20b2fda7cba9eb11303452d74dd54e79227ab0b86720dbd84bad3319acfb39e9f311a68b9deb9b1df0e5e564737afc8c003fd1902692a65fe71708b415518e6b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ecd618c21473f9b16c30d6d511388810

SHA1
ec28e18599906cdf01832a2b9ab0e18c87e75f84

SHA256
2c46c0066506776785ee5e96e1700df759eb894fd8de269832cf1d70062d51e9

SHA512
eeb986a1d689f23bce2d50d3ed62b41f0e0aa56e39a524280ed78a0147efb32ef87d7df1024877069e3e36f1a762bcb214fe3e510d08af1cf806d95afa0f5184

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b08a6f7c28c36391e45e2418688c3fd1

SHA1
cdb05c9782e6e6515d4f0a2493d31dcaa67ceb64

SHA256
d945be0e2158c1370b7e1f00e2881fc1c5f1331d75dc19bbfaddc0298373bc24

SHA512
6b68c8dfca4d81222c3e89b8c0ac67c86d252abd5bade5be30d07b7b382e5cffb08d504b3da9e381a9c9f3023618ee69e89a99173e82903e3c2c8154e586c1df

Download Submit
memory/1172-332-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1172-473-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1216-470-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1216-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1584-247-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1584-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2116-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2116-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2116-62-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2116-67-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2116-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2368-413-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2368-287-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2540-320-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2540-251-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2556-19-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2556-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2556-18-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2556-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2556-237-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2568-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2568-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2936-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-465-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3084-16-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3084-2-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/3084-6-0x0000000002300000-0x0000000002366000-memory.dmp

Filesize
408KB

Download
memory/3084-0-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3332-475-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3332-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3392-75-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3392-77-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3392-69-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3392-242-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3536-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3536-33-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3536-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3536-32-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3640-471-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3640-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4064-467-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4064-313-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4080-280-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4292-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4292-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4512-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4512-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4512-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4512-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4648-302-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4648-466-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4832-236-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4832-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4864-270-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4864-328-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4864-271-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/4896-264-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4896-266-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4896-258-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4896-324-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5092-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5092-472-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download