9eb0c80a00e50a15a9bc693ad60cb5ffcca8bff0bd5618b6af231460196c00a8

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe
Size

1.9MB
MD5

5442e6199332c67131e2ac8d200e9363
SHA1

da0a440d8074199683cec3de1033f99bc6fee141
SHA256

9eb0c80a00e50a15a9bc693ad60cb5ffcca8bff0bd5618b6af231460196c00a8
SHA512

9b41b5225b0c8ff9b94794d68326fedabab0585334d585a8dc24b058cec45614a8b7f227dd439bedc6a90d29a5413685f23e91334a59db70580d7230b7944bac
SSDEEP

24576:EgVPrPls+oEjCks7WE9F5pwg8zmdqQjC60jiHkU:Egljllo0Cks7R9L58UqFJjskU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3296	alg.exe
4968	elevation_service.exe
1136	elevation_service.exe
4064	maintenanceservice.exe
1948	OSE.EXE
4820	DiagnosticsHub.StandardCollector.Service.exe
412	fxssvc.exe
4404	msdtc.exe
3008	PerceptionSimulationService.exe
3684	perfhost.exe
4936	locator.exe
4508	SensorDataService.exe
4876	snmptrap.exe
2956	spectrum.exe
4592	ssh-agent.exe
936	TieringEngineService.exe
1672	AgentService.exe
4624	vds.exe
1580	vssvc.exe
4136	wbengine.exe
3628	WmiApSrv.exe
2408	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2bb1b395c9b3195.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CABD5C61-B299-446E-8273-0F06174CB008}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee09d4d04eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060a6f0d04eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff94bed04eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b6671d14eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c5fedd14eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009bcc5d04eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8bae4d04eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008df29d14eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e11844d14eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c638e6d14eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009832bcd04eceda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe
4968	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3212	2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe
Token: SeDebugPrivilege	3296	alg.exe
Token: SeDebugPrivilege	3296	alg.exe
Token: SeDebugPrivilege	3296	alg.exe
Token: SeTakeOwnershipPrivilege	4968	elevation_service.exe
Token: SeAuditPrivilege	412	fxssvc.exe
Token: SeRestorePrivilege	936	TieringEngineService.exe
Token: SeManageVolumePrivilege	936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1672	AgentService.exe
Token: SeBackupPrivilege	1580	vssvc.exe
Token: SeRestorePrivilege	1580	vssvc.exe
Token: SeAuditPrivilege	1580	vssvc.exe
Token: SeBackupPrivilege	4136	wbengine.exe
Token: SeRestorePrivilege	4136	wbengine.exe
Token: SeSecurityPrivilege	4136	wbengine.exe
Token: 33	2408	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2408	SearchIndexer.exe
Token: SeDebugPrivilege	4968	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3212	2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe
3212	2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe
3212	2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3240	2408	SearchIndexer.exe	110
PID 2408 wrote to memory of 3240	2408	SearchIndexer.exe	110
PID 2408 wrote to memory of 3964	2408	SearchIndexer.exe	111
PID 2408 wrote to memory of 3964	2408	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_5442e6199332c67131e2ac8d200e9363_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1136

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4064

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4460

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4404

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4508

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2956

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:444

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3240
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b947d0287ae78c1e75038c1c57feba7a

SHA1
7ecb4a44eac859f688e09bd40f22023f89e9ca2f

SHA256
a1b8210065591ad5bdadaeca7b983618358d988f07f009b7d8c8dd641918ecc2

SHA512
a85cb522786ad4d04c3e60a755702e6c585014e0e1cb6caa92d3692953ce1f5007375beddedc756903f42b04d6ebbebef1467d3a071965a77e24b720835822e8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
e324af7c402254c040f72ee4d1038345

SHA1
ad39d75aa964c85ce19c84713156cfe1ffae7cd7

SHA256
c4374f854060be4d67d71597e565e59e8caf1c5506bfc28cf7c64b7b107f899a

SHA512
3a478cc24f6477a90f454b066f98320c3bad0d5575d246c7a4b6023a48deac47a5d436251175cd0c6ae1f1f0d1b69a7144d0c47da50a9bd302402ae5183cbee7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
f3030b9d1ee49aca7770e1c55205a055

SHA1
3c8a800f6b59394e037d0a8b71d0ee6472086f46

SHA256
48f7a8b80a5c2c884473f44bd42ffcba17c9a241b078c9b47f67c634fd0b0138

SHA512
09d5bfcf8c27b5ea9a5cc60979f01906b0b0e85a922107501ec60fc4f450559b50099e4d311f76bc3e46b055f566290cc53f8e861cd887d2e3bef1c89838dca2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a4254ec9a92cddeabcd94231b8027f40

SHA1
4f69305fa9be25b6df71c2c5b14ab8a18fa0639c

SHA256
b4f715dd5e236db65cb482c0316b1bc32caa3e8e0e30668562723eaf5769d62d

SHA512
a56d4543afea3568972977ca65e6f80579d1a4a7a241e19d978c30a9677314f149e1c07f0a217267f0003fb7a2be2b7887d033b0cb54e90fb1c5d45e643657cf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4e1d4653594fa7100c71636ca109f1b1

SHA1
6ed6457c0b0a68a21661b98ecc79e7c6b60114ac

SHA256
058bdce0f649377938ee08393baf4234bdfd1b580d99293975313b0f2f113435

SHA512
6b83a3193dc5145b7ec84588deac3416a2c3e061b893c38fae5293876699a181573aa6f9a300404d1d5329f70bc99eacb3aaab3de8ec25b61c7ea1f1e918cc17

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
31194da785530de4b555ee311aee12c7

SHA1
5b572cca94dc415bf0196add369a39f144fac835

SHA256
3a5259c312601faa585aeff1a1a5c602706f6fcda5da9f8a5ad3ff9cd19393cd

SHA512
fc6e62802de15a0fb0269c633b87b99cb5eccd157b79ea35ee0a72c14839af6db93e2797723bf041ff7e4713fe0c5f6bcabc36f4c70a127dab85b035ef739aec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
ec2843740586326d3970e5412b1b5fb0

SHA1
4d60ccf4fa9c7337f6cabda6479d97e8f8d0f1d1

SHA256
d0ddd720253509fbb2196ad3e4cd853353995d8333064f69429aa30cf778daf2

SHA512
7a197bc35ecc3ff33dd348ceddd693d201394a6e9f70b57a14b5e16687bf579aa4ccc6eb13f2b571be8dd277115db53fb5c9aabb8c63bfe9fc72ab95ddc0c31e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
193fc4fa3e0975f599052845f0f25478

SHA1
cf741d2afd9805112f567203df084f7f596c403f

SHA256
608057195cadd9f3071ed880f0308563623ed847e804f6e6fdd3933507d22e76

SHA512
9dd7cfac991d3ede84f237de2d89c63401d82d0bf868fd4e4e2081e21b47e0d531ee18b0ed19010295e33ac758cde4af894dc8a56aacf32e86e4b82f27cb171c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
bcdc3b5a2b1dbc306230aafaa9a1a240

SHA1
acc4129bbb2b3d9a5b217b5ba427dad821556491

SHA256
fdf50f2b65e1fd96418ef369c4c3a5df1e8daf42b47be3909135dc1aa026aff7

SHA512
f90f3cb2190bfbe08f9b11e8da9f0ec81af26c7496dc963bb44858cdade8e831e3249386aa0d97b40670cd71f76569c2cfd551f9762b1c1c34ecda1050759ff5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3fbfd2ab062aeac8448a955ffe305c0b

SHA1
ca535d1ca56250668b0494e8595615975aca7ccd

SHA256
26b165eccf5ac32df08e5e75950e43aa5b59031bf573f09e4adb1b53c89d270d

SHA512
fe262d398c0ee2e3afc4ceda60cee53e9fde80215b0b4f7b60a225afefaf535e62e374b27251bdcd3e0009b26eb60f3a1d6af86a59ba231942cdd29e628580ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7112ac7d5e0bc8c1336f7f13cb156203

SHA1
192e26d8dbb22f8bb8c4ef5a2e2cf029c130df4e

SHA256
99f6ae45869644489129df130a5bd15568c14fa1159912991d86849da775e316

SHA512
d829cd56f2d6f4931829fbb65372580ac6d4b0324fc0c7f9c6a9b6098ee0a0269d17caa9a87f2e17b22248b4298b00310dcfea1c20c1dd235ddd9410c9fc2636

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0cef10855d914a367bd7400ea74ef70e

SHA1
40ad7f8479f769cf82933c5a3abfd812e88d95f4

SHA256
b62d61ada6bd3df461d55200a5ab7559eef1e0d11abc30e6acd4dbfcadee484b

SHA512
8b1909dabfd439144cae942baa54bebb7e53934e1d0fd2ec417d439ec696b629736ce48c1d3aa8ca74b7817279b26ac81078fd5590d661f53641988184f5ed18

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
376be2d01e783de4519e949bca7cf46c

SHA1
b6796845b42996cbf72defdc6d03cfc34a5632ca

SHA256
6ed6fcc005dbfeb3cdbc823dd87c96f75c7dd2d6434a916cadb0eabb9e12d01f

SHA512
e159a6b27067c05c98695a42250a7ed1c37a31aa4d63cf4547283929ced63b99912773f7d2d7867a750fe9f6c8f1866d6916a47bd74d533fd16e5378c2fc5da3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
82a76bf68551c9b29ae44ff47652926b

SHA1
673181340e140cdda1f0f75d3cc53946e1ae30c6

SHA256
51721c6a65bde02567b507cf643de2f709e6813ca5e0a0330f0974ee6450ecd4

SHA512
0bb8e45a347a5883aff8ecf355dfd37e809ef7e186d31694e500323defd4d14f415f93741c8ea90f7aaf5c00b7c214bbe67c0903385185075fc0d905d2d91290

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0f41524360fe05f20a0e0526cfd10149

SHA1
5c79664b6b36a5ffc967e9f1b682bc4959ceb883

SHA256
ced0e8d0405c6ccff4bfee07b7a82e6d9e46692a78a490bcffd256763d9f995f

SHA512
bcef1a5bbceef020d7ec57309feb9ba64ee85cd98dfa3e1c18c6ad3893094f23f7f1057499a3bea9a1bc699c2312f04e33817fe458d2474031c123ba6c83bd28

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cec7845df25d2e75539b5dab1e40c5f1

SHA1
8860dca8fdd85f0b8bc45dfc6652e66d9f58af7c

SHA256
64aeeaeedbc3fc6f6d70b65193eff73e1d5e0b58e10ef7069269041d4961d0d0

SHA512
d2783af0118d6c2e670a407c42440163db5a388dbd65d7f6704d7e69bd00a13da71c9d9c5672649a830930a08de53807cda13b97b09d3cfa96f46b7470695d1a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
95f07f1bfda87b4e47db8b1a5e6d660c

SHA1
909f5753131718629a5eaa4aa5390ff902c243c3

SHA256
892c639c94b710a432fd476344ed1fafb6e5477f4055a1fa65d235b84167056a

SHA512
15d186cfb2589d65a6a6a9d3c01b692bbefca0513cc8fec6dad85f6793dac1e859519b53c7ccd5d94b07efeb3487d55a183c1d7e384ceb34513bb09fb75e4c56

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
481c76f3352210068bbea60fb67b0e0c

SHA1
460c2ed2d1982eaa94e825bb7dad966da67f4205

SHA256
d79a39dbfa3fa9a295aabfe6369747be3b4cecef57f5a56b14f17112e1114cc1

SHA512
8422a8975e45385347516b2789b9dba7f96c85f2e314b1a607a535d96082c422bcbb0fea020c29b5870418e44ce9b0ce10ec56e73a03c30f97f58b775a1eb5cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7d81ced9d6c14fbfac0815f3d88278e1

SHA1
78a4a452ba46fb3dc848a0cb38540bf7b96307be

SHA256
878d49817d7a4d12ebad31f1637db188c14b23c6fb749e4854b951dbfbbd56db

SHA512
91d8ee73197ee20f1d97451e46d770f10a53d7b9ad63eef4b18c7939cfbf9a280cc0cdf386b7e8784be853f27cf9aa3ea07d6335027693acea026ec50010219b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1166374c3e846f26d5ab5568c7306942

SHA1
b5db0d56005bde9136bc3b8994c60e0f5be41409

SHA256
f9c1a9498d64347477b0e3f0839bb1290a3f07198174715a39fbcb17a13b0072

SHA512
ab828a7ec18156357ae8eb9c2c04355eeabfb669a3b9ae44ccee4e1d8590fd41f32767127f7ad76caee128d02f8cfae6b08a5f7a5d04521b2479830423a62966

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
cbc64150104f224f6cd91301b535ead6

SHA1
07cbbc3cfc8089596d9525d9d74e3d89d776fd33

SHA256
4cc8a93dd384bddd6b41b863f94cb9fb93f3aab1e4984dd64bb55c1432d26e16

SHA512
08e3ff12783048bb31e5b7c4156aa89ae94e52d255f6b93178d31bfc12a76c9085805bb2f45c69d65b33f81a69c6f9babeefc77393e89f64c93cd7c2569dcbbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
7b4f5903b373d2776ad8bae55f358098

SHA1
9e7fff096b39318060c7d1b275a72e27c366a9fa

SHA256
616e84d89e62491f6334fa45da8e8d9828153782c02a1f4ede3de30fb53e89a7

SHA512
e060039cddd622af8ee5fa498b5ba598186cb46ff324f8922f13ad201bf81df47fc3e435752f41098728340844237e6e9065294ebd7a0218ae52f6cb50982338

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
658759117f67945d58b4702a82e743be

SHA1
37a56321d739ff9b9e99c90b2e890641fb597b96

SHA256
0085edcba13ee1a2ee07ae1b9dd6d235e0e7f787697b13c479294695f8303514

SHA512
cabcac68e50024bdf0f163381b3a931e38ac99ee3ea44a73e77438fa34c9c2ae647af86f36679bd79bee78cbe4c56ec96a838c3ed56b6e6c9ab7f0dff49403f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
424eb96b9a03cd289ef0ea20c75b4b2a

SHA1
67c1e21943019a621674dca2642ad6596c4f3adf

SHA256
45c26633083400f0462d50624e56f14dbb7ad3068870859bbcbf7de5aa7ce3dd

SHA512
43c2219ea769d4059a6422b79be2e7cce4802135c68e84c5c7bb107eca4f1b99bb51609fb31afe52c3146a96adfe3ec6b12afce4c3259cf9eb0791b3c7c3d0e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
983da6297b379b156789a62b0d5ee1ae

SHA1
842a8c2316475fd0d5dabe49b89023b4b6f88882

SHA256
86be994e223a4b36752ebe3d8701e0c79f2b61f4130673fedaee8f2ddc378e3a

SHA512
364a34ceb5c947c3f60e9d7744b7e4a8dca555caa902052bf4cfe053be016fc80ac8b4ac8dd2cb05b75e120fa7cd4467bdbae436ea124b0b98bacd5258181230

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
d16bb540309129ecd0514cc5a351b0e5

SHA1
4ca31cdb95d1ea4b5c13a5c76591027993fff991

SHA256
2e9cb8d08e2bbf5721d73d12e30d1dc40836a48fdc2f8d4dffe8344ab2bde684

SHA512
274403140748460e9910a128fc498e1cb926580c90261db2d7d22dd4a08681517d220dd30044c947743ac77b16fd9e0fa8242ebfe648eba2b255f61dabcad7e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
3bcbd7112b0b4042b82d99d81a231f30

SHA1
7a76f2337c597f98788e6d0165dced23f86af864

SHA256
097de626f6744239e834fab24e0196d05f1ed59708c611283e87adafe02e48c1

SHA512
1e93a7217b4155171c25c25e9a6beb093d85d60d2cc3b988c40ffe0f4e657f4e3b0993ce9878b9c670fa973d9bc00bd196f8c267f88d1f30a8805ffdbc22edca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
21022023ae57589442d741f54c101bb6

SHA1
ce5d3d84645a3b33814c4abb1b18b9ef680a29de

SHA256
af4e27f006edf21a9b2178d8efcc6d9ccfdb5728d1d34ddaaba6c508bda44d8f

SHA512
945ba9e1244fdae4161c58e63bf1fd51432c2e17c3ba2e675ebe1085292364a18b68188a9ff0352fe833d45546ab9d8e31f29150cd19ad140d721f4c5649bfe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
e5d71cc61dae5b75d71741be229ef249

SHA1
bbeafe3a90b62cd67afc249d29fed1e0d49000e8

SHA256
a8097aa0febefa492462c70f27df9af9e367bfd714908772d96ac8b91de0a5e5

SHA512
aac76090cb6bd80f2d20a6811413ae4f107d3c1e9855121e3bdb9b5655238150d0c55c0e129f2c412ba3cc87900f823ac735b5ea1cf45db901f45167a3b656ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
adc1a9cc125bb652397c73a2a00f2d62

SHA1
cf56d77829965aad147fd448162655d0314a85d9

SHA256
49b3c730f1c9a95f49015f852a76c4d24b633ef67bb2bb245e49ee0125e1a3ad

SHA512
8eafb1256110df886bf8d8a0661719916daff2cb97c8a26dbba4a175064e1a3df96164f988fb4446ba3b7950e06451cf5bcf1caf6d6c559faa8f4b393b89159b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
70ccff4cb80e8df2be209239e051ff6a

SHA1
5ed0bf49c7ff193eaf305ecb4062a151884bbec2

SHA256
8b0c42022cf36870cb9fde7dbf18f5b55ad3a35b494d8d1b46866f957b49b900

SHA512
c01901a34faf865e3d8a503d65893a61fc676030ea3fd7b9ab3731489d5e2ccd0f2ef3a1d1fadc5a260587f6af81e94af10170bb8d2c4f8817dfc01aac15258b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
7ab47d6fd33a369596c59ba424968b5a

SHA1
b35a568eaf3cf4d581ab3ba3b46af992b3c8030e

SHA256
279403bf1fe368a5f045306e24d9299cb86c4db55ca12899498d22119f2c9d96

SHA512
36c373b1c0a296de6fdc12e9a81f5810621b7283b72f4bdaf495796175bd615365e73c0684fd06dd72f964ef4d35cf1dca31e888ca5c61ba3d96d52f989a8c3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
7effdf4ea8cb86705fde8f9685d2fcd4

SHA1
8ae443c1da39b3c8a14cb2fc7fca7c53437e3a25

SHA256
b42a2730acab8481815726dcce3906362e7ae00dc05fcef5a71b0d926516a107

SHA512
7827051e8ae1d915f3860ef509c05cdc258ddff999a888134ddab7fcf8ec8f16a8e5a93d01c0afc4cceaa843145d008e0ebf476dfbb64c3981e71285e81c3b1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
1e372b43aa001516df234a3801e0507f

SHA1
798b9aeea1243e90672639e2388c414e96501bcb

SHA256
1aa4338a05d53f4033057c164ac395bb755d85e5eb72b6dc431931570b5f0cfa

SHA512
5dd5f079cd547fe4e838a15749458276b58f3c3771f6fdb9a14575ba5fd3fa95c8c0f81d0554e5543c9f5ee221b2024382b97930890124a5a072d969cdbd389a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
0476f873a173bc34efd0dc3cc0a12d27

SHA1
83f0a2bb6bd1dd31809220472c2ee89a2d00fdaf

SHA256
923373c40bb6802eaf56ff14e5233a1c4570b95abd8197d2fbd064ada8a1d94b

SHA512
1912f36fba9bd486394e7f6073c905974d1419f279ead77814ee49a8d2aa6b5bf4837d71dc3a7cce30d4e48448fb2f6721c78288a5467f7809545697f9c30d0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
5e60200fe0923f8834bcb0c4c7a2b696

SHA1
c994b5565dfc1d4f27e5aabc69130fee6ff5b2a3

SHA256
94c54852e6d12a1030b3766cb78d68589b86300833e0f4dc2ccf463393d09fbc

SHA512
91ca4a010a08e8516d4c0bf0985117a4e2b7c12fb6066adbb69d9cdf635c1ddb9fd04813aadda6638a49808a4d1cebcb4720e35bbdbcf64d30bb82311f8fe6d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
8effc6c1f6624e391cc68d2c1f2e95c2

SHA1
4e8ce7cef055ebf43c7084030ac5378d1939672e

SHA256
60cdf8d3b5cf7597db56a3fe0a728f2d8f2709c93df340f26192e10d7d56c174

SHA512
b30487c645a26f2ed977c6c0f00fd8bb5d92ee3eeb35f8c24a9f10cfc0d7b95441d84acbbda1ca72f52fa41a3874da84819be0cc90a61514fce2e13874ad7d6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
3c9e98eb7dce0126565762071f92b874

SHA1
c553e46f43fba4875923047dcea292f280db76dc

SHA256
bdb57be9ca506be68308cc988f7d1ccd7ee007347f3dbdc35f46eaae3a076a63

SHA512
67ec076fc398cc32fa84fded715b907efe2e0993132b814bfb812c9129eeab7e6cbea5e95555315615b203cddbb03cae8c251ca3871862584b73157a332db0e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
2fa710a53bab63ef504f094b4f3ec314

SHA1
5ae2785ef8c1b5acc44069db3cc16febad249bc9

SHA256
21c48bc21fd64e23de4161828ab8efc78752dbd8d64248edfc2f3ab224ce18ce

SHA512
181bf8d98dfd46f5321132c689a6fd0ae8e8d22491b8a3201496c25e7402df118cfa15a996e7e8262ca7a1c79c19c1bfa71471ad98acf68bcc827bef2e3853a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
4063435ffa150f787d5a8b6fd32830eb

SHA1
e5e799fe2cb4c20d54ca1d3f6f04320d15811687

SHA256
b3702c9a8707f41f3f05b531bad61bb4236ce1e2e66eda1ec7abf9efb3f0772d

SHA512
6ea1ff4c05bfc258e768d20a335dba4234fbdd006e863494833f7092d8af09d3ee7613d2345dfd9e6165f29864ef641ee8471d3df7e146a64dc425ef6684863b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.5MB

MD5
dd698e087a483101c92771c8e79acdcc

SHA1
689aec01794c3c6622d1f038368b9e776e43e8eb

SHA256
2eac507e97576b70a18ffbd2806aca59b1ee741e7461576ae9f3564c200cf061

SHA512
d1eeb5299ec57a86c3ef5644864a771fb3c91a3fb6d4eb3fe4f7e3bc8fbe2ee85d9bd412c76f93043e4509ae180aba424b30a02569465fe8a5bf1d09b449ab81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
e3d8e75b87eccd2c5b538e82532a15b1

SHA1
0a3119d9f890d066e2668136c3cb77c01b848726

SHA256
6b4c1d41dc9b2377b7953c1b9aa8f727745b113d22e73356d7caf782b55dff1f

SHA512
e9da7c5d35726d0a4f14348ad6d6c3738ec2ebb7ceec6d53f2f52d8b77c589cdad41560db43d6d0001bd5dfdebb64c5cdea6f5bc94b2fe55f6aaf8fc98d9f7a5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ce136f7f3c6b7e36137c00495cb244fa

SHA1
41ee7c044a0142d532886697bee70037a91b22dc

SHA256
1d95adf11fe97bb305b3140cd57f5b3b7802ebaeb99630caabfb3604d7750d99

SHA512
842f01fe13e08adc5978de93598b8a395f501d64b4774ab04b4abe8eab7e840f2b2876931297b4b9dc7b3bdd628d8b9eadaa3bb701467ec6ea5332e7d52a79e6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
22e6ebcc7f48604ccf348dfb88af14fd

SHA1
5bef0edcb6a549d1119b1f9bc66de05c67847443

SHA256
9457b5759351e2d8bfa62ecfb77de958d17d1c60f91062d7eda98f0444e1f44b

SHA512
9d80a526b0d2c38f1fff030ca0dea0cfa323ec53e86f1316dfea40de91c3c7022151e484fd3ba1aa127fe6dfe2848f1296f84b824225be73bf4136af7ca70088

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b58607d8acbbd6c0b3141bd5797d8a8b

SHA1
a0882dc6740587518263b1956ee9643cf173ac04

SHA256
45342f7da30509dfdb846710e3636992b2435e8992c86650bd8704b9b0a25c71

SHA512
b482d75f8745b724789975770507470ef88f9dbf1ed22b12bb14aa6ba5f1eb5bc2255df5ac20b5af053c4f0f37c837e56ea3e2fc7e4bf5283ea5ecdb0a118204

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e9b56936ea00a1f07965c89f6d37ed3e

SHA1
22d45129ec9a5ecdd6a4ecc07b0ba1bda88cef0c

SHA256
fb697b7d69b016e1542a7927931206d7af279c6578a6f3e4700adc74a181a773

SHA512
20b71b94002ba390276cd1a804755c5ac78941a7de2230f137600f0eecf1fae97e0b7c621300a9be77be4c3364e57ccd99b23254e345c3824b63da29779ad3d5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1b3613babbf707408860a3cb626a5c54

SHA1
85eb9e4bad884cd0745905420d1cd5a21a5dadd0

SHA256
755d80c4741a09f2aa47a6e06ed7d20ad998b9b007e9df5c1a1334d4c1aea6a2

SHA512
bb1fbec7545fd154885b5821ed718a4b2edae0055cdb63cf3e559b63f8ede8fcd4b74d3a5e2308f6db0c250fc55a0e294c8131ca92a049104fcc3ea4a5131c7a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
3b34dff9bbc568404effdea00772230c

SHA1
e1d67a32e123d2e15311e93154e910f34ecddb42

SHA256
95ee332a81ad4c0bfc4e96e9b50c67fa35989927c4d733ae47d5f31e65fc9c33

SHA512
be49b523aa55a78a99041fb10a764e3339f941607d677d19ce60983e1c6053d5d74fffe04a1723b2a7a5f240880f1b11d35f7d518a8ef3d4c2d600120e4f6d7e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
be39409f409acabdf93dcff80d9d8bdf

SHA1
a025102e946443b2a232bc695799ba631f60c2e4

SHA256
5c35cd54345a7cdf7d9a0125814f541f0069792fa6d24a86dbd787ae0d9e62d0

SHA512
c2641cf53034cbc04e4d40ea62c38bd0966f517c375e84e59adfb4421209ca2436db92fbcb58f63baf2ccf031f773bb76f8e5d97106b4143ccf70f6e46dfb1d1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
cc0e6155db715ac50895f6aea9224f3b

SHA1
aa3644352e65caa35f5c4188f10a21e330429e42

SHA256
465dd4d4dca1903932736d431734fd0bb55a202cfd9b29ccd5925b73fe0535c0

SHA512
45c299df5c42f89236cf76d7339577f51611db98532aa3a037c9910cccd61262c641c6fc018d81bac9d5494ad1f56dbf7145fad718d02aa0c4afed34760a903e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
92d2e475afffadfef41a6241057564e7

SHA1
3821e6aa344c56a6b78398e283d0b88b00a26492

SHA256
56eb0e8c651f53e3acae9fe64e26fb149a90a1d2607183f89ccb55b62ec49e3e

SHA512
016add648fbc4301f0ce7225dde134ef03402487f32c08b66a4af54733961d5e2588c2e66fda298730e492d05cd7a1ba553cc9bc8006cefcfd5f7247ad509dda

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7d08a13441f9066ecf9ba9ba5212a52d

SHA1
ad15583f9399ac833738379acebb268b686fe00f

SHA256
64b3ec9241e2c9163d02e8801b347b170e9c5d936da658287dae51ae4faafc49

SHA512
8cca515cf034b9a51762f2178f4f8595964616d271799aef198adc2526ee9789898e9e0e7e1ecd95fbcc4a752d7e63216ee417dcb035d9f1f8563a4aa7824dc2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8e218a3f5dc21189ca9063bbf7a75ba2

SHA1
4991b7160e7b7b828f82802dc6b1edf16b55c9cb

SHA256
3350a95856b102c097e62cdf9ff30190fa729328fc6cd48e0ebedc7751ca598f

SHA512
d939c113199108ca7b8346bcd01db31bc63760c7204b5cf71bc70c49e4117aa59e9bc314a6d6803e2ff71513b266015b6866bf71ce1c7e9edce449524ce02d3f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
93241effd91e8e999ca2dd5d32c7c3eb

SHA1
4cc9ed65fbfb0f14b0361c2c7f49adc7cffa05f4

SHA256
a4064704520fb2c5bd0c6f862fdac33c3bf51cb71d35712aa23e4b0d0785a7c3

SHA512
ff28edd0c6579aec352c643bf90822d7d4a7572962869453cd933ef108fadea82c68f1f906bb6f369680a5a0d15e07620a76a8b141386079ca02c1a0626a4d9c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2abc78854d1b71937de0f6adb15fcbc0

SHA1
8abd46548fe8a8db102329ca26916991b53015ba

SHA256
1011e48850cee0a3191180dd15ac90c1aafa8e1beeb8691bebffb37f6879bcd6

SHA512
863aa6d2d631fdd4ef7db5963902ecbe04ede1bb0af7c465e55b2db4bae7fd792a10b501c2137999bce09b398c93296cced43d92249e65616acecb6559ab5c64

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9e91863bb2107db477c742f268098a12

SHA1
04f827f6f04bdf1a996d18f498c68dc5fb392fa4

SHA256
59f124a33e0bf0bf277586292dc8e211d6ee8565c08d224425b77a96d7ce7e91

SHA512
90a360b8abdfd97dc1eced82b9bf76eecac7176c177b668b0677562e604575f8364c105e41c539be68b0b27a55358280840697fa24d0f621000095e534bfa9ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
1b2935274a3fcbb776f58a6e4b688daa

SHA1
3a40489e0cdbe4d997850d049a2b07619f8abe05

SHA256
c71a0b62296350b49798c25c34eed2f475eee2c9e9f63280e84d5da6598b83a2

SHA512
23092d448288bda2204862322965671a7c40fa465f415e07e4d499d19b37b20d406b196ce6814a17224bb44e6009f4092aac4031a24f135da2a108e53544bea8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
2320658c30c5426202374d9cce059e0d

SHA1
e772622b5ede64eefb95d5c6d7f2db3107c593ba

SHA256
4a20ef77b3c39cf39be0dfa233e41cf7a5042dc4508e3bd9b0ea8f2e07caa6bf

SHA512
d6ce2a75495edd87f78e6ef531411126204e26835ac84b113eeec41dcd3af9b6a40d653160c6077c7a473bc2e0fbb0e8a862d4d1d58d99fd78ad0e9a117fab0a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1ecefbdcd9537a5d6ac9b8b912e53745

SHA1
605f731c96d0d8a1b330d57d1eb5217433c7effc

SHA256
ee887a60ac8b83ab11ac3a9c4af38922c50b67da101df287a08e09dca92225ce

SHA512
d9040c5f99af9c5521372cc8ab07666ec356a7a9cf4622eaceeeef9f3b580cf4cca1a158d3f1b1d0207cc9538a4287f888f7bd201b63046e036142da07f0295b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
43498ff2afe696d445d8b22cc89b3d76

SHA1
01aebf991a01254e92df576feb3f924f56c4b50a

SHA256
6219c045795830583b16f80360deb28a857b0ec4b59f6b33560bd2136d513cc6

SHA512
964ac1e016f5de716b0c967c49fa096fce38a33374b2be96c30300e973159eb0d7e7d4929fe6bc5e1b3aec2826b417175ac3fd978c4d25a6376da9edbb0a826e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c6814ab352ee789e927d8acab97b5369

SHA1
53f66db4a4ffbac655231aa108daea09aa313ddf

SHA256
f33f00eb3ad53feab3de43a77fd7221799a53e007ee839062489fdfef05ecfbd

SHA512
633e5e0bb2dd5b656c2026ea9d2a707067f6792e28238f1b504c3d1436b352ff6f20db9ff3e6dc0cd441684187981832101d6b13540bbf97d69d88c7dbf10909

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f29745348d1b1c3d098e499bf569a600

SHA1
4b915bac1c5782a38450bf1d1c349308fb92d09e

SHA256
3d107618061e3e7a07888141b4d719c3f130ade3d12c01bb2ad35542ab3c0b1c

SHA512
4bbadad58b832a04cdb0918065f7c6cb49350d0789fef0234ccd3d396b1501f775aab7a15cfdb0db84cfbf8f733be45265c4d120f5668fa464d1102ce1135af6

Download Submit
memory/412-254-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/412-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/412-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/936-363-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/936-633-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1136-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1136-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1136-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1136-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1580-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1580-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1672-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1672-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1948-238-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1948-75-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1948-67-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1948-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2408-429-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2408-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2956-631-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2956-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3008-286-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3008-392-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3212-25-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3212-8-0x0000000000BE0000-0x0000000000C47000-memory.dmp

Filesize
412KB

Download
memory/3212-1-0x0000000000BE0000-0x0000000000C47000-memory.dmp

Filesize
412KB

Download
memory/3212-0-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3296-17-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3296-233-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3296-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3296-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3628-639-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3628-416-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3684-294-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4064-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4064-60-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4064-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4064-65-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4064-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4136-638-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4136-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4404-268-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4404-388-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4508-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4508-428-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4508-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4592-343-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4592-632-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4624-636-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4624-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4820-362-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4820-249-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4820-243-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4820-242-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4876-513-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4876-328-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4936-297-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4936-415-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4968-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4968-28-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4968-37-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4968-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download