5854b7ab1e44b525d247c66e934952a2ed0376864e54d2ddd48656ecf8f7c3c8

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
Size

1.9MB
MD5

c21fdd90aaa8e36652ecaaea7fdc3529
SHA1

2992094d7352b133053dfaecf00f625212c312ab
SHA256

5854b7ab1e44b525d247c66e934952a2ed0376864e54d2ddd48656ecf8f7c3c8
SHA512

be650a0919070d40f1a82692c28763d0c56e19e8cd5b9ca13bf7c6cef8dd3b171bf698a617d362f653967a9e855b64ddee7a5b33efa9548ca97d7873441917d3
SSDEEP

24576:a2lmf4R/8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:a2Mf4R/gDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4572	alg.exe
4108	elevation_service.exe
2368	elevation_service.exe
876	maintenanceservice.exe
4944	OSE.EXE
2604	DiagnosticsHub.StandardCollector.Service.exe
2312	fxssvc.exe
3412	msdtc.exe
1688	PerceptionSimulationService.exe
1532	perfhost.exe
4324	locator.exe
5116	SensorDataService.exe
1604	snmptrap.exe
4804	spectrum.exe
3380	ssh-agent.exe
4712	TieringEngineService.exe
5008	AgentService.exe
2716	vds.exe
1644	vssvc.exe
4472	wbengine.exe
968	WmiApSrv.exe
4340	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\efc87bb31ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc1573bd23a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a40c4cbe23a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d35779be23a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000839f7cbd23a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000627956bd23a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000483e5bbd23a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8da77bd23a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045fa19be23a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9d4f3bd23a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013aeecbd23a7da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4108	elevation_service.exe
4108	elevation_service.exe
4108	elevation_service.exe
4108	elevation_service.exe
4108	elevation_service.exe
4108	elevation_service.exe
4108	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4604	2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
Token: SeDebugPrivilege	4572	alg.exe
Token: SeDebugPrivilege	4572	alg.exe
Token: SeDebugPrivilege	4572	alg.exe
Token: SeTakeOwnershipPrivilege	4108	elevation_service.exe
Token: SeAuditPrivilege	2312	fxssvc.exe
Token: SeRestorePrivilege	4712	TieringEngineService.exe
Token: SeManageVolumePrivilege	4712	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5008	AgentService.exe
Token: SeBackupPrivilege	1644	vssvc.exe
Token: SeRestorePrivilege	1644	vssvc.exe
Token: SeAuditPrivilege	1644	vssvc.exe
Token: SeBackupPrivilege	4472	wbengine.exe
Token: SeRestorePrivilege	4472	wbengine.exe
Token: SeSecurityPrivilege	4472	wbengine.exe
Token: 33	4340	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4340	SearchIndexer.exe
Token: SeDebugPrivilege	4108	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4604	2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
4604	2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
4604	2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4088	4340	SearchIndexer.exe	124
PID 4340 wrote to memory of 4088	4340	SearchIndexer.exe	124
PID 4340 wrote to memory of 3540	4340	SearchIndexer.exe	125
PID 4340 wrote to memory of 3540	4340	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_c21fdd90aaa8e36652ecaaea7fdc3529_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2368

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:876

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3604

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4804

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:60

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4088
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
91e3e78b25a31a4b56515d558f370973

SHA1
129d9ba78ae549c754d74aa642211ef5293579ce

SHA256
9e6915194d4beeb19df4b5e4aeec64a5622dd95095b36446fd7b975390a00ed8

SHA512
876466b8ceeec4ec522c1132a107563789937025d86a3bf87164d5464e9435d651a4275d3ad774fcf7153c50fe1186d6752c795ec05abcdb485edcea8efc9b06

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
446d2829bd47a5d7b1fe44e3144d7041

SHA1
bbfeaaabcb706a66ef7c59f2bdfbc0bad470b2a8

SHA256
6325712a8326c105534a95d49bf31381af244b08e1de9625cb1a5e362badd23a

SHA512
6d90c85e892ae3bfecb217e80c9b7c348d29ac8853261138b9096a92a669745c867afe5a7db2644388503c5a594d35d04049747448eaca8a610e6d1ef664efd6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
bbd4f16b292fc8234b111660ab8d2b51

SHA1
2214b0d768eee9f87ebdc663e2d6fa7eca311f4b

SHA256
ce124d9c8259f498d0587576204b9ccf6296d8e6f04410c686ddbb29bff3e94a

SHA512
53f3a7095389eb5b6a9f9641b91eac761a821bfb698dac38b59821c000e264048cac69ccc01e4101e793b9ff1f18926dee290d96b109de7f52327190f5f7918a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
666ee823d9ff48389104f1db6c048e39

SHA1
3d0b59ae2d27f7e8d71e2c5b91a94a94b563bf6a

SHA256
86e095a743650eb223858d2656329178e1f3ba15fbff8c3cc293739e91b843dc

SHA512
ee495e04140bdc0c0eecc1ac77d5ca6fab2994fa0e0f00752f879a04e52a7c53beca74f79d060718861b6622a74edcad6e1d9464a371a395445e454b0988ea28

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a10a36726fd348766c147b18b61efa7e

SHA1
105392ebdba5ccffbc9e472b0f4c9d98761be139

SHA256
aa568c5ad58293156174900187b2025d3f56c83fd3799d6bbafc6162b6c6728c

SHA512
5421f2691dde6a091bedbeb63f67bf4607759039aa78d918cf95e6725db910dc5df5c74b88998b959658a386cafadfa5a06d92df782e50d6d3b84b8e9d666e79

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
33e25d3acb91e87dd7a77b5fff59a344

SHA1
a44f8e566e0a3921aedef2a35b1251b01355ef2f

SHA256
70845584ba92d10d8dde9820177177b231fd3ce676407069f431d70822b7de29

SHA512
d1024b5d2366f91db721fff23ec3e519a56f91405f2445500f2c3606cabba7ae17210f2438147673cc475f320f1d5567ce5be206b803f4249ada98ecf55c2024

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6f7e211f701bb28f7bb523da75068839

SHA1
f2b2471d7f3a359b59a64609aead20e10fdee770

SHA256
a47f4f3412d2c2d21137b0f8ba658772d8d92d1aff99eb0933838637bd03ba8a

SHA512
fccc61d7642b4fdcee2d2693a2bbe7a89aec2de0a32f3ea4b70f0929204189d9f691bbd352b0a08fa64f5269e2036c2469976a6077563e2c2b928225a357ec3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4b61b730eda7533bba13424e21b8c14a

SHA1
acaa1266b87055743ff1e9f42a5130991d9b3f68

SHA256
a660cdb93763dd7af2836b14116da9c4cd31cd2589af70b2d34a78a5da4aed1e

SHA512
c7c1e99d04c3c930344f32ecfc2a9d745212288c9176c34058fb65a5371d1a6abba8ff8560fb4ab0161e7b776ac9a6217e382a642707e1d94c6ca24c0dac86d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
32d5bbacfc90f3c09d50120aa21024dc

SHA1
5256c33f118ff2003bc469e3bdd638649b5b6049

SHA256
6baad5da237cb3c9e055e35db14585c476eb6a9a06f9fe066bab64505034eade

SHA512
fbb1dda19babec40c0fe4b6dbdb2cf681da554b6b11d678edf93edca2bccd6ab5c59c9607ac31530d4ab61d94be65a32fe8cf81509d68b3d4685f9b1a0c330d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cd625976a6f52b9d763687bccf7b7c77

SHA1
cf3f56f72ecd586de69b406e3107c51657500dd3

SHA256
9fe7263baca2b98e24caf20fe58b2cae012a5e4a7b3ecd63f3b13b6020189d7f

SHA512
a8ee9039ff2c5545af8563c781b7f0786f063afae59253cd871872a7235803b96ce8e58e37e47c55658025e04af56596d9eb2b4ae7538dd85a15aad6bd5b61f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a582214237d34918821f294ed01a311b

SHA1
71526610831922de48d49650723847b030e736b6

SHA256
99aa7fd00f96199380aef91b47cbfdaf004d096fd26d200ba307b5176de224f4

SHA512
727df416d16f5b6d69ce3b2111d9e7190fa2076fe252fc3e02d51c68fd948d0436d4993eeab48963ce4fd72f30d9d22caec7db12963f48889ce95b7efac5efff

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
34dc089ed0db6983041e5e6e0af7ce9a

SHA1
961f6b25f8a79c48d0e0ee198dc008c837d04ebc

SHA256
f95b8e7e9cbed3a8fdaed2bf1e75ad4d5dfd337ae850aa2dcfca3828d240271e

SHA512
e29a50d50d0a9b56451fad7b7b52f8d02df3ce79d25384d2afa408893e709c835c9b7f7d151d18824345d7d8a2288c1fd42a01e539a63b10acd17d24b8ffa63e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
c1439bb7f2108309a85cea0096ec920c

SHA1
2c8c704259628dceec81f85591a04e9e295fb735

SHA256
e3c0e16c56aaa457d2e44adeeb7da92999eb11223f91f6cab5a68475b4ec92dc

SHA512
265877d2e8a0a847cd3153aba2499c32ad055b181e3d71579b9e71061f4ce00800a20463d6cab806b32fc1032267791600182673111ee310f22485d0fe62385f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
618e29a976a51e20c700d8e78bb9093d

SHA1
5fdf0f2c74ff0d39ed4b26b9978f1c40a26de85b

SHA256
427e117f4e57fa48468dbc4dd05d4472a6046053411d601f48a2172f09c43b04

SHA512
94c841d23da3dc6ef0f028a52126df78f69a543895acfde6172befd78951a69ff88ba974e3492352f67413f08c4c8bb67e20d05bf1dc750d36193cceeade5240

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
747b38f555e2be4f6aca9f7f112021ae

SHA1
8c6225ad89a298c9712ce8cdde37d775350733ec

SHA256
b720898429521f0fa511f1a269c751b3205e26dced0e1a769ea86854d5d763c6

SHA512
71d34a7c839d4c3638cecadb186022c97f6e3c3d27fba09c625375f953cb6cc3b8e03bd608e1d0b91354a916df1838ce5c93b4cb442d23c85d332d6aa88b306d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1ef13ea19a95cd90c1842857b70eeeb1

SHA1
84c3f74c38ebafa178758ec58a05d8f0d52c97ed

SHA256
23cbbaf4025a30fa3e54a99b6fb47bd1d07ccb3893366d86be615e513e2a4e43

SHA512
4f2214c916568d5bc0d904117ff1a87e784c8b81be5b0730ecee901edccc0ed813ddeb9dc8a99a8e5f9ff0d7df1502dd19ad466f6fadbdaa6a84b643c08ddde9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
146044e5f046cee7a7418f19b64d775e

SHA1
fe434e5c99374df3619da54ce292235643436988

SHA256
c0f4b5b1f841f2af77d3d2c84b0c3cdd8aa3486b547b90cbf7aeaf3f2ae3e805

SHA512
eb17060ee1b778c99e66dcf8cf0868300888eaef3d2677593fa9815c4b9d5b60def4d6f0771fea57456c80494e238be00027d52275c86571bc074d13557c1262

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
15e64a0a05a8fac8adc8065d54397344

SHA1
61e7227ed82c2ffedda8794ead76a5638aab37ff

SHA256
017cb9bf1b98be89052b1d056026793c1dd20b6b9cf27a0227e278853ada7e61

SHA512
82c5ca296447628e2a6118df3088223cc34b492ced05b5e982b39d744b8580056b3b0ff503d9ab8ecd46a17bff162ab96e52287c24824114a5686d4eb93e71ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6c7a5a2dcd52f0010c4d641707f8de14

SHA1
dc89efc6a3ed201d8fe972d6f340617817798e80

SHA256
27d9fb68d90ae432c3e974e8cbfde647d909890613a95a5e40ac5d190b68202d

SHA512
552433149d9c19450264361b030f1402393321c81febdd67b8c2e83c28c76730e355f896eab6afd347513a906c6318dbe889bab95b642c3153f4fe79bfa418eb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
90b453f417ce89c500dc16215b38290b

SHA1
a5d5059ff60530da94e334781e78c53f9fdd48bc

SHA256
53cdccb002d79a1e647ff4aeba7f6f8f34fd25294e4c4721c23b18cad0126d89

SHA512
f036e82cd899d9e62487a7b673502132e262f2d6bcc30d68b3e56a41217d1cbf532a88e9b53bb2f3f85851da9a44f087651345187bd57b148a13c1db9ba6272d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
3c8887f1ada18e1e39d599ce6e33d8ca

SHA1
ec8af4fa9b62fd700e6dfee158cddd918ffb08da

SHA256
328bc50a56457d02e4cc371e23c67dc23266486d40b54b6190681794c9b71072

SHA512
6ca453c68b19c775c4dedbed2a8809fd4798e7ea43eb9adef4e724ab7696b0a4095e1ec8dc742be29ef0ce6f1839a2ca030cdda4df7c6ab952123f9b56f39337

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
39ce42400232e65f6ee02b286a982ccf

SHA1
5fe38d9c178081804f11e1a1b38a071cc4709699

SHA256
3beda870fdc8af871db1fa1374d436e56cb9caaeeee7d32a5f537df051b9f97a

SHA512
14468d23b3f36ed2fc39c105ffa320928474bfbc1fa9aae1a1907966dbe3408a51990b40fa7805612327ed614946bc388f6de2518e7174f1ef6004161c3657f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
ba384ad27274fcf6f15bf880561b4191

SHA1
0ce933fec2bea68b335c4453bee1618f17c89f9d

SHA256
e18150b8d7e1a1a7e52b7a0047cd3a1bccf3a4a46d09d61d1b9276560a18ae4b

SHA512
083271941253402a7eee8135f2ba082ef42fa62dad41c00398c15b51655d418cab1697086abe08c4b81ea0336a8d8df3cf9118d7c152abbfdeea59582f81b100

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
11933424365a096744e6661f667576e1

SHA1
45e26f618e21b21a5675a41a5c8b98b64d423d32

SHA256
4b334b7948d5349ea107f64a7c3a374fe7329ba4e75281baa6747fee489fae59

SHA512
bf896f29693b8d32ee80aa2aff9ab2543a27e376872ae80b4cb7df59d0e78bcb693636cee0b5f352ff0ca2b42c29c99bf46d99e730647e4176b08c343593c4ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
749cf69dbc3eb1c18ef40c3cb54b0f1f

SHA1
0b600897b20b59cf0d7f780870e6719f59504d51

SHA256
d5bc666bc4b93c9b599772c47a5d2deca85a5207ca54aa7f8aa33e13517a2be9

SHA512
b6354ca5c7003337b8e1361b51f62b9be16ee2c5ba793834541c3192f24a662a04fda08674d58473d564a3d3e9303e55b725ab2ea6ea682a2d9832205cff649f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
926eb53ccfc39442be319aa08648146d

SHA1
f95ff45342773b47039cb9c87bf15de15ef6d25f

SHA256
9a9181deef37c657fcef9119ea48c4cdb9145d6f89f0b087483eb36485392692

SHA512
594a92752db641858009c3691f50b9c60c184fc591d2078a488c617f9d8a80bce5c6a46471aecc3a496eee280ac3ccc7598f00078ae8143f8ee250f47d4969b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
b7cf0127c3926b07be56d2882a50847e

SHA1
103dd09e55685b97680e3fa9aaf8e5276f17da61

SHA256
dcf1f7d3a1ce5c9e629d638463ceaa1cf0abd232575affdd843cce79b9bfc025

SHA512
0afe976aa6cde43e2ef3f52a53d0621f17cbdd683095135610b1c74b4a1b36046947c47bb3a4a289b32bf74d2301186e84b4529bc2698f4797bdc6c5ac233679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
844afaa96eff809a1bb288b2b8fb190d

SHA1
b054179f9fa5d7f17cbc762df43e46aea2d6c79e

SHA256
d031def314602d9cbb63e9bdae220708f226f78ebded63df4c5c7a4a4505be6a

SHA512
a214050cecc4b19bdb0e144dbad0a430888ae985228835cc8fa34d80c68ab56f4ab2226fc5d1bce1d569ee4135f2c47291c911d2b5c43159dba9679c5c4cc06c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
e18884157d8f6683c1f8fede16fc27f5

SHA1
537d2f05b0fe10bd6139cb255067ca55896fe485

SHA256
cdb5f68abeb4420b436764d4f69e9535f0263ceb89a64020dc8fb27d4109ed7a

SHA512
89f8927c00bd04ecb5c08eca9952b268d99b37b09bd9f82e58401a99dd3c76e6e18c58606f818e073fe0fe9179d29ba1b6d3800c1d29707183531b34e7cd7247

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
3242790a64324ddff0396662ab4b63d5

SHA1
d1a081333905ce58f670793cfe3e66d2ba88b5d7

SHA256
adff9f119ddcd68e5afb22ba698ae8f0dc24c779afbebde2c972af66ab40ecff

SHA512
3df7eefbd7b3e86a90e5572f8c1b902bc08df7bf64b48a3a643afb9efe137a8520635f612eb9a0b5bafa8ef566f5120e2d0fabc07aaa6c3ce49b5d07c8f6d2b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
e1caa6878c3600f0f83c73a01d8a4ae2

SHA1
9bbe0646fecf51c68759b9ac6e28c34a7dd25d5c

SHA256
6111536cf21bef4ce38beb92106c9d56308a8fc04a22537ad67a0b5aa66bf5b2

SHA512
89284c6d137da55b38c82c24e3bb76a7d0cb075fe8f185d7c04b34fb707bf43cca62471b59a02aebf21c75b605d8017d1479751215c4a4f179d2199579279dfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
7593c970377c939b967f5f586f99f4dd

SHA1
cffceb02f157790f415b872087e2f60132b80e4d

SHA256
0c30ce787d6dca80f71b297fd481ba135293fae0965003c3476fd31f7d769ae0

SHA512
f66fa402c37bb55ae9e15524f1a03f10cdeeed1c837df1c3cfb89c3e07e07076efc023dd1cbd7b96a677a94b0efed22b3c3f0703e1842913f9ae2cd733fbef62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
086dede79e22e6bd1c1e22a130e63885

SHA1
6f0184db995950fb7286809c87f53c560ba78c7c

SHA256
eb67d220cc05140d706ab2e54a062e121138ed0b9904a860ed348043fb03ad65

SHA512
0ca30c2674124d8301f0d6729d22478bf1c0a065a0c8a5c80866db3cea5bfa1201faf3deb3c3383b89446ecb17129f3cc8147ed56ae1e736bf1b3b7bb6fe99f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
603a9ef104b90bbc787dffecf30e21a2

SHA1
419214758edcfec5e562711eba6a9c99f586afd6

SHA256
ae6c5b53bea68ebaf179fdf41da1f2f6cfb01b2d22f5005d883517cb69d2dc4e

SHA512
9cadc80977e4b7c7f6a425d81b27ccbd44dd0db94fe56a64017d039664ec9c74ee5ea8697953418b1b6776597b7aff216e3b0de6aa983701ad30644cbcd73a0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
b46db5e53217abfb78d672a4312a7150

SHA1
d1f0f1ccf3ebcab111c79ef2486871d8f18751a3

SHA256
eb8e7ab28e9007e3c323042434138ef41dc35e41d8a273a6e886bddc21032570

SHA512
8c7a32884fb3cf3858f15f8d0cd14eb0f9463b64daa8250ee8d10ec2b28d2543164b611ec9bb1420f084cc61afddd15298340f4cd8970f0808612005f5028e1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
2ecfb682c88527a8b0c4aea02f46d2bf

SHA1
f2b6eb7cac8766a3169b8e985c86030490a44b7f

SHA256
28a701b0235deaec644cc2099e6df9ccf4b49ff1013eeeec05479a50efb6b1ce

SHA512
e0435bdc55397e2832fba1cd13771c3ed84f96f46e01b9b859c2e9de94c7f1102ca368997ad952c6714035d0c812cb9844abd4bd10e8d526fb105a48e0bddab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
9d1f46886c145cc59d1108cd14f6e706

SHA1
e06a715cc11249adee060d88fb8295f1d347d649

SHA256
afb077b2433ff5dff0c97696466f6e5756cfe8b442c25b2c2c82438bec923edb

SHA512
8b667357d9d7f71296be6c607e5aa68932957aa0edf54150598c8f480af7caef08c56376911667bdba701f4fba3099b03d66ba60c4dcc9214fc906e473603f02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
b5aa9a4ef9205d598bb7ab26fccee7b7

SHA1
6508a93e1d1167adeb82e0d6090597108b3e7e86

SHA256
a133973a4de6c742729d0d182f3962c9aa55c6ead0b3d1df8d2dc102912da04c

SHA512
bfb3036a20dd8869695eb8b0265651afed0014c317825d0a4b91b7a4194a534042adc5fc8a0b2ccb2396e6760a06320e4e157bbeb6e353279b86946d0641b280

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
62d65237ddd9752c3e48bfd0bcfe3110

SHA1
de4ab5d2a143b13b96abb625ff55b9bdad0bf853

SHA256
fa61203605f65d7734585faf8162be11c334a8dc9ce6c5906336eb9519ba00d8

SHA512
19343a62b1c19df98ef8cf0efd6d5db32670ed06098f2ae71224cefcbd885694e056d323a2c5b8ae06bca9b6e52dbea5f6c63c346197553c739346db4ff3890e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
3bb8e13d6368e4661a38f9fd0958ec1e

SHA1
d632880f0c16b17fc42a6f4b2c53fc0ff17e7a27

SHA256
f3032ece8e90b858cf743e6b6d8833a3f72e869b0c14153bcd8c23504b3266ed

SHA512
d6c8435eabbd8580735667ee0a9cf3f447c5979745b90c36f0dc04e2c0904b58046706adbc83883efb57afee4e7eb27a309370374f830f6c218a362ee852d480

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
3646370a2f46a7c00d30bd3e50098fb6

SHA1
2367ff244f033137ee049f154d7758d8fe980b5b

SHA256
4520577831a044291a56514ae136dcb18b163febb053ea851175e09a2e02e61d

SHA512
6386ef1b1611f06c584d5d6b689a338bd0b5912ab24c79651bc573bde681dee6a4fef966569afc844f0a5bffbd3f69fe89fb0f9fdb77ea011730b7a9721455e1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
de444d75343f9a35db20b5a934c6cbe7

SHA1
999788188571d8b17b0e5d7389a4190f8d1cf332

SHA256
71f3d7e661c34e70caf754b546bb11b81527c66adac2edcb99ea5cf5ef500724

SHA512
d1e3ccfa559381e3822dae2c2ca9d186e85abee0676236ed35d07b22557f54fad04b11005c413259c3734790f3be6091123ba84af58c9f1b650ad6e83a043dfb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1d5577734121b5cb1854b6f8f02b2d61

SHA1
35563b5d9343c4f5a8314301df4f138a1ee17e7e

SHA256
b23540df67920f6df20c2511aac8182a3e3eeca6f1a654afaeb9234baeec3aab

SHA512
23510d4cdd8cebd2196bd77ef117278c4e248f9187923745719ba07e683e212460e0fd34e0982475b599b4a59a202ba0e5dda9813f8d609c92ee8d87c087f231

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
beb5d8849789ba713689a79852b8b223

SHA1
d097d3c7b4e0aa48e2a39eef392b79d84732a7ba

SHA256
2b98e5893b86493891fe0c57de33b4234eb82009b7304221fcbc4de2bcc2cea9

SHA512
9f01b19acfc38ff65238bbf3292b4a42fc7e3611e033095dd7a55065f77eda971a010d2cc108d30df287427d0aa6bdc85384f8cdd27b5d1042f0549b29fe5d7e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
b3ad6caf1e9628b2a310a40fe5adc72d

SHA1
07deb2cefd1bb25fb4b0488ae06ca28c7d412a24

SHA256
86ba5db96b4bd81f059065c6a6da957067877647426e9001d6fbce334278a95f

SHA512
6e2503e8de00d99f375474ab6494ad81b42616fc782580aaf3c1c4f7f40b791f981d528ebeac24a3e5533847013595ccc132b801d71a417a7a56acc915b840bc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3f0a00cbb98cba85fbccd027a39d0bdd

SHA1
c5228311d4a69f7b4f03676715c2427a1f5808bb

SHA256
f0af5c2118c82ffc3c85abab8660d1db49a260ba80d85e5e805f5284991ffb66

SHA512
ce49521595bb9de3d4800ac9039abd6d78d841e4da3d574056aa4d4c4377f046f69962fd8245fb962ea655fa83a170883a0ecb694ef626254d8b8160a6938490

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
19eb8222e85dfe5ebe9117639fae5b3c

SHA1
f3c689dafc45a4c71e2bfdac3e20eaf7588e32f9

SHA256
b5bfd6dd3cb8da113db29ba2fc095a303c95d18d25875b3d4d01bdbb1dd718a7

SHA512
56d5934573ac6f6fc031ff62b11ee670e7162b1ae2194dbd8c8a690e63f1a40ca8eb0db3305cdf481f222cbc777338687eff0a10227b751eeb156afb0d4dd4d2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
f6f2c1a02fb8afb7ffc866a0049af661

SHA1
b9c6fe4fa622894713f8ca5747ce410e3cabafe4

SHA256
94cb007251216a50d8e23c060290e23312293d53b2a13038988d3b2d927291a4

SHA512
d499967454323063030f674cb6d7f8d65a64dd064fe2e110bd4eeb9a9d82da2be142e80f752ab8a78316f29344d436251b8769e7427b27f8de6ed256355ab409

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5fafcd38122d528a1775db09f4f47365

SHA1
54d95e2440180192b809b2299ec9a238250646dc

SHA256
7db45a8c65631bf698137ce7b428de5036e0682eef127996bf88064bc8e0715d

SHA512
fbb0a7a1ec1b89320f95215e468b4e8c703e9b46fa1246afb283866a9e46f9be81ef28256dd1b42451b04894e7de36247029cbdb02e3a42d63a26c59d2abf22c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
091e01d76ba60c64825bf4671d9d4309

SHA1
35e017ba14b5c2393f925b627684d293ae015b39

SHA256
99d267819af445eebaba80c8c1e05d113192c44315e283e328f2536876612032

SHA512
08ac42ecb6a2a7af728c78548ee57edd10e20b3b622a07e2c7261b51391d7dc194f60430701e07df881bae280aef0a3f25289d29adb8c2d5e88236e44d566660

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
114b9b30356e78d62e1e6751560a9c1b

SHA1
e4eb8a952f283f830d4ff977840814a30c09d761

SHA256
2096073500d13de2ed6cbf3ea33ba3f586414636da1344edad7c40fde1bee7ca

SHA512
8fab53a49a7ddbde58613f06f74d98dfc6cbeee935c9280f8d5f49371cfe4ae14e6dfbbbdf50c577780be87835991d75b2e5ce2dbf4c161a9d3ec8a7710e6a24

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
11ff04e788136b10e2550299470888d6

SHA1
9a51cf4b4a5768a325cf04e905a302c86707b5f8

SHA256
8abb73b8994aa9c5201d0da081f3db639c10bcfdaaade8115cdce1e6565537fe

SHA512
209db26053bbd78c4688cdded27eca1f4e3a55ad8dfd57fbe53de1a13a9f06bccbaabc042e9c4238619f80fd5ee7f80f83266323acde10e99ae37335a1bbe825

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
729826e1bbe18b6d0dce755c03b4c067

SHA1
cedb36a2b45b0e95231bd17eef10f4dfe67c2f8e

SHA256
28154d6a944f9b369974d784485f719623d31549acda5cb9a56d23b150cacc8b

SHA512
6bc711087b0daaffb32e26b1b9bc277e1a4293175a05e390203f84928e5735f1c7e211f4c801b083d5819877bca7ed90fe981f0cbb81dcb31f2e02fced3efdce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ea49b055235ce148901f13e1682470ba

SHA1
cb468f9d9bf94097475eaba3eb871c91b9d1a975

SHA256
fbb11fd1b97a1838ae8a6378eafca263ac096c7079d4a8fcfa6782c20a5c52d3

SHA512
c1e45c50d856cb2f27e6737dd8d0b1b8c7576b561db6392ff7ecf8b0f82fceed759fe00636153e1d21d1e1dde0e8393c9af5f9227fc34c369da63abc09b01ce1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
75f16ebd0cbb788d32dee951ad3fcbb3

SHA1
2b3bd3db2c2e8ccae8b619ced8fbf3690977283a

SHA256
210f9eae3b0f6ced10514fe9b4122a42972832249bd6b0791d6d798f74ec5b2a

SHA512
1e4c445895917e5dcaccdaae9c4c5a0b5f93bd96a67e94eb75c932d3746c00b47537cc7df3c16b6440281d6843d50bd9aff405f859fafb5ca757ba32dc6473d4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
8b9904dc419bc6f82f4486acf39e3570

SHA1
e5f220bc618a81db8f7c48e21cf06aee97e89b24

SHA256
1cca2063aaaa4e5ef87223d327870b9141eb7e44926954c0a5c8c18a7041efb1

SHA512
29a4e9399257db743abb3752cb5581b876cb8bb3800191e33506dc6c9a552ea010d74edeb5b744968f2f681d1906fa7e00b6e7f55838a31f9bb737965754b791

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d6bf558d8f73578d15b7cd0c03d1d7e5

SHA1
eb94454e1bf713da1acbc9a21af2f96abb113293

SHA256
bffaa8015d94388b805a4241ced75d7e4de9e10df516975b6179ec316c2901ef

SHA512
70b463656a2ce3bb2839fabc230efe32c11a3c5e7f117a5b25d1709e64c382382ba95a204b0b95232a6a26046f062c919fbfdd526e0fdfbcf971a4c576966869

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f3ccd78d3d46103ef4fc827871bb6c01

SHA1
321c080b83bf5f59d72ae32b6dc9c8efda778745

SHA256
8811231a3f8e0eb149ceb43260f0f85758340f2d840dcfe438b151e833eca989

SHA512
c4dddd2149c5ca2724563b97ea996b2e2d17edaf0726228497bf3397ee44b7f9afdc51b30611ec5cfd58b3c68486a249a2b67b34f71312d61cada69e204939dd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
55005394ccf4413090d4c155df31a6ab

SHA1
dc9875976acf7a025eecd2a33e9331447592162b

SHA256
fe3d516d37c1101aea20b0be5af16d3676ca42c6b7a1404ab3da93749451beb3

SHA512
3d09492b6969a8037605a869fb1d5355e06690c5c4e1070a2465a9a4f1ef28fffda18460ba9b873cce3ba8a43344951193c3258de7d83fead81f535c2d7301bf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5ac06590b155b2b948f0711fd29029b6

SHA1
afd9592a6db64e8f2911d98f655cf4f41439c5f8

SHA256
152aa9bd05f1269aa2d3db4b43f667f19831fe8daa7f0163c54d1861b07e0de1

SHA512
42ef3ab101c17325c69fc486edba174aa23e423c4a40fe7ff4eaa5eab562e632a699cf057cd1e2fce66089e64468e60aeadd8c67a3e84b6f59cc2bb1a524b182

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1764bf9b6eb33c1b6d83b9c386691777

SHA1
a4179f3c495718bbd5c4beb24a39dc1de23893ab

SHA256
34f694e9fd7bd9eb1f75e048c02cfac80e8b9e87b76b1e7c35c90d273292a72c

SHA512
581d7c11fe11380dcb7efd7d598a0f8aabce0aae87d5f362bd532d8ad7be18228e3ae0e3af4dbbc0d50135d01b43d96de1b5cef52d630cff2073eafeb156e007

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
655KB

MD5
f7fd880a152dbe35d4c6327f0058e315

SHA1
44ad5e1781ba50be8b3da41e28ea8ace1fdabe72

SHA256
07b7ff72786d62264001e233481bfd1bf393b2cd3fd4b20ea77b20c2b15a958b

SHA512
5d7995b1a5a7f19a56a08147191e8937b9e87908ea4378b2e05648fa0d49d517e02569ade2e6ae6b10bc3451222f9a02d91fdf68c46e50c7d5f7cddd94078797

Download Submit
memory/876-53-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/876-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/876-65-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/876-63-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/968-606-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/968-433-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1532-412-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1532-295-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1604-577-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1604-328-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1644-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1644-604-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1688-281-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1688-400-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2312-255-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2312-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2312-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2368-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2368-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2368-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2368-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2604-244-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2604-243-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2604-250-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2604-362-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2716-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2716-603-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3380-351-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3380-599-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3412-269-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3412-388-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4108-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4108-40-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4108-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4108-31-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4324-305-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4324-427-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4340-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4340-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4472-605-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4472-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4572-235-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4572-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4572-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4572-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4604-2-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4604-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4604-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4604-28-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4712-363-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4712-600-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4804-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4804-593-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4944-84-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4944-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4944-67-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5008-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5008-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5116-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5116-592-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5116-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download