b5908683888aea422c18ce313c8f50dcaef3671f30cd1da0e9df17ca8c325abd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe
Size

1.9MB
MD5

1696944c75474468dec388a8c55b8771
SHA1

8f6f8f00c1cb61d9ab8129420e29e478dddb04ff
SHA256

b5908683888aea422c18ce313c8f50dcaef3671f30cd1da0e9df17ca8c325abd
SHA512

c8f899a49b79b0df2086014036fcbfc54020a516df68e4a8b6488d87096780c099704316398c4ec15d26c8ab312bdfd5766abe04071f10ae01fab59f13162e72
SSDEEP

12288:D2lWRPPhA9PRWg9PUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:D2lmP4RLatr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1448	alg.exe
3992	elevation_service.exe
688	elevation_service.exe
1076	maintenanceservice.exe
1884	OSE.EXE
2288	DiagnosticsHub.StandardCollector.Service.exe
3696	fxssvc.exe
1992	msdtc.exe
4224	PerceptionSimulationService.exe
868	perfhost.exe
1996	locator.exe
3596	SensorDataService.exe
4328	snmptrap.exe
4924	spectrum.exe
4620	ssh-agent.exe
4776	TieringEngineService.exe
5096	AgentService.exe
4212	vds.exe
3056	vssvc.exe
464	wbengine.exe
3168	WmiApSrv.exe
3404	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\797c49daa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060636673ce98da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000730b8b72ce98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a836272ce98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055f79672ce98da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5949472ce98da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072b43673ce98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048207f72ce98da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fe3a272ce98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9e56472ce98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d329272ce98da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3992	elevation_service.exe
3992	elevation_service.exe
3992	elevation_service.exe
3992	elevation_service.exe
3992	elevation_service.exe
3992	elevation_service.exe
3992	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1888	2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe
Token: SeDebugPrivilege	1448	alg.exe
Token: SeDebugPrivilege	1448	alg.exe
Token: SeDebugPrivilege	1448	alg.exe
Token: SeTakeOwnershipPrivilege	3992	elevation_service.exe
Token: SeAuditPrivilege	3696	fxssvc.exe
Token: SeRestorePrivilege	4776	TieringEngineService.exe
Token: SeManageVolumePrivilege	4776	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5096	AgentService.exe
Token: SeBackupPrivilege	3056	vssvc.exe
Token: SeRestorePrivilege	3056	vssvc.exe
Token: SeAuditPrivilege	3056	vssvc.exe
Token: SeBackupPrivilege	464	wbengine.exe
Token: SeRestorePrivilege	464	wbengine.exe
Token: SeSecurityPrivilege	464	wbengine.exe
Token: 33	3404	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3404	SearchIndexer.exe
Token: SeDebugPrivilege	3992	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1888	2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe
1888	2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe
1888	2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4956	3404	SearchIndexer.exe	121
PID 3404 wrote to memory of 4956	3404	SearchIndexer.exe	121
PID 3404 wrote to memory of 2188	3404	SearchIndexer.exe	122
PID 3404 wrote to memory of 2188	3404	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_1696944c75474468dec388a8c55b8771_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1076

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1992

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4924

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4956
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2d47f0dc389127602505ef1b20ca2f7f

SHA1
35fd418e3fc3b2e8cd2c1f1772bedcc106a0af48

SHA256
ccbb56f905d601ca591d45221a0e00b1703b4f4f0ee3815d55c1bb5a8d143372

SHA512
cdaa768229fc36364d93c6baa0e8a71a53a7d4127629f000006111c9c58a2d3541eaded429dbb8ff4b9e6b0dcddc245cd8faaf8dbf07df7979e867188939cf90

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
23343214b76d0afa683a71d47331f51d

SHA1
25d3bdaaf6fdbc51c4f0a0e64ca60dd05934ad23

SHA256
520a2ef4a24ebd5584bcf5f964415fc69fa572b2bfd305ebdd2ad88cd8071475

SHA512
d6dd5818b58a12e9518f693253948e518d19d674f5d18b8a47fdc715217fdfe61427545a4d6c8f83efa01b60c0b63f777b5a0e8e5e4964dfa54bbdd73ad1fcf2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
9feb2bc5c11351cd9af259d7fbe3c480

SHA1
468d4e66b706919b756831cdce3c5ad381a7d95b

SHA256
a1dff344100bb775e31fe0d8e50ce0e8e00a4a5b69fe20817fc5dac1f0630ed3

SHA512
313426f1b58755d1898fcf01ef44c94b3ced8d0910896e567e2333ed63905d2e7543f1919a3a78a2a670eb20ca9b49257ee87c2571bddb9c9d2b9f932313e9eb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a0806eddd2a33bbb73d81e81d037d45c

SHA1
b039bc91cc3cff7104a8c9e11d4917438821563e

SHA256
f218040dc384bcc912e430ad8de78dbf0c7d16451703476333b6794ae60f6795

SHA512
ef8d738ad4e7bda1b5aab4d80455152c3dee3bdf11e03c7a7442124669850c70773963aa8206f7635e74f5b1ca5aef49f68e75cf8e50b1f5e1ea89ac61534301

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
642bb7565c3b98aabe30e34d51ea883d

SHA1
ddbb04afae659e594a0a8e1d12cac057a8add895

SHA256
2eff25dba9da61a52dfc6d985b94a55cf876ecb50b1a34076a665a463c20a5ea

SHA512
d6801249f670e75c8ad4c01f8754c6b1eda284833647bc49498a9bd7ba438c77a0f7ed3d04d1cd6cf0715e691611b01f432bff33b4db4496d726483bfef4dbbe

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
55542f9f98a21b04c9fd2981f7282be1

SHA1
fca70f4cba1894e611e0ba003d309248c43fc86f

SHA256
2c0754f10daf0b6accb6cf5e89c8b17c0b3f8ca4afb24ff8dda9e5eb09f2b521

SHA512
3349065be80f59863a61f949de92ae417569ba058d1bb6fa610d3a585e181a39c5ad5fa2edd0ea6f35b756b81ab1411be0e4d22f9d5b69de75579a5065b5ec03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
dc797a70398d532e340d22b7efcee8a7

SHA1
3a3e0e1410ce70fa277f91e40704923040fd51cf

SHA256
219a9b1dc2841fd60b49d6bd5a3ed1473a620fb875f51b248ad1d4b4f1074af0

SHA512
3c337c26c1f483e7a228feebb7fa3f73e46b3b9e9b23f77ab6b5bdfdb84a5fd7c6203e3c5e30195d41cf63bd076641bcf9cac2ac95cff70f3313d5957d54590d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c60241b953a946be11c1804d5bbe54af

SHA1
765e0bf01cca0312bd0baa2a2fa562584cd598d8

SHA256
915edaf47b1c1540180d4902368ffd5be321f6bc2aa0b2b930f7cc5337b990cd

SHA512
49527e20001975bae11411314173af0a5504201b72ddd26f3a73214491f9f63d3902f023128eb556a58077934189685b77ce6a9acf0813e15537e777dfb378df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b2b6219f1b146300d3724beea69c6ecc

SHA1
ce2921dbc2637db126a953d41ebd37e67c7cd5ed

SHA256
377670fb1c48a25ed581a3cbdffc771d91b0f1f6c0e08ce5fe797c12cab2612f

SHA512
ed942cd3e17600b50728a24af692d0ded8c9c1b790efc9e4935628fcf43eedd379681775dd15f009dc2edaf5933b5d04186a1d6b899e90a07c674f9aba90f41e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c146847c56ebd0f3a425bdbc979ff3f2

SHA1
e51f2976a817d8232173d76465002d790b3075d7

SHA256
7cfb7e50a2d02c62545f56fd379562899d4e6e446a248462df3900251e16b4b5

SHA512
cc1d292dfd64c6cc7446565e8c78c941bc611d54e8af3a9b9f8c52855d511808126c11b3ab19535c59f6d28440bafce0202443c2b019772dbb5a4c58d00e924f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ec7f37758772889a9f3dd1b676c1db3e

SHA1
57e1d87f5f86061c807f1f40296120f51325c2ca

SHA256
3774a13e2ed78fc2f31884ce2bfa601deefdae6390db80fa66aa13d1da855041

SHA512
ecb8ae1bf89584075bc6abd2aeab4bcc618ced8cf3fce74e5db823ec783ea5c15b4420dfcee745bb3f04733d46c116f78a571be00fd2d2330bfb6e0cb56bac4c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d5659d378bc316cead0934c1f2e48972

SHA1
59d2ffbedd6ee40834762e8082a3ff06ebcebd0a

SHA256
6e2f27a6ff7f2cf9abcad73b59b6c53c629425090f2fc358a7d46ab1ab43cb43

SHA512
b00cb3bbc2274c94d2aa9dbc94a809f644f561c005371d4a161ffcd9be0f1b11511bfe99c2e1d672a323556bd6c9e513e13e588d953ac11c783a3ab5b20e21c4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5a93246c5097d84081bb82c8e3837883

SHA1
f1cc3d1a571061be550ca0762b823e3d8348fc46

SHA256
9e33bd0e7665bf7ce7d5b2b32e9ed82ef9e78f688566b216be9483a81b8ee6d4

SHA512
0ae8824f9b8301806fba27270b2c4379ebaf309db0b98f7d110f7338eb9a99331544c3ad64dc0cdc78bef10394f23c025c2391ca1e43e3a71fad28759553521e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
da672cd2aecc509d49fde19c77574bed

SHA1
5a42e884734803b8bee9a2ce310f08f45c480064

SHA256
8d57b43d377002fa40a485b4b412f097d7bdb4aa58981212cd8b15e7bb9580f8

SHA512
6def77509991d094d71f8906a813ef6a029451869365b4ae87ae782ffe44ad8765def8b77ec4255b3c2ad0a710f7ac78c8991340e37b9fb719b77d423484178d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
68aba1522065b040de6cec4e6c437be7

SHA1
984b07e0b5b75dbd5b06c06aca6382d8d37da2da

SHA256
c317002833f63299576233624e3cddc314a3c2aadd66f91998a341b18ec06cfb

SHA512
db9d88f8eaa304a3451b2b01cd82a9d0dc798ff222c07dc5c3b7bab70780a49fc59178b8b7377060db034cb62d757933ebf02a7074e2316a38b9591ac145f0ea

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
d2992e10be4d34cf87799e86503ab1b4

SHA1
c451bc9b40d5283100c509aaaaba726580943944

SHA256
b83032a6247741dabe62eb2b1d3007c9b9ce17c38ce963034476483e1fe5c682

SHA512
8dbfe5d13d46951d2a333f049f3d6371c367519a7d4ff07ec950b6fe811b5b9042b46d224dac69733ea6c7fc91d95976694fe6674a4ed03b4fd9eb0a6fcb849a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8462967de613e6adff6148b24a869b63

SHA1
30a084148d9c78ad4876b714aba31d2e0ec1534d

SHA256
339c26592c867648b6e9dac9a99183b97d4a29b6043f2a9a72ee872ff2723873

SHA512
aa20e74bb81752ef0904f452d283f15eab697c654cdbec3d8f7ec4de2b0530b043a0ef47d677388d5328ff818ab08c6a43d926f834704854a3dce7a472cda4ad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
065b1cd716a63a9c3230fd8ed1617614

SHA1
7e5e57ecca33c12706fec5b32eb17654335d89ec

SHA256
2ee5c330b6dbf912627864d90a40bb95e0d810f72262e4e5c722efc2c5092a32

SHA512
af6b85b778071be8a315abdc9762ae389171beba3f46af7bf75b38507b337a9345ce518f4c88fe8595b958b69755a93df588c92188ec9cd486425a607231e7a0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
15236cef0dedd984b7216832a83174e5

SHA1
a91e7f480eae29be8a42350b92246c60503aa927

SHA256
0a48f395b76b9d5e7666898097f3e74dcf022ebfbbfb157070cdbfa0c8c27bf0

SHA512
74ad2a9c5e0e64e4e76a07067f61d6164e498d207bbe02f485635c9de611d567c06cf22cf8c1d1e6d5b963897d5c1aa08a0ff673b7cd1fce8cde38c09d06af4f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7532bab4b5be59f9d530de4088d05aec

SHA1
98bb5d180d4492a3db323f0da90d0fce5a061262

SHA256
a74ea8b09efdd542643bb0c71913f64a35cbd77fd6b8de6e57624625b754a756

SHA512
ed699c2170da201df5d88996da40e49cff0cb76e99effdf51f8ce2ae3b3dba524c832af09580552568d8ab20192fd3cd1473f63def73d6d76d805463113e88bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
ac5e6f17cebdee5108e5751309248aef

SHA1
fe679590cd9fe5f87a70d63bca591d09e5eb7253

SHA256
f5fb8ff10788550fb8607ea842fecb2e0e53b5e0838e45e53381bf06b877cd31

SHA512
d424614228c0d6a862165e96790c44e2fa53e49e4e89de02a87541a1c9b2583cdac074292dc393c1a43e5c407154a2f7ed8b01f8dbf96ca07724189ad4236751

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
960320cb3b5e18c1e7020e35628932ab

SHA1
e5eddae22264dc98692fd6aed7b8b03b0d5f92d1

SHA256
20ea545733d7198362986eda480b80f50406dbe380d48333d80e6fdae6d5200d

SHA512
a9eb85d336182b6d1d4d3366899aa3545e5607ea2c150080b20e1066df20da8c74195874f02d646ab35c2b41932cc8ee9e900ce32687513ecea6ae72a10e5b89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
dd1dbe29cdea6f908c4539c5550fa092

SHA1
c48d0c53bef889de8bb2e7e2b321fba27ede9325

SHA256
c88d57ab43db5e8f6b6b4c42d463349036436ac525cecc207bca179188863426

SHA512
20a60aee45018414d4d0420cf32f496d928972d001ebbdc5139b69291357cb3ab10e9217aebcd1911eff715bcdbcd28f03d2d6e06add170e1bb00e113f10ca2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
c8a87821e33a0a986c8be735e1f6a16d

SHA1
b2ea8585ae29487e349c58fd90fa9e21fbf443e2

SHA256
6dc43d4e57c392870135c84a9eb4cdf73948648664547df551eeed64c290fa53

SHA512
5a6bca4cd897c4ae6c1bcb822f91b96d70e2ff3225ac5314080659b6377c95e101ad3e155d6270a07d2e203725b62229c0a364ab1ea51f8223fe4402c3393f1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
cebe74df0cc8a6462463f8b41ff7e48f

SHA1
f56bf3021294779f07e2532ae35db0a4d518ae5a

SHA256
0bd83c7a2a0c2ffc8e88b304cc9e36e8405f04e227b47cb682ce8b67a1ba80f0

SHA512
3e62bed132469c4e2628537664e1011981b918b3dc1f84d9e508fd82778fe069900ab9d07ed6096b9bda34096eae5a3addf24d569fd40fd590cf50fc80c32cf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
4ab75831fc314536fad98ab7cbccdfe5

SHA1
559cdf21960ccd8a0f46b6790f255724500b2007

SHA256
349619b701f474ef68bf6398837d50de5060d3f9eb37dc8ffc71abf22cfe779a

SHA512
a121c17440110f556a93b06c2e5ce13c597b10d6e1b51bcc848d7c7a3660f5d976aea4627be58c050596b16cc3310f7f612a658dd64e62f227bd40b0f8cd3ceb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
0e49afa037e5e4123580b7f542fdc89f

SHA1
6bcaa3d28a1df23b880721eac381cc74a5188ef1

SHA256
f18cee9a7d3a3c284a4844e875782a5f50968e3a50ba80ba5c0170a3d2a06f11

SHA512
f39faf2aaed1a11f1c34f8c87e18ca0985ed876a8f269484bd4152e0cd576953f3c91f0ff2efab96e00310bd7b6eb120ea5783d2469ab2741bc5ac0748b4d88c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
6359c6162d4df6423c866559b75f9ff5

SHA1
dd76fea22167b7972c3c3b6f295108d1dc1e8635

SHA256
b45d780d03fefab7c78f329d0f10cde74a7612f58b41ea51e65e85aec6acccdd

SHA512
741abd236cbc00ca30a65324e0426f519320469577dd39a95dd2195142d1af14a5f1eb3a7ba80a6d682379e8d485126851846036fddf819960aa211f98591686

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
6c88f95ea08962e5fb4b3284f84733cb

SHA1
a4c41201e28d5388dac4a567d166a60eed6561e7

SHA256
42c11ccaeec0806ab898bf6790eed9584f0ab9396ccc38ae7f64bae4c8a5783e

SHA512
f94bfe1c63737e5f0307bdb32f2b498574c9a5ecc10f0f72f756a37388d289df26714a7731ced2df8523ad64b960516cad8d0477a8eaf60fa5144d016ffea3c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
3f3634ae8ea7b57e8ddf5ea4beb70997

SHA1
05dfb70e86a98d1c1aa5ecf3bcea60bd419d260a

SHA256
e00c4fa16d5b67273cbd21d624c364eff1af19e8b6f8944f696a451939cc7a03

SHA512
d1e4b69b01b4f105b3f64b44d2f2f5e0ae8b048d59881ca7bbab961325f1534b88fe2651d8d12c529a25b969e8ac89755a25906a98c3d7d2561f1ede3f26d969

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
077f6aafd41c79eabf359c4d7d06ad1e

SHA1
dccdd6d28c356edc182946cd8f78d872178bd003

SHA256
cc9ddbba8d785f474af46b6d452de39d23a32c24173e58504b1c438e71de9c8e

SHA512
64c4c8003e60a23c7a02cc4b5c646942cc46067e73da9f7108b059072b43b3ea7ca8ee558be38462e726dcad78d07f18807725323fd88579099473200d2fa89b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
8a805b0e04314a2d5582e4038254a477

SHA1
7856200a2960384bca2527f257f296ce364a9395

SHA256
8735542b1fbb30da1fbd3080cb347f34a851ecf4bf19c38d25ab77e245091fdb

SHA512
55d1831acb6ffa126d71bc9867832bda6daf33fa60320b3a99e5fe6323f152d7531525ee542ed03e135d739290595367c1dbe39076ba8083e00376e21b3bcbbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
ae4f4c5f98da4692cc6647541072c109

SHA1
f13ef656098f12305c4063d9bfe3159748f914de

SHA256
f8a2f893c84ded4cf3830ce8d3ad4c08683a16fbe25ef1ae4b109aad4fa9c71a

SHA512
7c00a29482855f9305d298e7ca5a3cc55ebc8b343e83a1a0adf23afdac0d22ce812b9d642bf71d63aef597fb15ba12df5e581545c60fd6898e82d54e466c313a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
418e4f8f3b92889d994ab58ef401b4d6

SHA1
9bdafe43883d626d3f74a14fa6b222a1de9a20bf

SHA256
c9a85b695118ee1590b291d5816857c7a38ae8e16a1d3fc04d44623bcc8a16e0

SHA512
fb4c1b683227301e17d06fb7f3ff3f280bb4106bba42ba2e1b230bc8637846cbee1737cb95eb28a419fe79fb5dbd59f6041a1d69d0ffb44834f7fd8c68e0fe86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
11baf3575419de904c756ad48c7a6b75

SHA1
a94b452f222ff2ba21428b312e6bbacdf15560e9

SHA256
f7e817916c941842810e06a4b3c3590f93f6ed26361bc309cd67c3a91067734d

SHA512
b9438a256f172ae1e7c0a09edb17dbfcd900b298baf20dbd95c87d64b620d1ad3cb14c761f300e1cbc9464123fce4b78792007c08081f49010940825f097b57c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
b329fc64c4a6a3372725e057491c5cb6

SHA1
9b1d5ba7a7f2edd98bbc0d9f0bb9f1d4c5e29367

SHA256
e7c0122c4735ab5cc0bdf431cd60f106703a3bcb1ff54c78cdd2d250877afbd0

SHA512
cfa787a380a7a52eaa3cc0fddad307feeccd32863a67154ae9dd830ab53391e969224a8aa807adf204dfa926544538888a15412ab96e2acb9f29c146e741f91e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
378a1d7f888a2c2fd38d4ee3936ccab4

SHA1
b6c9c2e47597d296f3e00df11ef352ef9c03d61a

SHA256
be7aa46ddb2a56bdc56085c0207aa66078d7855b3daa3ef498e6056acff74d90

SHA512
234308bff5bc90515a02a559349e833483dc8df0628dd5e75b35b633082c165a698436b361c52efa9d8349ec1e331b713c80e3e705aff2a786ab6bd2ecce9ee1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
881d5ee8a514c5b35a99718e92255c03

SHA1
211c58b4a85657e44e3330e1d0ad0e1eea124a07

SHA256
2dc4ce71397c73c9ad7a361f99f1221ff85240a96986561ef22c08467203605a

SHA512
95ed0e5af15bf1cae445b7522a096d69181d3bec24fe7ce48f72fb7bad8bff3324ba8492459b953e0e7d62957101afee0d6caac3ef88e8bcf8d11c27377dc734

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
cf692646d00d75769f96bbf72372273c

SHA1
48daef32d89ec37ad993c997725038473aa2b4a0

SHA256
b31d4d7c86e97de3eed478c4c3de5f82534c39c505c566b5f4c8a5d5a5de30fe

SHA512
e25eaad8f711173c17bc4314c881326ee2e052abec5a92cb786574743605b2e638a30a756354b3bddee5646b41b5377d608fd1b4192f3aaa6651383e562d0c9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
78064ec4ebce3a1b48b51bd6834ee13c

SHA1
db6bc9b13f6e0460e51977a27011821d16b3dea0

SHA256
b9c868473bbaabbed1b701e7aa6ed300e76d709e5348f6fbf3ede4a144d01f49

SHA512
160c30a3b86ac84a293ee69116c2e1de9463ef5d73b64221f60d2d385f1afaee240f724be8a714c49602c04e0d251ed1cd9c6770741adcad48e65c8bacfe0052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
3a509c9d9520704d643b3f453ecacfa2

SHA1
533956cf9a36cbe883e558ff2f06eacd1d6314f6

SHA256
82da7d9f68ca308c4226e7310798faf5d6816554e0eeaa31f85fd4a21dab3ace

SHA512
fdfafca24c2e3122e2d1d026b7cd0a92746680a396a5df4d9ebf82716600f8070c3a3e6e3751142af20a149894c5d6dab19f90613c0dc1e85fab5799ba7be9bd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
7e4e0b083b9907466b7efa3c5c706883

SHA1
a3b784365bb44b38da80a26f9a6174ac85eb662a

SHA256
e25752b190af2e82c1dc075ff13b9f08b44124ea0ba578e1b23c6556774b6622

SHA512
7d06601b914d5a29f91f6f92f17c137415ededef1acb920f15bbb8c7df30e0a36d67218371a2ae6d2ca5d980d85dce1e7e1590101dcd445b43bb87415ae4d4d4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
94a3fe91384ff865b1988a3123382030

SHA1
b1a80eb5c8f923f121528e2c127f875f8349445a

SHA256
1b83b18258153c72fd69c91bce9f1c11a7e2e1a23596a29ddcf706af7374e03d

SHA512
46abae4784952394e562befb6a195949084450685f36510e63f8f6fcb3376c9db9a69e7fba8e5ff6fd103a7666ce4e93403e246368fd97bc7a1c443a8e37116a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0ecae302d411bbd5b54f0e445ebf3efb

SHA1
19c116cbe532dadf45f8f17f69c0eab00996b286

SHA256
9709c7b842fe42d270379651fdf6ab2ff0195de2b017e8775dca47dd97ce1981

SHA512
3ff3e8e73191a362fdcbed30caf7bd1f440b594e92778f3643f7419210391f7b5c1d756532309eef3eeb245db98dc3986837234fd55a22c1b8f5d025394bbeef

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
c4d62e37c0621b6291f48992d79187e5

SHA1
ac99ad4974d830073ce202e15b21ac9d046d1b00

SHA256
00aae9883e169b510f58a72c354e05c9afd862087d813cf942135dc0c7a34ad1

SHA512
df32e06f94005825799dd8d55aee98d78ac336bfc450e92be77fe61759a476ff4eef391215af714d0160ce27de6b83be2a3382fb3dd11862839e92d1df4eabd8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d574680e15940a2df4a1fa26838aebdd

SHA1
7e58fb909c65dc6831ae5b30151bda0081fcccec

SHA256
212e1aaf50366cf619df289882813bf8116b144f743a0adfaeb3da6b7ee20ab1

SHA512
3aac6978e0644bd8b152711fe9bd652236d6fa2e64571a97254a19be7b04ca57b1fffaadf9d28b1fe65be2eb44ebbef8b347521fef550c5620ebdd78db9e0161

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
9c0432ddebd218e4cf0d3001b9dee07b

SHA1
180e1a3ae2e3c770a089a861a8c4809edc2f460a

SHA256
fa80d26edd0ba6d4dbe458687721607d6fc70372d40bbbc6c1551e6dc44e3b17

SHA512
12b571b2db6a3ef3bd499fcf158ddc982abf6bbd5beaacc760dc4fd4a7d346ebf111f79c226b3991149898093df92e42a1548b183b2de479d3df3d9eb0997730

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
a35619af88e4cf54c98170c9a76a9aa7

SHA1
9cec1b639de2393d5635c5a87c21005ee8eaf004

SHA256
3b29139a1721128462d9377478135bf00122a0ff5674d5c1aac32e7cad79b572

SHA512
303048f013f11910124d658da986a8df033db7f2c2ab56495f4712e06cf08eb7a349f8ab8972817d6ced89f84f347b4c6a4fcd50290ebb2239d5d927e906a052

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
af0180415314010c0421f91efb0e6e8a

SHA1
bb0be4f5baa725766b7dafef1e0ed9e01f707f62

SHA256
106fd73f0b3651fa6b2b04a8126f0889c7315cefe472f3177e4747285c828b1d

SHA512
bd8d5434a8ca8dfe9e5044acde002ba3ae00cd8181b5f0b8433f8e0090aa311d40566f9aa0ce7831e6dc4b68ce182630b46b1c1234d0865813ce2e370fcaebff

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
17013392c124e8b7d3d6385a759973dc

SHA1
2fd4308514ce7a2924419b9aa8f0ff14a1df0c5d

SHA256
3dbc5b1df365c9a6f33b11d1a134ee63ec63c5db887d332e21bd5783586ac55f

SHA512
855689d14a7c119f234b98799393f93921983102ba9965786495e6c4a3d17c06c1983abf4ffccaf7631fe14f135c37906e4f2d026aac97e81d7f18d48978b37f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e8ce3a09dc0ed8575549fd14c07b9879

SHA1
502fc14e95e8ba83ec07f5da48cb90ded83f2430

SHA256
1599c8e354bbc535eb2f89f0b3a403dedda015c0f6643e9af39175d31163a2a5

SHA512
5a23f93f257622c3cf0a9cacab730405404d31d9eb01026a81f870ee4c3dc442dab22355fad918278bae197e18f72730ac9a4b314473d7dd216ee064459f5527

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7127b98f8f600ea822178481f44494d8

SHA1
74d58a6e21309c6118336247c2eb0eaaea28aeb4

SHA256
31a95f49bb1e7be04b5789eacd6e10498fd349e05ecd16ee05b8b19e0c023bfa

SHA512
4bd7d950cdc4e29875d551afb9b468f2ba8115dd66b9c6414db81f6a10dabc4ed272448b754c5f6d2b5b987c992a96b808aeff89a717ae7b6862a992c88355f0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
417afbe097854db1d894e72e96923c7d

SHA1
649e604e758b7e1d9bf851698a310c4999c0f528

SHA256
047af4c2a1aac31299a254db44fa010310bd94ae74336fdaf6e68e3b572489e4

SHA512
63dd75ec0362988255387581c9bb808d7590009972a56a4088d739e9360993ae0782df06a865a23ef184c6a9cd2e2faef3febdc92f0e48231ea7a11a39d20a3e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b4489a56be75a0395df841163dee88a0

SHA1
cc30677b25ff782e4bed4f8d977797be05863603

SHA256
b37428464d715ea2cfcd18e43fd06ab51eb13f8b194c918ddeed309bcde62597

SHA512
f6b73b4924dd9ac47f031ba6135d3765fe04d6c342da3819e4ffc49326e5e574575560d752d7733b6d09cba9bdc56c1ab3a8e20efa7f899e9b8d1fdb30f4788a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
5d01195715f385019ba874d5d265e55a

SHA1
354c272af7aba6b1ad9fe887520fddbc130a09de

SHA256
9be47b27c022cf648b5d039dcda61ae63cf556a12b490f75ba000c25d7b7bc7d

SHA512
c732da482f9943b84c591d698827907afe83504e5c5515d34f8f831f794ed9572c253b8b2183768e04876218c72afffa0e61ba289a052facbe7a74a927ace6e5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a4f07eff9c92b56b6973fe2d45d6bbf7

SHA1
b49c8d3a95c947078e0eefb7f02ef1ebbe889411

SHA256
cdc210d4373e20cc24a6473fd4d9df171f35261485073378877880faa7ec8f2c

SHA512
e78760e2c2b561ab28474f36b49cdd125dda214d1e5b4c510d859f379ae31f58980af4243dcfaaa861fde70dc2027aa8f6e34193dc10c51426935f58a5954418

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
31f6002a8af698aa324fa32225f8adfe

SHA1
e20eb2a0663ce2f3ccad68bfe725d00ad3144192

SHA256
aeb9dcb66f61f093ad3427ae8ad440c59866c6b668a9410c4746180dfb6520ab

SHA512
eb136fd02e03ac83d2c7f7e388914c4f20702b3783fd55471a8c7b4fc7385c5ecda3d5740bdf08b1d8d24076b38315e057fff8e3c6f90d0c1e45ea988d0668e8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b933457c8752941799e4bbd9279ce331

SHA1
9d7ed37b46784576fb7dcf4afbcd6aba48c75160

SHA256
a9e54b14d8073d056fe08dab0c2f98fa3f8aeb3a8635fcc3629032f5ab12df1c

SHA512
46263c9110d47c133ee91e5bc9708c4e3c0f6738c8bb0850afa239b99a273a93667afa98025522047d3d60db562dab662a5b6e344c1a549b9e133131baf45989

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
833640581afddbcf4075f4a97cc90301

SHA1
7bbbebe2afdce84ee6ec08a41daba0a8c00027cd

SHA256
57fb14dfe4863941a957fc5ff81321426d5a540a466da6d4c30caec0778565a7

SHA512
e62d6a751f5fd0cfbe8d3443bc5226b224c134214540efc5a78471ae0153ca15dbdecd27b3f1e368c9531b27c44d37fc114a41df133248ea63309de73f1f44d8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
838df4d38ddf06756730f9da58b2545d

SHA1
1c876a37eedcde89a69dc53b7a79a446f4cd476d

SHA256
5f6baab9c42e19812f4717bc095ab4b19672afafce784c3b24fb542a487ae8f3

SHA512
dd27f64b62364c7c85b40330e034059959eeb75ecb728e2665ae6a1c89855b843ee06fd84ba990a85bad4bf03d36219f5e8d16d7963c6efd9ff81f71ed804ff9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ff0034226e037288c3563a9134662073

SHA1
088f528b9442538ef254fb20f7f17689c04b48e3

SHA256
09c0f6013e5acd0feb910eca7ca7b975277ae1fd838b8d27311c03b961a7e98b

SHA512
f5164583196d8649e925f3dd23aaacd3ec2e59b854c121785aa4ceada27e499f329efef7b68e5c5272fd87b8e84591808e126e7331999643017e53cd90df9415

Download Submit
memory/464-546-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/464-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/688-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/688-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/688-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/688-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/868-294-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/868-404-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1076-61-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1076-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1076-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1076-66-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1076-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1448-21-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1448-12-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1448-234-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1448-20-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1884-68-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1884-76-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1884-74-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1888-8-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/1888-0-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/1888-1-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/1888-27-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/1992-267-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1992-380-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1996-297-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1996-416-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2288-242-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2288-249-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2288-248-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2288-362-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3056-545-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3056-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3168-547-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3168-425-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3404-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3404-549-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3596-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3596-535-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3596-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3696-254-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3696-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3696-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3992-38-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3992-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3992-29-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3992-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4212-544-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4212-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4224-291-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4224-392-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/4328-320-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4328-532-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4620-540-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4620-351-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4776-363-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4776-541-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4924-536-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4924-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5096-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5096-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download