0d72677768eb19b21435fa37533de2115ca6b7f645205f73dbf651c659854205

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 13:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
Size

1017KB
MD5

75c32deb7ecfee240ad0116dc570a09c
SHA1

b75086ed6b08a48718dac08a8f344dfb34cbe1c9
SHA256

0d72677768eb19b21435fa37533de2115ca6b7f645205f73dbf651c659854205
SHA512

053c76beda3e69b72dfc7b2454d633f37a397f76319b7b43d3dfe67efc7b9381b222ea0e194a9a792b2449ee9cead8fb29e926a3f42969d5a9c72879310f3343
SSDEEP

12288:K2lWRPhhA9PRWg9fINk7k14+gYZ5UaiAPqF0JZI4GPnmNbIQ/qDJSgCmP8i/:K2lmh4RWk7SgdEPi7PnmNbJ/UUgCY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2676	alg.exe
3624	DiagnosticsHub.StandardCollector.Service.exe
2236	elevation_service.exe
2868	elevation_service.exe
1640	maintenanceservice.exe
2320	OSE.EXE
400	fxssvc.exe
5004	msdtc.exe
2324	PerceptionSimulationService.exe
4436	perfhost.exe
4996	locator.exe
1996	SensorDataService.exe
3044	snmptrap.exe
3208	spectrum.exe
3176	ssh-agent.exe
2980	TieringEngineService.exe
1584	AgentService.exe
4500	vds.exe
3808	vssvc.exe
4284	wbengine.exe
2704	WmiApSrv.exe
1572	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8e5e997f971c363d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105906\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105906\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000302d2b83ced2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039914c83ced2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d493d082ced2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f51af982ced2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4d81484ced2da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3624	DiagnosticsHub.StandardCollector.Service.exe
3624	DiagnosticsHub.StandardCollector.Service.exe
3624	DiagnosticsHub.StandardCollector.Service.exe
3624	DiagnosticsHub.StandardCollector.Service.exe
3624	DiagnosticsHub.StandardCollector.Service.exe
3624	DiagnosticsHub.StandardCollector.Service.exe
2236	elevation_service.exe
2236	elevation_service.exe
2236	elevation_service.exe
2236	elevation_service.exe
2236	elevation_service.exe
2236	elevation_service.exe
2236	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2812	2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
Token: SeDebugPrivilege	3624	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2236	elevation_service.exe
Token: SeAuditPrivilege	400	fxssvc.exe
Token: SeRestorePrivilege	2980	TieringEngineService.exe
Token: SeManageVolumePrivilege	2980	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1584	AgentService.exe
Token: SeBackupPrivilege	3808	vssvc.exe
Token: SeRestorePrivilege	3808	vssvc.exe
Token: SeAuditPrivilege	3808	vssvc.exe
Token: SeBackupPrivilege	4284	wbengine.exe
Token: SeRestorePrivilege	4284	wbengine.exe
Token: SeSecurityPrivilege	4284	wbengine.exe
Token: 33	1572	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1572	SearchIndexer.exe
Token: SeDebugPrivilege	2236	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2812	2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
2812	2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
2812	2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 4980	1572	SearchIndexer.exe	114
PID 1572 wrote to memory of 4980	1572	SearchIndexer.exe	114
PID 1572 wrote to memory of 924	1572	SearchIndexer.exe	115
PID 1572 wrote to memory of 924	1572	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_75c32deb7ecfee240ad0116dc570a09c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2868

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1640

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1996

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3208

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3912

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4980
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3c6924f4f37f96e8e27e7b0c99b0c1fd

SHA1
cc1defa2bee216284bcad0d6051ddb40150a2b15

SHA256
13b5326bc06a10f2e37126bc72d17a30084c13fb5149bec4eac2382f7c92ef76

SHA512
0d32c6649f39e925de824cdd86b5b4d9ac05fbb723bbab5e8fb9a45b45e1767ab9647971ba6a901caf01c750750e1e4f0e1c623622076b9c6697096ffb0cd756

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
6cbed12a388f8a373c12f0ed92561d24

SHA1
6d030b6623982ce68db63ec944fb5c3a84b26dcc

SHA256
12db7534b56a0fb9aade785ad505546d8d3ef0b06990efdea1fbad2ec1a8dee8

SHA512
424c2136df3a077f73119e044306a0838f0914f41afed8d277780aa67a2bd98841b41ed163ef6105d9d9e218b329ec3aa5b669b139394bca51d5d559cfb7eba7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b44ca72fd493eafcebe1c2de32208a34

SHA1
8486bc88fb94a221c2176714bc0d1bd35ecaebda

SHA256
d9ca68cce0e2060a3cb2407ca624ab5c03334bedff533ae1cb818e4ea3f51780

SHA512
521e2bb991247194dc3ae488d9614ac2f0120be3f7f0b4fd7a924be39b597b3f14272c4c4176a25cf5f6bb201b939cad405d72ce955e73be8ee1696dd934d101

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a3a916eea3c21249fff9c7dc83c8048f

SHA1
7ba78aa3a98cf107d2e79fdbfa7b997718d6807f

SHA256
65180dd3fc2c030a72303bf9591c6b6769cfe5fc7f65c42183e74b90703b6d1a

SHA512
204868f5994b9f1838e94d0cadfcab2aa9f0a6a8c9a0be44d7246efe9aae19ad1825df4af0348301f83388fb1578945467cbc2339e58896b7908a7314f7a0e0b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b7698b1efb230d1a0c4e354ee854786a

SHA1
f9e96322f22a251f1517566729cfbaebbd32e59b

SHA256
11ce8c9c3c47b975541b0d59232af543606be26807fc19ec3d83f6ea9bd04979

SHA512
63ede2f4db9fcfc734e6768ca64cb21b221d3cc2752655e63590eaef5b4c9507877bb3f2f316a44137b32f2e4adb5f5dbd106ca52174830265d300361b35fa09

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
930a57cf3754e27dc20e2abaa65f7c4b

SHA1
c4ea61b04190c36e82782e9b5e6f6179710f0fbf

SHA256
ad9b76c306941c2d95762f0fc40376d1418217ba22ef3360c3d2362e0576928b

SHA512
59534de86dda7f7238c8fd2fe98d14a7479e1c09ea29850e7ab2208aee77cb7bf20de526a4a17f7711ea9f2636e01fa178879e65b1939653fafc1c2d52286688

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
04a9f8e28a80d09d354c17d8128ca2b0

SHA1
19d0ea02c4204bb8fe9dc53445fd8f8cb46c0142

SHA256
81583e9d9c084b7b7d02deb03afe51d8d08b233fec28adc31f8a7ead7b2f9a1a

SHA512
c30f922f5d53ef952dd52f17ad5ecf7796e668eebb07b715553e02bb9c56e9075c83d7101fd7a15ba3b9a6efbc973b97f027bb86790aaf3b2a8f26562d69dc0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d40c47b8259d025f0de2aa4219ee4318

SHA1
d6114ee8ad975f4efb638fe4d835c2611b4b2bb2

SHA256
fab149a9a5dc21980e85d87e06c9fa926451f98a82d5078767bbb91f28d4490d

SHA512
ca9bea1ae64eb442216945c2f213ccee2dbef12aaffa2ab99a37a3f006f99da731637ab86a2f74e1da60884b01a10cd4acfce1fab31946891317fc5a6c889f02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d6fbbbc22c2393d94e1189af5658117c

SHA1
2e6fefc2ee99f31bd3728e254467a609793a9626

SHA256
d734cc35288d63bbcfab6e2db383d90d2fd2e679d392a13a216eada89225a240

SHA512
138dbc053d0291c2156fa33e2667eb6b066521846053391dab13f1b35ee893ebcd1b379f19ddb7624936b516fcf69c393038d1968a130c9917c0c650112e75d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
14901610c7c54cfc5ea7351ca5ab5f18

SHA1
a1b9f4eb59104a61b4f506fb4dc3e0912c20d83f

SHA256
22ce03153c9ab9d0fb2cacaea576c7cd871c00095e3d274b34bbdf0533733227

SHA512
3265e4b2858193947e7aeb00a6c925c9ef8fa7e9290b90dbf6fbd67bd3d5a68f32a02979fc1fcb27f3fbc848a9432f2bf14dad65f81d29f0dd1a704648d1725f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d7eb7eec73ce389a9475c1eef2da1909

SHA1
70068084d2d031f4f36c5295940b49246d7df8e3

SHA256
fcc91034c861a222db619b5bbf89a268cdaaed0b633d294ef9385868ae74fbc7

SHA512
23cdae3aec59500f0447f55536f57e80b2d9a1fd24c60ca811bb88042565198bb9bc5bb41a9b1257241bd409c0ee5dacf8a9c9d3364fc3e9e5bf8d543b19baae

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
81fd7483f693b241188bc5bef595b9d3

SHA1
b160fe98b07798682917491c8cc265fbdde0dc7a

SHA256
eee98c92b3e5393c72fa446989a91dd64b5fc9dce42be10580f09e448119d520

SHA512
b1b53d6aa5785bb408e3f920db5aea6119659967b2f3ed1c995eafe6ea962fa6dd885c58d2ed7bb1185cfeffdb0960b3880e9442fe0998ea3a55f102c92f25dd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0b699fb1916dc14d69040031ffa703aa

SHA1
1c9669b6675e46526c6e4ab2ebc35b5cd3003955

SHA256
c2a67095c05416dca6ee154314a82fa2db763eb565e1302a6c894239e9067a15

SHA512
5327c759569aad6a3bb286bfd38076c58d1736b2cdc0e8edea4a4458fff5087ebfe2759dec41c83c5873af63a1e76969dff88a2d46c6d899cc5d779ac31c9979

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
42fab518a7a2e102ccb5aa0f26a167ea

SHA1
9bd4345ee2290fb020a27d8a7131c0572039623f

SHA256
067a4da45255d3075b9b17646daae944a922505469c7105b57938e729cb0f8e1

SHA512
0019dc39611281b4bc8259e2eb0f02c5ede17a355f50d8431d487696474cd6191ec7fa610591ba59e2fd19f4c29f3d09aee850fc65ada18ae3eae097e81cbcca

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5399ebec4df7ad4e8eef1e0645ba2aed

SHA1
69278fe3cf95562cf437b50a7b75becb5397c154

SHA256
1f0d81986713037ad7ac995a150ace7c9ea85151e9b4582f0229936888befdf8

SHA512
82941a7da770ccaa1d697034eda8feea2d7a3747a20a59ef21f19bb2f9e8f495652fbb2f85ba761c18418050c6c3663566ee4c5c4e0574906fef4a80a21af713

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
0e538f74d9ed323f8c5526cc774c545d

SHA1
2a1e918dc3f2575dd582adc681f750f34372c605

SHA256
8ebee2736ba5edc3472089a8108b92005597590509f43dc58009b35d85e66790

SHA512
bc1a2e1b8eddbc9ec9310ab9c6acdb32fc4f9e58832b0a3574a41d27fa17096871cb0a6c7819c690126306ecf93ed5d0bca6d2d0da32ce6a46471adb8c542bd0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
683b0d598afc714df14948e45aa8b52f

SHA1
c1fde53851fa19e3e323dbb85df7db49e5230d15

SHA256
efe3d92b2aa3b9b702a750450e69bd1f4b156ad2b7d3e80758a2199e86d9aec6

SHA512
e2a1dbfa420eaf732a1468163ed4945142d6dfc17acd7328e3a7c51b63066a7c828b84f9064be3b451a84eaeba089d9e681dca78e3a661e1739c2a5f4512e5de

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
6243071cc1a179523f9b92059a574e81

SHA1
4455cabc29fcd5ecec44a6e628daf979060b4e80

SHA256
d5049e9e91aeb14d8d1aeafe6aacda9f1a0fa5101f8620aa234b360fd0cf9a76

SHA512
34fb656fd5b775a3d9765eed6d42248154fee98e72e30b82526b6834b00a2e92934e733ed54d89ecae653395d4727b66cb35bfbb88a2cef1cabc42121bae0a56

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
33fbd7bc6615bff47669d167ca9f7ff0

SHA1
722bf663f63981c5e9cb1f315e4f15d9b845ba22

SHA256
9b82de91e2a24eb92d854d2be4060dee4600ee80554276d01661624decf9d84b

SHA512
30440bb63b29ec696e439946b372e2efc503270a75bbd6054b24abf116e9f7925e4f7e1116214ada86d4d050c95cdba174ec1be9e14ceaf2dd8b0502c6cabba3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
08717f582ba6e673de9670d960cdb033

SHA1
ebdc1ad454f3a8f8f43727d92fd9a9db16305168

SHA256
ce7211bbeac74213db775b59133a29a617e71f8b1c34dc209270c3bc703925d6

SHA512
aa3e6803f419b45b3f47be02252338eb03cdecdffb9cf4bda9a321aa6689b904fc91d36aa5b2830e98cfd8503534b00d66078766709a2d97ab6a8e29b24279b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e394aeec0d162a1647c6a2af5ddadc85

SHA1
54f662381b35e21b096014ceca4a5196216c6bd5

SHA256
69ee792c4d472cd716bd191d1919775c5a64516bf774968e2ca1c61d53008953

SHA512
010998d9bece437721d3c802f8cb472b63a99422876e4b317b51aa4df644fe789eed384d0a4ae3c76313bcba19ef16095241ae5369ace77366e6df2b089bf02e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a9da049d045d788024fa7d1b2344eb05

SHA1
670c505b700b52c833641efe002233339a71d388

SHA256
e217857713993ec9117d2a36b1983c70548830e2dc5d3e962aa0e3c41962e07b

SHA512
8865ec28039e6a00db9f0b3c57cef0842c4a35a0ae3ff610d15195ca97306e9d53260c2a3dfcc3d9ca7dd0c2afa206daf3afa5496afa198bcb21bb810fd016d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c2fcda81513eef6216aeafe3e8d2ccad

SHA1
42d6f858d4a93793b2edeacffb00f4fb02a6c10e

SHA256
dcc134bbdb27c9c2e6d25cfca77ed30de8fcb5845a02c66525b3da7fbf20fbf2

SHA512
3a40f8d2ac198e97c39d219c7377b45133950a7a1bf0ed43ac985e597118a76f21f5492526237a9e43c357e3ffdc3077732030c243338dea66ac2ff6800bfa11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
267962ee83e5c6872997f5c762bf434b

SHA1
2fe11482f84a5db3c6a5a8a92fd50b77e5d3b90c

SHA256
8925b1b7b6b88c930d384db1e47846c3627b34c7b6ca729fc83d276e1b61292b

SHA512
d0f5f56e1373997cc41f45b5e5ea864135f48a9ef3c07c209e198bcc0152101fdb5136f70a6f8ce134e315249515b5be64c10aab8810d168321b495aa241b63f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a4cb22875a5a9abad198c0154ad94390

SHA1
926ad1e3b8e8e85bfe44449fc7f5eb511d33a9f5

SHA256
5f9f488703c1a60a6612bbc199335e6fe5386624369c2664d61bceac3d986599

SHA512
d4e6c46bd07128a8ae2f55a2a825f7a98c8f4847d9a77528b592d51993e9fd877b4f36219ec0a978a51c0e05da79e9b3ccebe57e3f6cab9c5b37a33d2c816248

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
834cfd3654a49820b6f912d641a410a7

SHA1
327b23f458a3bb4673cf68475cab8c3d7b20d761

SHA256
16bbae832ef96dc666ace6ec83b8f1d5cfc4df5a6d14415fc7430456e8c12959

SHA512
0ccf65ba800e93aded55602ef64370d41079f927403c944413b24983b02a3eb7121cb2666470e7de6f3dfbe2384e4c546ed292ee5788b5a70be0f3fdbf91c00d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
75e53ef7d6674e1e7963ae482a4ad807

SHA1
ee2e6453a4d4d8caaeec94a2422c6ad890083c63

SHA256
2138429e8c5b4f18e1fda77848688fd49b16e1b4ffb0d19a216281584e8c874f

SHA512
0841bb0aca8aa47fa8bee5bfb1b0bd6b5a56ececf0b09da97066e773df7d69ceb2defa546d73f9872cf5e0f92c4ea278f4f2d9f48e1d7e122396d56e4f3a8a4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8691f2f6851e263ab913bad87e09d6fc

SHA1
1daeba18e15dededf49bb4a01dc4b95f7362a6d1

SHA256
37b6809d10945b0b701535daf9fd40e2ccbc0b8dbf6e8a8d68df735d0e2f30ee

SHA512
f46edaf40f93f05dd464629dcd169995ccb1576fc82f024de5410bc9938456737aa320b9b640ad8ae16513cbb7428fbcbbb0239d67df2fd2855d82814967a8ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
902d883ad857d9f5fa9a0df1291e81c8

SHA1
44c9fb9aacdb8a5eb13a161ce4f66078a5b2def3

SHA256
a4d20336618f84f1b68882bd13e935f7ee287bf30e95caa1ee8e4db8d2e23351

SHA512
fcb33bcd3391f810aa5dc95757d1b9966a37a5b647ba544f482f740d19429ef18fdb79585e2e8b188a540f8132c162702e432de75f5c9e36208c9749538b927e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4d73660c8080c1c18a3dd9858985ee66

SHA1
3f716a7adc687afc990d8485f29b083337731e1d

SHA256
dd13cdee98dd998bc251640db87ddd45b70dfaabb9328bd953962866899bdcd3

SHA512
4439a0a88a1559d27c0c4452fc34fd7c25ffc82984d2d53bb0493908aef788c6decded1625e998b531692f8741d32dcc986d08f00b35394cda142a82dddc599b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
19a930e07c9541898b3939268069ca82

SHA1
e264da64fdf71c3a020b3d9cfe2552c9892763b2

SHA256
72dbe99d6f6b374a6b72ec1d8f5b59f0ece2b4ab458bd744403c04a7aea6d15c

SHA512
dc365f9d3d6f4cedb5bd9beedce5848ec9d8ac092990b97df2bcbb260071e3e157c101becf9c9b7f79c18c13e26996973556eb34b168deb4212d67f4b34546d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4a803b630ffe12ae7f5460ba43686868

SHA1
1b8112d139001579501460ee4dd9168d76826964

SHA256
01046f30f57901d1468feb115dad82d12a0cfbfb74f8727653a9af788009866f

SHA512
72426bd2172a75ac0cc4e46f18587b9476d8595f60c8c27a956181632f8367d713426fd9d0148c9595cef5a715c5f77fd255569c3a63da7164ec610c5b34caa5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
d3bcafd6841e672bcaff4498e9100193

SHA1
a9c62d50599b3c6da89832dd4ebc54648b2a4e99

SHA256
7adac7fdd36959811e946a18f4add29e8d343f31defa3a0a4358b2507513b858

SHA512
4f345ea2cb45c4c09a053677e1fe53c8ee3ebb1a98cffb80d0781ee22b38dceb8794210b90870e0ed36ba89a1838ae0604c54f17fa0a898a58f7ddbee41d88d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e3f22945ab46bab31a9c678e6826aa52

SHA1
d108583bb2caa2211ffee90323d2a760b4708198

SHA256
404e889fa9bef76bfae5e4f0417493e2831f009bd7e1f05061327e26c0404ed3

SHA512
a24801a6f9aaf8c59b072c791930db435e4fd7b6ec97c535e68012d0ebe8834ee5a8832a96e383e3c5aaf05bebfd0cc3a8bb0f18457b9d9af3d6df64188293a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3070ec6d2e4d1017cccf7dad9b64b847

SHA1
6aa077c1561b33f848dcb937277971a4fac38746

SHA256
e7d67a143bcf2a1ffc01cf4bc00a9d996c77b6a4b1e34dcb4bd9bd4c836e0cd0

SHA512
fb2ee57914964c458c40a69eb5e5dc6ef2bfb1a0898ae98c89c390b74793deb8e634457d766a85ad0cf560c1e9b4c5a415ff0813f34129d55bc610dda5f0d42f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
71d0025a423d6e3d50143530842b73dd

SHA1
971c2da92e5093c3fbee200e4c747f27d966a587

SHA256
f088539d95d32fb2acd973e141bcfb5cb7a39a9f71e058de58eafe8a80b85869

SHA512
f8b6def5245afa011b25ac0aee5c1022c5334d1a069fb3d8284eadd410d866ea2b516391104632f9bb835dde7f607fafcc44c7e295b0541883142f489ac9d981

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
127286afa2f7bc168ac6b720bfb0dd70

SHA1
51534086c7d792c920682b7fa33e0c2b543e66df

SHA256
c17ff42fc0038b2d530f14fd6edf14e571a1c2141cb65024783efc3d82ae1883

SHA512
7c40e7a5cf5bc2ffb90f03b93b70930374be3489fb75a098c4997a830deb64abe3b45ce374a74ff6e8b5e092c9cbd74393317316c2d44f9c6bd1530c2d50415b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
b110e7092be21507117a313fbeee0ee5

SHA1
591aa4c3e5661b2b95430b72b6b67c77136c6cbe

SHA256
ec0e59e354796706b1226ded31a354a49417db56cf3315b8b4c88ebe0f51dc81

SHA512
f765f870e75c6001050baa5dd22e7f68ce60ce051700d6185b18690d51d3d07a5fdef0a4db612cc0cc07af03dfc450935c2cf611fb5ebb6fef56f86706408505

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
7b76af1f53776e737ae2634d4336b902

SHA1
2a105f2d0251b96bb9c92bbdfa16d6d044c545eb

SHA256
eda814256169a800906f89a514ca59339958373a2fa251a91d0b37d49c072494

SHA512
bac97d7f8dd2f75fce0f8d2c3e8bfd32babbb33b34bf523eaeb0439cac260e972e48eed6d764712a216780ef00266048522f84ec068006619d91e7badc300d58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
6cc7584c0918cb4bc05761b24e625145

SHA1
7339e8ff70426384eca6ba47528ff5d6322a7e1a

SHA256
be946fec479b4a619f57070330d782ed402d6a50e9bf4d6a404fb6d6fcb837fe

SHA512
dbd1faabc1e68b81f989c1f6242ad127f702c8b06df8a76d902cd006bce854d47373936a37ed1617894e9a049559dc24dfbc59d3c881ce48a5c4757593007a08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
32981d80feb13a793f7cb5f9806ec137

SHA1
0648b1cc616a01f8039906ef955a79cd17587942

SHA256
45e17c0cd851d5ea1066a5f972e6081d81212ebe903a9cbaa6ffba4d2f1de203

SHA512
75a1dc078bcd333d96baa4b6a6a8915c834b7d79f702bd3320e590576dee2f61c426c735ba27904029649ccaac23e48897f8ce170492f1505d74706e6f560c9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
e4d4461f8bd5ca0a8e7f3cd3a132aad8

SHA1
1d903f05fbec9a28c2948c1e451d27a5e26a3a8d

SHA256
d69e439d8b73bb7bde9aaa9696c7da33a613fea47172054e19b3fb6b7c8b8741

SHA512
6e4bcbfc64594d689603274fff740950775e318d0beeee38977f5938084b860f307061f16c6a0181f7423d20d42f346a638d08807f6830a29a06354544c3e140

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
71ef63b083cb2d6958c27721d9d8a0fe

SHA1
85eece04cb495bc23d056b1f33636b1744cb709b

SHA256
de75322988b98806da1fde7410d2299f8bc08048b84cfddf98aab43e3b15efa1

SHA512
ba0cfae40132ad95f4df670a4bb8cb29d4f4e16d0c9e3a362b3e6006633e2ea184e2a79c63ec8381902e38a746347aceb867bcfed77ebd9affd52932bc41d295

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
aca6a9d9df5cc94b1fc20dafdd718d96

SHA1
9ae3ff7d1dc8d5f1df9f3efc479f31b9e460487b

SHA256
8651641849e5fbb6a9f4cf437e68ec827a1c131df63cd5de70913cb72c657e49

SHA512
61d8f7da00d5c63ed40e30d5172df0c7250550ce558820c76e32c953e165141a71c78e99042d5682a27ee028a9a8e26abbe18e74b4c761130492f3d564e21ea9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
21d24f4fc084f28aeab6663ab123696f

SHA1
b2f35985156389ed9b77af7ccda0bb218a9b496f

SHA256
7a446b94b09b174632e3c0878f7c2ac455a02dfe06c004ac638abf14f9deefa0

SHA512
da51f2a1e74005d23830add2dc2ab8219b1f7502d344aca846b7250764bd53512a454a598f985011633934bc014f9b1fcaf4b4c30d7644b1dc9bd0abee1e0924

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0031f3e643089c841ce3f993802bd8a1

SHA1
3f1ffa233fac62a0ee2a24c70be3ffe90b8d90c4

SHA256
46b9f01665456b39c3fe5bbbdf83222e9ce796c6a77b86c37f5bb34723c28d97

SHA512
e82fa0478ed06cdbec97afd05a5660de9fa39f2c3ab7a7c529a10700353f6a6879a222b59a6e79aa7aa881d35e0d785e0adde6d06129ecf0b72501af8e7b919a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
319239cec0ddf603863b39031f90e226

SHA1
d0e79e8ad1b2865360c96b9e44a3b63f58b38ee0

SHA256
c2b4974f4272a7eea563a5e14972304b8b153ca01c0f4ee94cc70d029b87ccd8

SHA512
60b6c8d20be0b24e5859fa09d319eaad6b6e198e774668631b9d48ff9ada824294b764c5ac5301de51cc3dcedfad4c5353ad90926ada91cb96ca04a3cd7f5a16

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b7598860f6318e09fe55605c11e38535

SHA1
4c90b2516d3ffb9ddb5871ddbcf0a678bebf235f

SHA256
3324bf1d317784ef9c30a718c593e2505c399f009925910236a719b99da1a37c

SHA512
a2f75992fa4e295c2f73671124367d0c1285c20a33ff3aae5386d209373743701f3f132f06c06c74b062cfcce1cac04e2610a4fb464f27f4c6b88c87888188aa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7c63241eb0d0981338ddba919407ab72

SHA1
79841a1fe0a83648ea5d8859415d67ed541b5c4b

SHA256
82f6db282e10eea93e37b6a8ca87c8a96c4f18cd8187675646f8bb2433f3a443

SHA512
796542a9528e0ba56a66efeb16e62b90f8fc205a27ba547775023ea898916a1503dc5ea07db80b61ce0a0f784639ab62ed68789c94f5f5ba99b76aed39d0f120

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4810ffd87821a9905cbbec2522dcdc72

SHA1
3545020672e45a7211fb735da5ef7ffb43f44b06

SHA256
3fee54f67febdb8466d8941b296b2ed2a94c2f3db38107f12f6130f71cf6e47c

SHA512
cfff57fa9adf674fbcd0e012fb3d1f4271643cf7928aa6d048668929431c78b260ea3fb03d8dc52bdc49afe603d397e525350f310d8025b53432f48f628abe31

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6f36f8cda9a01d39376ea411db8a2f33

SHA1
71051a9050a4639f9058672d6527f5073e93a6ea

SHA256
998e583f8ae637e03c58b75d8742a81198c8b9098f864d536cf678e60888b0e8

SHA512
0a2ab2fff93c24b28513d739d9b049a04bed263533365afee4c1d78c1c362fd55752f0e97c4a5d1f0404efab664d4fc3a1a8da241f67d6becc7947b4fb29a0ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9771c2311b2a7ab430a3dee82508f9f2

SHA1
360abd21752c2d6b7681104559b73079a785df81

SHA256
a187df5e93cf3c1af919a362505fb4e1e518a65d55eb66c892c25ada16d40c6d

SHA512
8c2a242bff372ddf8d6e55b470d16f4b6fafd95fc8a09dca78bdc203f468de1ab7a949bbd0929fd093389ddeaf620256525a12ebca967ccbaf901723a3f03668

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c71b714179003174e0ff947303bc71c0

SHA1
264c12004736ad373556a41794a4dc961b28f006

SHA256
b73cc31511face21b45ff8ba2602a66be0350d0e1aa48e6d65456d297e03f962

SHA512
607f36ad450371b14ade14903ea359c73ec79671edc1fc35629ec52f7d04109d584801d5853401ba5c512dae86067212101b824a5521ab80e5731807c16de6d3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ec9a5eab687d306e65c3b15770580837

SHA1
0f5608c39bfa56b60d8a952cd30adf6d7c590b05

SHA256
c483e14cff24076ec4b63fb75a2a74f718b4b90f46e4a065e46b1985e263c052

SHA512
c26e8cd80951984cfad0fe24bfb13b40e42a5e9cdef4df6c55e17af751580953efc2d4f5c98b14154d84844e0d61f24693c2da58d24f16316a4385b4a65d94a2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2193025519f1bf6f300488e01bac1127

SHA1
7bba8370594b1c3b6c376b52996ffafa7a763c6c

SHA256
ec44f3c613f6fd22614fe98cf7fca2d683ff4c8eb4247daec84694036961eb78

SHA512
cdac119217ce55966179703197d4eb95846e00908ab64209e24513192f26b4638a8dc92b90e1627330e2717547168fef1ae279e99a6b96577a6058d1615ea29c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ccd1c1f3db2199a6e35b28dd2efddcf3

SHA1
fce41e9ce9462e75090bdac3a782d5d1e0ca69cf

SHA256
42201859dd23f91d1f2d893dacfc80e8f21c6e13b58aaed4addcfaeddcf34843

SHA512
bbebc8e6988c1feedf23e3dda20da3016f9d8caa2a91c76dac5770b4708f107d79f01820e7a4d095bdede59a9baccd7f0be2624bc90e00a9d0311bd50a7d4a52

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b9561487ac521c642bb9024f98cb67b5

SHA1
9ca2280ae7811ef7a7e31d08a380403018b52195

SHA256
df953a88c52e50ff1051ed3260f56ba96f6f10ef218e206df24ccdd08aa3d956

SHA512
f004fd30fd91a61446b6077a9b902bb04b0e484a65eb6c045525c713d601a99f566f21c92a4e668366ea78adaf608f6382e600926937f943443bc3135e8d5295

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4ef47c69b319687e35b600ca47927256

SHA1
bc56df9cfc5fd57fb31e9739ccfb0dcbe21fc503

SHA256
dd70830a5d2414d3caf276095c55c6a36f0b6df6dd181a778c38916edc59cb53

SHA512
dc8e0a9307c49a45f4b46171829d9c1b576266541d853c8349b0d5e3878567d16bdc2ebfa930e1a28becac4430907e2d4741bdabe3d094bc0d34c9cc2204cb1d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3fb8805227ced96dddef90c91d844c08

SHA1
0a10909e4be57ac61a93c553275bd185fe5174f1

SHA256
035b4ff97847fe78b8e928c01d1a11c94099ed3762e65d1debee325e6d163dcc

SHA512
7c01285da5b48330bac4f507c64c02e66066d81e1a75c7075bfeede137c2f49d4358574bddd4ee9676f7b2cc8ecd74130a1fb6ced96b6f6a2db4152c28bb748a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9bd4911545b1333e9985410de1086a94

SHA1
71ad5e9f92a2188340b62c245bfd7999860187d3

SHA256
2e1364f58149026f0e06f6dd125aae6998623c1faef72e2b0fe85e9c3e5da9ec

SHA512
6c1dd0dfa660d6175c4a2bbdf9a07a26b48f740434616fc507d94715e91d9c60ac869b34324537abbd48097ab7164b81305a16a6aec27f11c0e53b1d4ddd5bd5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
be3b9c10784b00e36f0179b72aea467c

SHA1
09d395099a1f8feefc1deb9350313afd539e1455

SHA256
ed5fbf786e4bc2980441630c8f9d034495fdb109777836dc6f6d736dafd11718

SHA512
5fb7e2ce170d5f2ec1c052f411b98585c00f44f98f35a88bb81c70e9f078edf0b107d364eabf34f85192ef8a9e8544003701180f15adee27221f77e17ced0757

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2dc252ac8338301b2054a50283f570a3

SHA1
8613b6171d38b3af6a998902b8000e0cf3de972c

SHA256
dc48ffa75e9bdd237f8d5c640acb32de23a21be247453e6f0ca1dd805f7ff24e

SHA512
be36c3fd90f039f5a55a9d803b2ba35ea30dedab94da7cb381c22cae98ed9a75364933562ec3b2686a563eda49bb93be56cf2a1f32df1346793149b51c7bdbd4

Download Submit
memory/400-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/400-246-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1572-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1572-606-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1584-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1584-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1640-63-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1640-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1640-56-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1640-57-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1640-67-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1996-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1996-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1996-413-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2236-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2236-42-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2236-237-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2236-33-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2320-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2320-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2320-71-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2320-77-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2324-255-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2324-323-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2324-262-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2324-256-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2676-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2676-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2704-332-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2704-604-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2812-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2812-32-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2812-8-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2812-1-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/2868-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2868-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2868-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2868-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2980-598-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2980-312-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3044-286-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3044-414-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3176-581-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3176-301-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3208-290-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3208-468-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3624-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3624-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3624-17-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3624-236-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3808-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3808-602-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4284-603-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4284-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4436-327-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4436-269-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4436-270-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/4500-601-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4500-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4996-331-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4996-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5004-319-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5004-251-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download