0ba341a9d238b63ab1d1e7090f8bca4b2c6b059290100074094b7df1fb1d3455

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
Size

1017KB
MD5

9d71a1c5563b67ca8b90d9441c5945ef
SHA1

84a97db40c4d0f5acbad66de2abf260918919469
SHA256

0ba341a9d238b63ab1d1e7090f8bca4b2c6b059290100074094b7df1fb1d3455
SHA512

76e39492420bf9b9e31580c1c03cc6f85f2392bdc1d385d00670a713b52aabf4cece5fefa745b3ab2ba83fbef1b64697898a4038ec4f35cc080e57093e6a1b6d
SSDEEP

24576:k2lmh4RXmaouGSPGM9ZQ8GYelhwOXGEDgm6:k2Mh4RXdPGM7nmoOl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4968	alg.exe
4940	DiagnosticsHub.StandardCollector.Service.exe
2960	elevation_service.exe
5100	elevation_service.exe
3984	maintenanceservice.exe
5004	OSE.EXE
4140	fxssvc.exe
3452	msdtc.exe
8	PerceptionSimulationService.exe
4652	perfhost.exe
3228	locator.exe
60	SensorDataService.exe
2080	snmptrap.exe
3188	spectrum.exe
4200	ssh-agent.exe
2276	TieringEngineService.exe
1424	AgentService.exe
1532	vds.exe
4812	vssvc.exe
2660	wbengine.exe
1908	WmiApSrv.exe
3624	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\31e188fe293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003a1045faecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000153fe35eaecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b08c105faecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cec505faecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000523d215faecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083dbff5eaecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4940	DiagnosticsHub.StandardCollector.Service.exe
4940	DiagnosticsHub.StandardCollector.Service.exe
4940	DiagnosticsHub.StandardCollector.Service.exe
4940	DiagnosticsHub.StandardCollector.Service.exe
4940	DiagnosticsHub.StandardCollector.Service.exe
4940	DiagnosticsHub.StandardCollector.Service.exe
2960	elevation_service.exe
2960	elevation_service.exe
2960	elevation_service.exe
2960	elevation_service.exe
2960	elevation_service.exe
2960	elevation_service.exe
2960	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3780	2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
Token: SeDebugPrivilege	4940	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2960	elevation_service.exe
Token: SeAuditPrivilege	4140	fxssvc.exe
Token: SeRestorePrivilege	2276	TieringEngineService.exe
Token: SeManageVolumePrivilege	2276	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1424	AgentService.exe
Token: SeBackupPrivilege	4812	vssvc.exe
Token: SeRestorePrivilege	4812	vssvc.exe
Token: SeAuditPrivilege	4812	vssvc.exe
Token: SeBackupPrivilege	2660	wbengine.exe
Token: SeRestorePrivilege	2660	wbengine.exe
Token: SeSecurityPrivilege	2660	wbengine.exe
Token: 33	3624	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeDebugPrivilege	2960	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3780	2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
3780	2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
3780	2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 632	3624	SearchIndexer.exe	116
PID 3624 wrote to memory of 632	3624	SearchIndexer.exe	116
PID 3624 wrote to memory of 4216	3624	SearchIndexer.exe	117
PID 3624 wrote to memory of 4216	3624	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_9d71a1c5563b67ca8b90d9441c5945ef_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3780

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3984

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4936

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3452

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:60

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3188

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2572

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
911d44c2baa94c735c348f7dc5f732af

SHA1
608ea24e837f35a2fba2ab5e30201fa7a6ec7324

SHA256
eb2d54b516de2c74dfd6bcb640cc6ddbf3c7db8163217badaa96af5d67ded9d6

SHA512
a479d7ba6e97b104da14a6970f6c6e5571cd178056d2240b92c8eb02a85849ce94f2802b153d701dfa794209e71858120862b14ac84d283ee842e1d3c5027146

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
406f6341ca16531635b1f62cd8894313

SHA1
be032905f826b88b1cac233eb6f56724a0170df6

SHA256
2e665374117e2b36da08b5c9b48bb457502972066b3f0d0e09ae49c80513001b

SHA512
a7f0abd54bb5aed1803c3fc08e9117e6b9a19534ca42f93723d424a0bd1fd30cf136e1918f54361086b7716a17036a52014571262228857de56cc61d40ef7836

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f92fbd76c90a0f0a269086bf60615e2c

SHA1
ed74615b3cb68538862b1449ae2177699db62445

SHA256
30be65c490a9dd9d0061d4a6cf23053df7f3bbbe1d2d2a88b38d16709c155a92

SHA512
860125650c1acfbd168f18d25a48c0bd4145db62ea1168f023f56a50f32c14476a4d3a58505f4cef2566bc565452295b11c8dffa626c944524c3a0cc561e09e2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
631710f96eee2628bb46e2ac6ff23b20

SHA1
d859c6c4569421a380752084a3b84a169f29da25

SHA256
45c4eeae56c085d5f5fd56ddf38bad2afe05c60694395760a43546a58bec3897

SHA512
3c803bdd8ed2293f22e301fa1d843a874b4d03b5b6a67fda702cbdd356ccfa7ab2921da173b2c9d2f011394445f7bc8c04de6c00231825f08fa04d0428606d02

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4c777d16cf9d2954c9236204d297cbe5

SHA1
3aa2bb1d7c633f98ff5195ada0c9558fad4265e1

SHA256
d69d863dcbf4e21063e8e58eb5f0fad2f58836b7db77010c872aacd86fbd7a1c

SHA512
09423a71682750701d80184109117090a8e64011b0900460d168d19a3b1d6df703dcab5c8dbb05399db6c5ae7380b4741c0ec4743aebfac3a8d4350138ecfca9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4ef6c8735de5cbc4f6221462bf7c0de7

SHA1
1c29b2a28cd5b142e3b6fa3381c659e94b0c4ec0

SHA256
07128a3168d95b1c5dc97e667de865d2f29a2c991eb1d387ab49cfe7da4f1273

SHA512
a03372100444cd50d3990977f161bec6995c9f3c248f15b6b75a589c26fcb7939fe020eee2710f4c9f48f79f624bce290740021d040c2f5d0c7ac7de4f33c199

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c1c8c8716b634bd789fade20a97aa774

SHA1
7f9557ccc4064a7a7987fc1cefa5ee3bceec4e8f

SHA256
7327cb601f7a0c3a79f36c78f5d9dbaeb35bcfbc6c1c37e8fc720c86d19baa5e

SHA512
56a6719a91e4d96df583ec3462f94990aedabf79aaeef11358aa241be3d3418c0a594da75722fa3994356b24ee72b22ef1affaaa305c4db533099f1eb1881c3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e12d44a21aae08fb516bfc7c47b81614

SHA1
9a02d3e662d93254c541aa60ce8df911b3217945

SHA256
a3fe9747c5c722b32fa781fb47b431cac7b93bb50a5462f19df3df6f40a32183

SHA512
f4f86a7098111926802a0b2342555b6c0ade52373b4d56927e4cfd52ff755b804f2cac91be9beda6113ad0ce41ef32e63fe7c404f4365cca65a0846674cdd21e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8e6d66b959cb0b3002b442cf78100fe5

SHA1
325fe1e7acb5cad3c9762db41222f7458d49f161

SHA256
9236704366489de7ce03488628ab64f07d1305fc1bf2819b625723d4221d3bd5

SHA512
51a6569fcf37fafa6602d8a7f99433842ee075f7d379ab4abadb08076f74135cb1c65baf60ea89b53c36bcd4d60177ea0b014bc2af6c9812519df428936c3fe9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4041698b8a6ef4f971b73621c0ed1f97

SHA1
cbd3e65a771569f54865a015be78ea7e664dcfab

SHA256
467b9f36b5cc91b5d7dc42a74ff3faf6d1c07acdeecf46534f329dfe90bcf9e2

SHA512
9a88d838beaaf52a2c95b254914785a297bbb2a25dadc5de6f58f47c2ac4ae25d769b22d4d4a0a6e0b63ee241153edf7cb23883cd24f7f75bf3661f3998c1e29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
39256b6cfac2d88526740d9a1aafa7d2

SHA1
b058763acdfe46af386816ee9a0ef38144ae8e7a

SHA256
34baba7ed88b3183c65dbb8d1d77689b608881f07619ec262173d385845f77ab

SHA512
08043c1984db215b16370294d5e0fbf3d96adb1afbaf04774297592202f8e435b296a0d0868d2faf3f16cfa41da4a38ae869a7a01ef7edef14941bc6765db9e4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9ce0dab19078dbd31c3aa7632242e880

SHA1
290a20b05fbe18c528c563b2682a75ea37dfaffb

SHA256
e03136945567217c8f2cf865e5df415882e7c75c191ad2e6919993d1f33fd681

SHA512
0efbf6e1873c80e1376e0990c8c661f08a96d2444daa6be548b63fad1e82baebf5deec50fa0bfe00f6be8942750da0fabf79830fe98c34c4e3804ea1a1afd2b8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bdcfa0f6563e855476cb90f5a70a034e

SHA1
44856a9ec28b5dfa77ea5187e03fa7711b4cc04d

SHA256
67f4a557784e678d218705784106afed3597cc17ef020a50019a7203ab70e9f4

SHA512
4efcf9a94f859b70de1814bbf0f39a6e622920b7ce48e848e50efa498a3e4f4557b57bd848d57dcce09825dcf1961f62436043ec3c5b44281e229dac5806cf46

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
214f5cdfd93d6c0efa37bb98759eea83

SHA1
303e30c9ecdc2896a906a5c98b0dbc0e318b7faa

SHA256
218f1bdc2138efcae35c7840baaf209c015e7dff4a2f1d13d183d267dfc3b23e

SHA512
4f6b71ffe49940fce2dc13b674b9fb57c505fb093b63934cf4a54a4852186a8ebc3e81751ce85115f3a3c6367f0406b7908bf64a86e0a6dcc0940b42c93dcd49

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4521b4970ed9768203f0f5451ae6095c

SHA1
5cb6f013fb9e42df56d23a407dd61d866b220ad8

SHA256
74f003ecd158b969ac067b147b44a3ef21b874a3cfb94adf460cd86140d57275

SHA512
698c957ddf793a6e0b288d61221a175e1bba550cb30ba8e8451d6b935fea54923315eecdfbf843dc12aea97fc8d8451002d48451c485eaae3ce7ef38b04d79bd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c311c6840b0d59f517ba33db90ae35e2

SHA1
80786af76faee8c5776ba1faf5bff168bf67249c

SHA256
7ec357705623db10c9c891a4dd6bfe8024256294eb87609f530f2bc93db5723a

SHA512
b7eac9d7bb1c1ab1b6c7774fa3e56d68b1b0077b0b0d4e37c31460295aeecce4599b85262eb12f9e26639a71d5768c043916fa4cbd5ee6b1bc9b24dc0fdf357d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
735d157ea919306cb1fa2e230a2064c5

SHA1
3c752958ef957d7ccdd05d1648da77857752ab44

SHA256
e73a790ff4328ab259e4d9c7c5ea70d74ccbcd2df7c1e02f47dbb20e1e5e30d2

SHA512
cafa5303d6de9cfb2e53c4ac7ffc085235f86a3200beb48014209245c163ecd6c4fe8f0d34e72147f963c16fa44d7f548ccdc80bddd1bb666347ac34981c36bb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6fd7938041146b0462216ec0d0c36448

SHA1
26a027f33f3e52d0fa032810497128e01a91ea46

SHA256
852020b2fe25306430d6cbfdd3c1c3b1f035538aa889ca267f1b4da34222d667

SHA512
99e67138e82a02afb841822a0250d359149269441968f95662b370658371caa2aaeeb66fc461c6868b1e81fcd4541d9b8795d347f59354193f5807217dcab41f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
faf4de55880915b4ad4fb9ee2797ccb4

SHA1
86b000465c84e9ed685b95305bec467a3f99d32c

SHA256
52f40c08e37deff85a6d163f793037dcd1b843b250278cfd6c04a7693d2c4e59

SHA512
ee52eae6e9cf918fae162b44b00ccf510da40eff76a9bb33b0be6d0d74e078d6572a46a4b689e2d86f0eaf5bc8a4ee5b83bc8159a1ed5dfc3a899e13948f9dea

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0a7a373d81dac559eb768ff7fbae3d07

SHA1
d342a9efd29b89354280bcd2a1ab32553b604bba

SHA256
ee13ff4aa05c056bd646825f96ca4d9c1b48bc69592861885ee722283bf7d794

SHA512
10adcd7587eaa06778e047e5f09b75bff1682c2ae5a9b47330b98e4131311e4185caba5565e3f217801f852211d71ca25910f5cdf785a375c61db5eaba975f4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6c7b1fa3769881e5f569db880a1ecfef

SHA1
3ca65a043134862845c18993db8c4e22934cfec8

SHA256
ddd04055986beac44aa2313c04d124cd9aa5cacd96022ab4bbc5ebe4bfd4b1d8

SHA512
549b04f225fd6e658929278680bc8660ac722d4c62bec700e25d010618af09843d7032e11f6be03d78a0136a279e024e096d07efe44d0bdb0449a49ff52a74ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3d1161ea9abbb68d866346312142887a

SHA1
80793948309fcf5d386f50ae7a4c0007b70e1552

SHA256
8ceb835f1ec1586a52cd5b4f09d25165485da6c54ea773e23a2bd46e8efea96e

SHA512
446e98b44ff881e5f94d5ac867f23e8b69660036f8d920fd17bef924d32cfad0fad28674845bebd58ad679d48b17762b65830064c1e6b5bd8b23eb3401f4d003

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
92543501d87e4a308d52fe23eb20741e

SHA1
92ac55ca4b262595e5a1990f3fce278ce47a23a8

SHA256
1173f93ddf27dc9e3f32120b0fbb409c5a421200f80316cb0352be90cda829a2

SHA512
dc22a838e74576d77221ebe94bbcdaa2106dce7b67bc9ca70b7b9a4b298c946db7dd1a1031a50fa028a5841f57a7add0c0c8f09e84647890fa220a7b001d3c10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
8ce8a18def48e8daba12a868cf3e00d9

SHA1
1931a487009b86ba8d5a766e50e4d377cb66441f

SHA256
03af9b4e57bd90c6bc547adc34c81689131ef07e4179e6e7dd5d1a7545f2c8a0

SHA512
1284cd20b9140f172543c60b096e1cffd98a62c55bf644612e6fddd8ece37c94f920bf1a05e069d7dd96a256c6093cd7edb856829a260110209d0a5e8c80dd02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e485193ec784d412d2cf5f363a61a050

SHA1
7e3e85fd64273c9ee119fe0140d51eb13f25615c

SHA256
4582c1c97868ab70be35e5e3821827ba3bee88fbf8dfc6898f00cb7420147aed

SHA512
42144e93f079094ded470e828545175dc98b9b1c318e6b17008d055aefab595158c089b256a1d82c9e26c71770bdedbed9e2f8bd66a599428e33ebbda4cbab8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
addc444f14ffd22b603eccedb440461a

SHA1
fc6ce5bf2fc4716dae1e835f78e10fbd6da98781

SHA256
67c2ea3fe86ff30e3f35e1bb7031c30120291280cbfb66929442087e53ded03c

SHA512
d3e79cf120ffc0a538d9026033edeca6a6c584d72ea487681f88ed1c83d431a6a2379e060a8a6a05d0b7294aa2d38274093f0e18ab89ad32bcf05d9bbd5ba998

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d8725ee7ff7e3fcd2b69c1a9b7973b89

SHA1
30498c8813d0be679057327c3039e4f7ebf77d90

SHA256
e1088d3205742680de4f6c781c7fcaef73059307c570b33e3ad695be637ff032

SHA512
45e56a8ea937c542524800b9e1b9470d3f4f9aeb4c47f40ef79a87fe12aa563b0086ed60aa7c3d2f223dc3d0252032ec7537dbb07ab960f885208020f23eb9f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e22430656962317d992174d55326a500

SHA1
1d62e464ae9916cb74732f17ea289852a98e5b49

SHA256
ee17d19d1a7715f5d2b5fd676dfc66bf8e2ca0f752ec5dfd0b9cbf2372938b42

SHA512
0caf570c6b568c73e26edc58cf0e4c90dca62f9e27e840fdc9416299312026f0f83ac1964683cfa16872be3e606d3b92746b7b07d8683b6ef1e9c55ad224e0e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
db498c353e773ec355614457a7d33bf4

SHA1
9e80f7d25e87dfce905e680093ab192179158c4a

SHA256
9ec0b3615e08ccfb9ef6e1d25f4e2853d2b3311c18d3033970221e29789a0ee5

SHA512
4ef6392c94973922780782ad88eda5dbcc168e8b0007cf805cb8ee76183dd1a95b9a4f3e03c9d50b35b963ab81a33972380c428a8f4f6a8f21e87c8b7fcbea0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
65d3d920aacf14046a473396a54d5c9d

SHA1
a1dcbd263f9923aa318672be29d23401e685bc78

SHA256
181cd1e5b1db3f2d5bd7146ce2bbfe0f5377dcf9cd351ec12eab36cd4132aaf0

SHA512
b86036dd3ca32937edf1c38940e318f73e71644f7059fb000eb35860371126894a9b260d60e370e200aea31aee614d6717737af2283e41cba3dda68c0181e932

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
3f20b35211e03bcead07598dc9361628

SHA1
4f133e57f135b0cbd2cd28642c1d10fb200f2e8b

SHA256
3480ab39c452795d0c10443f4d223ab3073f1946b3be346ed9c7c201ee37c494

SHA512
dc151348ebbc808be104cffa753926f937968f76a19ca99486a2ba097e1b441041bf851b8649bf0a05c5abe599c62f83f4a1f3f14e1ef6be255c0bc23bc443ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2e479e389be80220078277619f39e87f

SHA1
0c99585aa8150fc830e5fe3d91a0679470eefc78

SHA256
951fa4013f99dbd95e2c4d8ffc898bb0eca7d8629e12f5383b8dde0e6049823c

SHA512
33174d15ac9f6261f711dd90e0139cda4fdd8f6e2f180890dcd0932bedfd989c4a23e1c95e7cde1f745dec900bb3e7a462322747c598e8a7b466eeddcf39efde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6ed97771437ea42cef776b0a3aa13fc6

SHA1
c815a3fc6be8de66be3e835fbb40f284868f02a7

SHA256
9686a4af7686f6cfe5f593156a5ef08aa7502e1e680eb687bf36ffd0af15714d

SHA512
dfcce863809a59a9d77d497e6eb5e1d950fb0a705ed0730f0ca19fde5b093b3da01f4beac9a727361c528daa01707d75b075193b0e8e0e2da02bc4618131c663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
86494d6750b39d062bc65ae4a6c87d95

SHA1
6e22b0a0787ba63deb00d49bc4d08ca604272eb4

SHA256
649e6e9b40cf0f63f463a691d664138a9a5d4db91a8a9b283ff1326ed96f9e01

SHA512
baa21a25ffb34b74dfecd4883cd0966d3d7cfbdb60e6faeff0b98485bd5db061d2a6e9a870c3a2a54c8caff6e8bd0dbde1f296514031e021a3be9d51cdd4f46e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5a1a4108a00754d6d92eec80e51e41c0

SHA1
e8593e79fa65f97dd3c127756b8b97bd4cd07ea8

SHA256
f873ee9441b41fcf16341109f5b74375f10f5914a2b382679a79ebe8d507a617

SHA512
24b92849321bac371b9ecc777cc8483ae4de06f9ebbd65f4e68010bbf0e0692fa3fe913b220f77042ab8bbab57deea819ecc8535a9b48b20f9457fef01e12936

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
17103de6036752eb6692889c84579a02

SHA1
5dd8f5bc8898984f2f94c68b6933702e4cf5a0d3

SHA256
bf08415cafbe3a04d53129b54953e45fe0b5cb2b756f85789a95d41bfc6b97d3

SHA512
89b141f0e01bf1af86f9bd1ec828c18e8bdd90ed23edd55128ac31a303edaba2404f149fa9f3b9ba7222f382ee8a234cbf2dddeb33bf76bcdb0769ed61328e4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a96536e83878773f7b88a421452ffeab

SHA1
4b4f6545bb02d4f67a52f4083cff945dc03d0c98

SHA256
2666421ba002eaacbc38da4c9c58cd35a4abc9cdba710d0394282b989411c93d

SHA512
4a2f145376fb5227038bbb85b5114ea4003e963368c7df6fa3d9044b1822ec0006de7a1c68b9ccb6dd6c58daa6438fb0fc0d097f62e887f09f92c7d92d8b290e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
50cee75f7050f8136ea188e115e17e57

SHA1
7cbac84a9ab7dd1fd99127cad44b85ab4ec9aaba

SHA256
fcb6978a28e79f6276b4f0db24f549e637e66552183fa27e1b623d6f00c3f6d5

SHA512
ffb6ae8f6fa4b683937a7e4fe57ff2e9821b69ca10525d02e01cf31ed394eb6e27a171a9661ca219119de731e8d1c1560f9a646d05d61936debc53729322ab88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6491a6dddc884974f9d941d3383ea890

SHA1
7e9fcc8ad35c097aa681163a32e76583333d9806

SHA256
b1158dd3f3d542c94393dd08bbbf89e57fa4db6ddfe73f0e1a683bbfce8c31b7

SHA512
141b5798168df07d58484bd6e2de0f4e4455942ae69bde15f08b8515e7ff72ae1d1896628b67f9d261b800a5797b099499c0b373b1e3ca0553288b11205f6469

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
ffcfea0c8679fe99dc90a86c983900eb

SHA1
56b275ceecd883c2a57c795102864085f4723217

SHA256
24b18bceb3fe5a78214ff4ed9ced327642d0eda0c812935452af84ee70208bae

SHA512
b1186abb049368328217b60e979a1a877d4e379852b05dc542d20d2defde34ae9aec6109abe40b6bd47c9e7eaebde2071d86c12fc3c2ce5f69c38d5fc946e9ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
f69798c1b1110890f7ca897a8b0c7639

SHA1
57239a419a6ef967825b40d020c4c2e1f069af78

SHA256
123eca1f7f7186897e6967097b3742c678624d8fac2ff5592f20dfa805237db1

SHA512
43f74a14b06965e87ba4c908164e18e7f86467686f6f589abfaf1dfd39b65edd5a622feb857a0d1eea3bc5cc4ed84732656310554e1262ab92e9ed22d531a260

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
6f006f7254998c65fe61f866f1b3c057

SHA1
814255b33bbf8e5c11b0bd29dc3decc19bdc708f

SHA256
1647adbd410eda2825dae399a1b3381dd64029e3ca736d5f2dd4fe79d574c832

SHA512
66661d1885173ab53a5fafd2f6ec30754ab1573d96ce786723761f1745186328254927e75b8207f851d417481953607f28a23819fd5634a4979722ca0a161ba7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
96263cf032d5969d50a372474bd18f42

SHA1
b138cdf43dc9ae69f9a9ae171d5714258c1bcf3a

SHA256
aa2a8b56602ec547c322f0d704737ce876baf9abf4296a45e9903e7dc7aa5632

SHA512
15dbfed0a6e1d546bbbd8da22b38f1f6b712a5e4d747d044e8da7c93a07df4325b900b97571cc0544053e255d7b8c0d5f6f28233a4f606ae9ce0a3c16f3591e0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6eba471ab0f5801c879cedbdc3babf28

SHA1
661a031d711ab2dea0264f71d26cad27d8e042ea

SHA256
2c86d3d9e5310974c927067015ba01f32f1a9dad3e67eff3a3e65dfd55796d84

SHA512
3251194ae08cc0038cf3fed5fe2074e674b4f66ed32fca23d4a8b2e904399fcde0e36cbe07aba95f497a0ceefc99252dc6fb0f766721ed48fb60220230b7d268

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cc5dba270f1a45ade06cdc31955f5df6

SHA1
8d4278a3b4eae7c99a395c29417ed438252eda1f

SHA256
709873f2063a97e7c0c0d511b6fa81ac843c59b534e6e19b1cb93fbc88fb87d8

SHA512
7776a9bf95aeaf5e61c23d40a49a4c01f791b75c6737c16bab5ad2c80f76e55702e4fc55383819c8d4f7da8b7964576027886399f83302494b3ab60ed04bb125

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d60cd785ec23f7c220b96b07b5047cac

SHA1
b3c3dfddb09534f1ed34238c0bedc3c6c1b094b2

SHA256
01dae2b8b212f8bb76acdddd36b677ed3f592484cd146b1793049d3d15d863fb

SHA512
5f7595ec4b0cc53c0e929dae466b7b9d9dd6559c93aaa4dde9cbe7218148798375e7a69bba86e60a4abe4da283a2f1ea656972a03d4dbd44feecce1a615efa2d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
30d74adf6a034feb9261aa9b7dbb8b8f

SHA1
aeff2b34250fe20df6c9f11af86959be7191c8ea

SHA256
82edc4d81deb4c18cf1c472558ba33802e09ea2cfbc7f1bad548ef640e0c9616

SHA512
8b4c730de4a6a26e577b60e8aa9f0adc5cba965d42b93ec255268ed98a847acfa45f94227b1d0a6370b6807b4a9135b7bb314e61951eaefb6543064730443b85

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
05b84613a8cda7571f326ac15bf28ec5

SHA1
83e9b177588e8eb4cbeeaf559ea4c5cb6b1a37b4

SHA256
5fa824c13979f9e13da9b6824a8bf4a8ac1e938d0a6e2e0c307cfb56594ae684

SHA512
a2408c134d835efff42123e88ea2b0fb2a4bb197e9a8a61257b92d60082ecb618d5d8b9583c2e80cb5fa8de244b8fbfc1f7a6255753de70dc7ce3aae9aea1297

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3119bf913312a104839f30deab44e3e4

SHA1
2d10c966471f933ee7b88492ae4cf5d658ea4be8

SHA256
ec96281eba0e90be37eae3cebeae06f03a4644fe25addf3710c3a42a47be3a31

SHA512
9068c90731841fb5a898540ff1bffb9258fa30b84786f3d8d19b5625535d3c46ca07028ca6644b27bedf1c31bba76fe67d1c98bfbacebe6c9d583340c0d6bd2a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
64deded0c4975af4e039c6a906dca98a

SHA1
afbe91a33db50d895bc67cf102c0083715b46cff

SHA256
930ccf0eba5a3945dfcdb350d2780d305eaef34c638f4a37d3cfa72083931314

SHA512
3aa61eb7edece573f26a50c6a76ace11ef0ac9ce0a03fab4bce27a53b745632c7e31ec2d67882a6c7077629d327162c555bd582097e24873249400fd91e0fc19

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ecef9a81e476b80de5746891f0b33664

SHA1
a557262f8d9759c086a53f73a1764a2ef4412222

SHA256
886e71b81221eb0be2604d019de89969a6037e81cdefa44c1ba01b8991e28387

SHA512
80a5a1db25d12a34e9c1255b6c2be200316da249240ec1c24a06e3e3faa839733cd6fa199b3516d168b42d047c6a22f2cfb0aa94ec085f98c2fe0edb97968027

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5580c028c48bb81a0ee20b4222319ac0

SHA1
96d7be10bb45fbcaa8c60d3eb5caaf18d6dfbbc8

SHA256
cbed0aa88cb186b340ddf4d6acdaa7f461bd956ab1453fb05bd197fe0456d82b

SHA512
7d353ab0e6282cfbd11615d1d942b2669574e5449d7158e226828d664ce4e12614d47f8bda4a996998b35626a28f66c5c7994e76a4c9b0781dcb2dc9aa0a9851

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4705c1167618993a9555b91d9a8366ce

SHA1
a68921e9530648282be7380881ca54967e5a3ef0

SHA256
83cc82ca7b22ea53edb7a618339050c30154ed4709a9035b7bab9f50798f98ec

SHA512
403b218724e8c41dfc983404032417daf86721918cf95ab9407bdd95f260d38b30003d6ec33d868c76e7ad1724c2ff17ea3409158a5f4a4363423fca2b232437

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
de9e2edb7c8172fe97488afdde3c8867

SHA1
07645da7f4ae83b64543dee2d14bfb5754a8682c

SHA256
ea912dfacabb18214588a30c69d5130bebec27b7d5fc0bd842a90935dedeb17d

SHA512
08e8f46225254f2a22b2977f7a209e971bab56dcdc2204a407a64a454a2c60bb68b8b36d712245ce658bce986f20b18b973d714b4582c41e0535fa01b9adb8ae

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
143b1478337b576263bffc13830add1e

SHA1
d5a275530c9492a64428620e8816ae4d1fde309b

SHA256
d8b5605a400be8ca7049d1ea6354135f99d05c6e08f7e988656f6bae1ad86445

SHA512
389d23d4ace75c2f3b702acf9920b417405284be5ac858d19cbcb5e32e193bca17d35bdf3f6d9aeb06d0089ce56ece787b2bf71e473fe0e7e1f93440fc038b4a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
11fa20871d2b6aada627c8900e0159fe

SHA1
c43f0e400468b8fd3b5feabe87b5c4b207b1701a

SHA256
846c38871361c6b0fc539ae748325c9a75b38e1f548a155556c6544a2cd8a255

SHA512
df998dad67b1ab70a7929458e4e5a3886da0db1f441221a88da5172b0450158d237fa92800495cfe61586b078eba6ab0dcd8d26b8d04a7432b6872e89930dbef

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
507ab64cb099a240a8c79d9ae7e183e7

SHA1
e5c8144f62f9352358bf0a8bac2fa18b076ac29f

SHA256
f3f647eea8701c507722668c99e5a1062fbeea770297fc01a99e70209855dd95

SHA512
4687e4246fec7a2fb24b942962c423eaf7b0e766111f24d5dfe42a2fae4551f91082b46163527eb0530a059e3477c5d6c7f3b0572aa7a70ef412ec1c3289b7f0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6fc9fd61dadd8b86fc62b6d6ec46c51f

SHA1
dfd42c1f927d2b8c78bb0216722cccf2fbcb38cc

SHA256
a2baa4db6ff160ccc725a94882a3460e4b70ac303dc5fda8912d57a37bad3b42

SHA512
ecba4e8a6378a132be627d95c4e09f00f549e404d84c330057b064e715960c5266aec78e2880cc2a251dd815c28021d4bf67fe0c5218ccd79b53286007bb9e66

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fb8a361246e6deec95ba1c699d733f7d

SHA1
99d21b11e53e44973cf41c70da498c92f4f9ef60

SHA256
e87d6f2cae2c12d1ccd8e27b1cd33b8d1009591d415066ccc4914fda3a2c731f

SHA512
1fd92d8aa44f4d7011500811a6fa892f859b9f6aafd5cbf0430ca97f9206a07fb5c92a584827e70fb5c79b1ae8401c041ac5ed10f406ac00049b4e4a9565f8c3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
da9b4de2371f4cd492f04bdd123021a8

SHA1
6e73d8805ede40fce2a71dcda387b01217605495

SHA256
8562c25c083748d508b046c2f51fcfbff1bef4b44a2830a2fe1bf440c2d25a36

SHA512
afacb208acfdc4cddc5c51c050a4e57b01d40b4d26d38c38d5b20a60196f5e015cdc5869510c32dcd75fa43ccb1928b526c023282c1696a6501e4fbb3894823f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8832b0f34b514dd0f38e052f9aba24f4

SHA1
3101dbbf9d2d9bbfa49b28ea2e07991769dcf838

SHA256
50cf5069b77444e5f073b2179e96d0c1e8b0ca52499fba2f7b5d2ccab7ed4ac8

SHA512
60b98d37f8048ac54a3a4cac6e8c11564daf928b2ae4f9ae7db485e8c356a304623e2db003abc5f2f61a8e4d80da7d92996e3b4fca29328d05b2243d6eb916aa

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
18a572258dbe3489663b951e3a5594af

SHA1
333d92ac4e57d410f67d1da890213106666c10eb

SHA256
453e5e01ba02c79b407f5e6d1b58afb3afb90269d7492f064b4f2fd888a13c9f

SHA512
99efdc477bef265d533690ec4c4210938f8049cf42ed163074f3ab3832e8ee884fc5f36a53fa203f52cf53dfb9f6ce11aaa20c6876bafa86fdfba977d20b8b18

Download Submit
memory/8-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/8-266-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/8-260-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/8-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/60-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/60-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/60-544-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1424-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1424-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1532-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1532-551-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1908-554-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1908-333-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2080-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2080-430-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2276-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2276-548-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2660-553-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2660-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2960-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2960-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2960-39-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2960-33-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3188-543-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3188-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3228-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3452-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3452-252-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3624-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3624-556-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3780-8-0x0000000002270000-0x00000000022D7000-memory.dmp

Filesize
412KB

Download
memory/3780-1-0x0000000002270000-0x00000000022D7000-memory.dmp

Filesize
412KB

Download
memory/3780-28-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3780-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3984-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3984-66-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3984-56-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3984-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3984-62-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4140-248-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4140-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4200-547-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4200-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4652-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4652-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4652-272-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/4812-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4812-552-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4940-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4940-26-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4940-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4940-238-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4968-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4968-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5004-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5004-70-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/5004-243-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5004-76-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/5100-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5100-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5100-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5100-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download