1df9207951f2235df0797fecc3e2839ed0e9333b5956f884b15bbdea2955ffac

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe
Size

1017KB
MD5

100e91c4ab2cee3f4cfd8039b09687dc
SHA1

64bb8b539f0e7cb0f5cb94cf99041064c785680f
SHA256

1df9207951f2235df0797fecc3e2839ed0e9333b5956f884b15bbdea2955ffac
SHA512

6eed97793693ca5fd7c0d1e8c49b2dce2ebc8edef682b47d54353d82ad794ab6a48525c64fccf706fe0c6f28257e9d634ecf8117b31d6c7139541bbffc4cc529
SSDEEP

24576:92lmh4Rn/i328ab4F+rM/aXq6bJfBUam6:92Mh4Rn/i3da1YS6ozB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
8	alg.exe
1548	elevation_service.exe
3000	elevation_service.exe
1808	maintenanceservice.exe
2508	OSE.EXE
1868	DiagnosticsHub.StandardCollector.Service.exe
608	fxssvc.exe
3752	msdtc.exe
5112	PerceptionSimulationService.exe
5044	perfhost.exe
4860	locator.exe
884	SensorDataService.exe
208	snmptrap.exe
3296	spectrum.exe
3044	ssh-agent.exe
4388	TieringEngineService.exe
2200	AgentService.exe
1156	vds.exe
2288	vssvc.exe
4344	wbengine.exe
3916	WmiApSrv.exe
1972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

elevation_service.exe2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\94ad585b85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054d908113099da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a41404113099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a3849113099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c570a123099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000602917113099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df8cfa103099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca66d4103099da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026c7f5103099da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6d2a3113099da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1548	elevation_service.exe
1548	elevation_service.exe
1548	elevation_service.exe
1548	elevation_service.exe
1548	elevation_service.exe
1548	elevation_service.exe
1548	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1500	2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeDebugPrivilege	8	alg.exe
Token: SeTakeOwnershipPrivilege	1548	elevation_service.exe
Token: SeAuditPrivilege	608	fxssvc.exe
Token: SeRestorePrivilege	4388	TieringEngineService.exe
Token: SeManageVolumePrivilege	4388	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2200	AgentService.exe
Token: SeBackupPrivilege	2288	vssvc.exe
Token: SeRestorePrivilege	2288	vssvc.exe
Token: SeAuditPrivilege	2288	vssvc.exe
Token: SeBackupPrivilege	4344	wbengine.exe
Token: SeRestorePrivilege	4344	wbengine.exe
Token: SeSecurityPrivilege	4344	wbengine.exe
Token: 33	1972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1972	SearchIndexer.exe
Token: SeDebugPrivilege	1548	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe

pid	process
1500	2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe
1500	2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe
1500	2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1972 wrote to memory of 3852	1972	SearchIndexer.exe	SearchProtocolHost.exe
PID 1972 wrote to memory of 3852	1972	SearchIndexer.exe	SearchProtocolHost.exe
PID 1972 wrote to memory of 2632	1972	SearchIndexer.exe	SearchFilterHost.exe
PID 1972 wrote to memory of 2632	1972	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_100e91c4ab2cee3f4cfd8039b09687dc_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1808

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3752

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:884

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:644

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3852

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c42b16505d011fd79d720f5e953a81f9

SHA1
9be68f892fbfa012ca54f316e5865f51d40d020c

SHA256
b4fbc243374e365236f796ab6c0b7ee7489a10c93206b90b92a27f10696153aa

SHA512
16c432eb568fc352f8177451eacb9ab01b2610bd526cde23cf780d46ec7e432f61738c633b312e3f2d36bd854ab560ed18b4422d0f67443af4ee25458499f521

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
b0300b380319db2576acb08e90f4e97c

SHA1
9055f9128ef1c89dd7951dea3b10a6929aee03a3

SHA256
91c09990b214b38c02a945347ea5993090e13916a78f6361d897c671f43bef3d

SHA512
23aafcaed2b9d0604635a1271362f2b8fe943808ac7167e508d36c85052490322c93762afb36e5c2ea2aa01b15ddb70363659f58f7757f916d8ed9f7cbf31b97

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
7385d31ece5cf55237b85f508539017f

SHA1
9cd9875ec05fc6ef4af1af6b748d2a128741a182

SHA256
f9c72ffafb398cc68ec9ccfedd2507a6ab804eb5e2a91901f59ea7c0c47b4492

SHA512
a57ff74555e4e42444b989bd25108e5a8cf6ce3837415c1d884cc02c530bf07a43e230168168886f50c4cdce370163aee65f4b9991e86f098bf1d75a21ba1d6a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
89635b90f83483992407a24efd237eff

SHA1
635a5dffb1e583ba122b7a12a9bff888bd5bd5eb

SHA256
d5800c057e2e5a2441e87dddc54e00adbd54894a0330bbdcf41dfbc19a62b370

SHA512
c8647c76ca619fc2d324444e55033f22bf0c389c0a2a0ff02f5057d09fd795c3146639e6f0e6c04b88a7ee5bd8dba933c710d9a8298ece76be7a24a116045671

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c3be9045288b3d8d1cd058c2ba95ed3f

SHA1
3a36f7df77fa6798c933585c37e289a55d820621

SHA256
a66d7b11b7f925a668a0f7df23969be358807340fec827bc18d0f4b917c0ae33

SHA512
bfe707c2eca8e319f982c274b2958f139bb551715157e20aa736b6ce33aeb0e680442c686a6384abcd5842dc1599a74c7d2689ddade3bcaff160d6c65c47bfc3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
d1fa46f9f33885ab6c7d3bde8076055f

SHA1
bfcd6998168267c38abd9c5a01fcf239cf942287

SHA256
980d7388463a9d8691f2cbd5ff8d14ae76b0941f80109bdf4c9db952ef95f671

SHA512
3dbc4f182d227b3dfc1f440e09e0b79e9afc55551c73060547a1bb3b1ce3a385c2001bfec0b4bfc40abf36df419392ca63fcf281d4bf5f61c5e2e16d94f36e9c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
5efbde22f319f159f5817ac11369dab0

SHA1
1c739164411edb36b85e2db0f418a3f8b1faed36

SHA256
1a2aea71e7ea002a27f9883406a723e8e06f5faf05bb33bc1b066ab11d27954f

SHA512
ddff207ad644cf1744c209f46b24315b30ccea0efe9a43e60a3b993249960cae3a4efbc7adbb175fdd8437f5718989645d2019b49e627c20bfe3b7f8e8491667

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
3da0f253f357a2ce1f540cf187c3a3c1

SHA1
f664274acc4be90b20d326073438f37760ee7ebf

SHA256
914ef71c8d6cfaee7cb30913fb7fe46aadae34e1cd81fb18ff1e907b170c6a05

SHA512
6a144a8deac137d81a50f1283d425ac975912d3c955d2b9092c3df2201b2b6fec8744bff27a9d79d071f76646bc44cf88cfe3b1d2b55be3b0193160a5588629b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
613c6947086ab221fd2a2a8ba1debee8

SHA1
d29ae220a98db4864ae084f7395477353d738679

SHA256
6d7f88098b48b6b0db7c3e7325782b0097389553f7c94ecf3b6b2d39be7573c4

SHA512
2679305bc786012ea23eb8fe651857d61171394cb00a07c7aabf88aed26de336f42ec46bea804872b4d83aafc96c28e838029870fc14eac51af8d620261b3b1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
8f4fe163d44e7ce9b430df058d826ca0

SHA1
2afdebe88060604f08439258aad34fff6310627e

SHA256
9ca7400496105c45fdfcbcd2b359aaa087b94df8e7177024df82453036c73c3d

SHA512
74576df0fae62d2f57ea944a4db5135be95b048e9f9bf0320adf16407f797a96ae9d446df7023b18f620bbbf5458e27f179e7f742b54db4382450087324210bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f465e94887a489bb688af07e6892af32

SHA1
acff4ac6426728235efd271ea525829a34ec1c55

SHA256
3cca3a6dc1fa2ac2b6c5191ba6e50dabc9f4c28e9d271c47c6012dfeefcdc184

SHA512
7e8356d7521e370bd57dfb3095edbeb4d7d5bb68b40c9cfc82c763125343b61e8707da71deb6693215b5b397c2d4827a5ce2b0dcfdf66dca34fc50d2760ec46f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
b6bb36fc8e4f71c38e58a1e855d42a47

SHA1
5d4e4d872b1c5086b7e98a5870bcc9b39b6b7154

SHA256
2c1e372a9c277aa77b98edb12f1f6858660a9c722c6e2edd3a4a4ad7d7c339b0

SHA512
39c20f0d15d5d6ddbd9defeb2e0de2c4574053e8edcfff3075c844b05d242697b99f882445b2a738425b7bf8237bb8b75f7240dd7a80d78559c02ff5eafb08bd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
67bd179012e787ef64764bed8c3ec73e

SHA1
b81796f0082705e85489da891b136ffefdd46e93

SHA256
5bfa19cd26825ca90a4c32407e847018c19bc2888f9f5c62f2c558158655f5c6

SHA512
688615d066ced3f59390732245a0b8e74a8607e8ec203fa0621491cd98594b788bb88ce5cf4adc924479336ec0b27f56e8d5d2664d89891b953d15d572a702e3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
aa674dbcdfdbe00c4f86089a5590610c

SHA1
3c19f7ef0c829ba182237070dfcd8d342a7f3495

SHA256
c3b5e7e536715735612250b6fa0373983fc54d71a1f7a1303db47f513ff597d6

SHA512
002a41a5b2eb36ee5d8d5bc26e2f991a02201d506d6fbe85675305a21c416deef123b0d1b4f4158f9cc0213c07caac33187b6d6d9b4b11a5df6009c25e95f185

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
de12f02eb291ca73acb4a23a2d6b9f8c

SHA1
647bcdd8473d8e164f7d9cea77c78ad1ebdf7b96

SHA256
6a5cdfd720b59aacfd1d75738b6a6dab6c0cf88a36e55808e887092c01331021

SHA512
1cb496ec9321ac3d982c27f4f4f3569f1769ffe8c09bf2ca2d683ae9960e9c31d9577a780251c8eccc69a5480e3254bb8a11793750a98fe4d7fefa5bfa7650c9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
497a838012fc92ea75155512210754fb

SHA1
66b133e07c70dd37df343bf4fa856f14b1d41777

SHA256
8604a8ff4e37e8dcd47d80293a87ea9efeb68a2ca6f9f999387bb410803800a0

SHA512
2efb8421bb364b1aeaffe6c812dc600823620cf5c0bda0a91af302634a5f100dda72557f60657d36a2846a12be0f39ae1e18ca6824cde9ddde30a181957eb5ef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
e1de40a62684d439aa060e2c28870f50

SHA1
cd11a5c555dae1ed83c90551bd8319b1304de6e4

SHA256
b76df0b2854f9d6b99730be63114d433787e74b8cf8e43251cc3a48178c61514

SHA512
b273a98a3a202871c108a99eeb7e2c86f9b50d5ae04aeec406a6960b431ba439d268d8517e34ceac9cc458706afd8ec5f7ccdd462daf17950466f2d8d3005d1a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
4a52cf4a3ce9ddb1ea62a03f7e511367

SHA1
7449522bb247ddff14452e969e9c122ea9d80151

SHA256
9d62be13ddd5bb9e07d249b88bb9fd5e1f31d7be2ef079a32c39db3b8c7b6972

SHA512
57d12d1679db875cc4ef5087f43c452b0dfd98229c5a12359873ecf06f79f74cde0d34b50fd8040597f4cca73234b2291eae2d6f717db20decf5c848da18da01

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
4f642615a7dd1e0b49688468dd1da8c0

SHA1
4c6a2f1ff826f48a0e24a08404e393f0d0378e3e

SHA256
b6dd3526db9d2b0c5ab21fd36e7b2037b327ca28fa496ae0dd213046b0cdbc22

SHA512
525be1efbb1519538b0d9be6952df59d5c07104c9f3ce3d0abe43f1a2295b256ff96604754dbb4854999d4525515adfcdaf085eea0e2873f45fcb11f123a9548

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
bb84a6a0b77de5fa8ed0a1750fd7eefc

SHA1
eb9055ae28a52337bdf1ccadf12a079f4610f538

SHA256
cc7067d72703956cb9b241bb4b0c6ef75f0c2f32e2a59ade157ebace86783ed5

SHA512
625e2f69ed575df06635f75af5d63767598bbeb37e730e099b46161e71f47a8a7a042ee0983f8d9af4ca30b7674b6b50f20d18bf0bd61148da17d23b587fd233

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
8ebe38df06e1a2c840912a6c33539c06

SHA1
5ba7d2d7bd075f182d568cc2d8a69886ee0074b3

SHA256
bc656b2afa0c31341b8ee8d8276e40746ddd0aef30f495877953a5a2f0421c58

SHA512
92a79b44856c79f5b5bcd858bf198b773f0b1b296ac7049c8b162700e99e217edbcbd249eed2e7600d66488cba084222adfb65c46f0b3ba5665368748ccdaeff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
3f281878244b47cb74bbe9cca4ccc684

SHA1
69bb26eb4574342a515aa045b68c46d3d2492be2

SHA256
e30923d0a66419f3193a43a7c2102c4c311aa8e51db543e161d036e3698f0c4c

SHA512
f8ad25f8462e76dc2d1ddb0c9b8d84e19e62b031c97d1973fda2df3afeddec300bdf3f695aa2462ea82df59975f25b8a37300e53b7df117a3ecfde3d656e25a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
0298198673ec070c0eae0b6981f4bed3

SHA1
d255fc4754ba2349ca2bf7f4b569482800ecde90

SHA256
795f4d64787b1c0d8589abf7f4989680012220c3fc16fb6a551f7311ef931aac

SHA512
9e3d998bd0ce5680fc6c55afe8f1ca5be5b4cb8f6800502108993c3c0481b4a2969b08e4b3cdc9109502efe3b2e87d7e8650e0aee1f57c5ef29528023aea53c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
c51f80581a4f40699df5f1981c17daaf

SHA1
ee943d43fefa0eb8156e458c617ba05ed1c2395d

SHA256
bbb3bfc8d0c27d9d7fece106d5ad4a707186517c3a5afaa9ad52b05bd1714cc5

SHA512
ce6d0583071334f987b26738f346d9e9d2eeae6468573034faaa79a33459b6c08a7b08094be797375d4ed27c62ff27a2d53b3e3137ab7c47212a46464406fdda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
10c6ae75b0687e8f0f23dcffcbe42b83

SHA1
43c6c88d32b3c81a57655bb3b13fc387764f070b

SHA256
b7f499440048e4a981fde63eaedc41e1f4a1e118645dc53617937fd327abdcdb

SHA512
3a0f175c51da3c0b6c5c4c0aea8ab8d7a13d89141aa99ee6fea36cf3b554ce49a52f7cc19c52a06ad9e8e538b850984b570e98e33ed024bf26e9e75f5741320d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
5c24b69f0a74cdbdd7c4c65c0b219798

SHA1
121dc434a2201f7f373df0837b607c1146ed8cf7

SHA256
33c5d4496078200f81f51ca0e42ab9b8ba41f7fd50ce48d1a27b6f70ef206626

SHA512
49205adb7dca612fb72772e5bc44c4666f8ae86fc4f003ff2854e4d8c747f8b6ec09434521a1b29315951193816bdd5284d8f1e43cf0a110331ae5c174847a07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
ee38806de6d2572451ccedfa354738f5

SHA1
124864c2a42769b705e4c9c6b13702edb5224781

SHA256
a8266d975d659d91df8a54e8e41c89a6f9f6a2be306c4ffd18598249e0a24f3b

SHA512
46d2288ed02f8dc91c097a7a5e188e892b4350c414c24dd0b37df39e7225dfcb07790497c2134abd2e2d12f95368734568b7d9c42092dfaa15dd6c881c221f53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
9cbe53d19fe83f5e953af8de69c0adbe

SHA1
f16a0fe9f969241442840a1396058090dafa130f

SHA256
21ac5dde2ad24348b35c0a626344c04fd2a7b63bd84677101a46280bd909eb95

SHA512
cc3528477600232739aea496165eb57bfbac09e75124d8a5e4f48d3bb9beacccae111860eec0e790cf517857c0fb7910c3081b482faa8a041861e355af4ccfcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
d5e3d9a40ef5fb08b8188f70bd46ca83

SHA1
b0564505cf017d8e42afff00245c67ae7a4e33a7

SHA256
af17ef1e19e39fdd528e460182305bf9994c1fabf5e071d7d54a671c76da879f

SHA512
2e13b8461b6bbeae2cd5fc172dbee0773bcf9669e7864b05e6f0ac0e8288bb9f7ddba1faea715dc726f1948e5eb2197eff391d561d7519503ab741bd157b40c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
da2aee63bb87a46f1422b4fd958588ec

SHA1
8dda8069f41901139a11e132468e0d3f01db818e

SHA256
0bbdd26f0f752308d1f3ec798bf43c59065c01f448b58d794cb25f3fcd7806c2

SHA512
af533cbd7d3bd445390cc22ec724d8a1cf2b4a9909150b65eeaaf4981f83fe5046bb15f30cf52878926f701d19b3e132a9b050f6d76dcebf99b2be3cade2b507

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
118ec5e118e92b0e584c2d4de62e4f16

SHA1
d784dfd7a56ce7a2135ee1522a31440942f2def3

SHA256
3f8221a170d19eae1f44a37d1e8e1965219f3a43ed6802fe0d62bc4f67cf3ca8

SHA512
8ef301759e5de6c0ab6f027c0415629c2ce36eec1a457a5bef28fdc545b9394fe5c8380018ed0bd91ceaad38810a5d6ecefa4fe0826817c56c84054da76639e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
beb3450c5b50cf05d573b7c392f54002

SHA1
03417993ec81c0742ecf8adf17ee88c08a5ec09d

SHA256
4874d1f1050b9e16002c0ed96234fa522e3287023c5334e658cbcc3a4453c682

SHA512
4feef13b289f62c0c8dbe5769242e2bd4915ef3b259fd4faf13f29cc899072fcc58a8b0883ee48e0d088eeb73258858be8c836b0a21b0dec2639ad11328c199e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
9a5812350514be4908f3e9d85a02b912

SHA1
7765ae54a098234e707ff7ae65948497be7c5883

SHA256
859228fd75cb7ac5093e83c1e50e87bf837a18c620895b9f3c78ba3f67d63e34

SHA512
2f12e000efac2dbf7eb910c42637084cd8f0ab4f1067a6ae8b1bac869af4918b99064bc4b6a66fc461b82cc7c11a5ed115d9cb2e45f5174a564fe91a193c370b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
de91e9a8d887160177c7a3c470e38a49

SHA1
470613fb99751bc87ba12fd9a347f73eb8ddba9a

SHA256
9e99465162593f9175c4702a626b4ce563807680bfd25ed3ed42aa68939dc201

SHA512
24d0934f655df631d5c66ec206d967e0c0b123f1321880e2ddf5704153fbeef85931a284655eab906efc46c72de82e9e18b7ced679ca466010181a016608a649

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
23345b9ff2d2c8e3009c4e6059b2a2a5

SHA1
1594b0cd59f3b894773c367df4e31af7af1c1fc0

SHA256
996ced3af07806dbf6d17b61c696e1677df229d219849dbc27bef4649f216771

SHA512
38e6dfb8457cf3d7fb969d82eb6302b182fa404be1ec2d8e368c4b07823ef7c40408f7dc2a5f172b00765ede907d9433207ef0bf4a9e499e100e5fc4f35cb6cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
86cdd46a5c205ff96176456abd906e71

SHA1
13b4ce8dcf32b8f63def27b8841c4e18394d392f

SHA256
1be666569c2f611d135332e74872d7cf258fc4009fb1fad13fe353f958f056a6

SHA512
6fb9bda60f81347f7be86b3083f356e81e1c80de1393c0c0cae2f3b6ef0314e95146595e6d5867487a02ea2b74f58bf3083f819ad9dc36001ccc74c58e114719

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
3341b91ea5efceee0fa13a7351d8d4f0

SHA1
f7ab73038f3f21fb5e91d173e89930a3e1e08955

SHA256
8e3494cf7a40711be98dd0dfe7f2de59c6114991fcea122aaa5760e20b03db71

SHA512
33b6cedf445533376304341d28608b94a7a74604b734c75e928e10791ec95213d6488947eb208607966eb78abfbb9186a53cea3bf45641989b00029b19d567f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
7bba88c36b8449be651e97ac7ac11824

SHA1
955a71d45e87a48c9fec40c6e0c332cc76cead2c

SHA256
fbd2af1b283290a9bf41cf06563302db0f375c2198b1e24940a3467383e39a57

SHA512
1fd0c51d658146b63863e0ee78bf091c25126f6fdd3d44f3072841df3ab163d3a5390fab238fcb9cf4c5d392b48df25a345e006c18f5eba2305c3ba98c7e9e75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
bc0a49e356358de7b3df3c1d091bf2be

SHA1
50bf2139f605fcebf070dadc664b88b87dc29a32

SHA256
b3f53f7ff74423ea35797cb4bf87d9e081948e8e5aaf3a3be52bd2fd2ac5b038

SHA512
5686d55029cad4ba18e6669a6fbedbbf8237eb2d9b07b8620f10f430997d08570a738203a1b144822765628f22ef02920236a01e523bde5d9612d240a082a8c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
6054f5abc6b91f79f3511ed834fb8120

SHA1
35cf6842c58ea55599c831409b2dcfe1227617bf

SHA256
70df01779bc732799caf9fd89b2e7ee21e1e87b421569f59e357be095a5e8aa4

SHA512
dfeecce7db9a2a1ed6b32118f1847c36d6401445c9e2529fdd19e2c8e583873bd76c511b82a7a12f6788b86814c69bf2e1043d5076aa095350f6b8bf431b903c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
40a419a31ab3b331f1303402328f92a3

SHA1
25e43efbb8a6095bdced886b4a5575ddb4896089

SHA256
01e98ffda9665ea66a1c35ef9747b6e9dc0bccff120c3d589949b03b35b77767

SHA512
2ed84909310fc5a12add8eb422136bfeb02e3225493c01b9b11909719d64112260d28248c70c81209a9de9da611b6d00c62b2143c62f0bfec4cace3ed0491b1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
3ecff89ce1044b87baa64eb6f79dba67

SHA1
143390e3a59fe3eb3cf0a9ccce008b4600abc3f9

SHA256
a05ac4263a85cfe99dafa6c2243fdc7733a955a4eac767228f5c5431fb00b825

SHA512
873439dd2e0becb2ace2ca9fde50723349b5527112c577f6966f7b741297da049c9edf83ffedfade8749930dc151e4efd8d90f31125a3a0ad5a8ed982f74d148

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
20d3297c1df4b36de30039d2941a5d4d

SHA1
ab28c986963a0607570673f46ad34f91bf7aa4cc

SHA256
77605131a0b20099ba35782b496730d15130fd40efacd841173def397ce93c81

SHA512
b46d267c7c1cd8960b52914d4774a0cb13faa0474099dde457343634981bcae9e3511bce02705cbe4f70194318bfee73944e4c6801fc5b0284503dc3aa570f31

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
cfe949fc4dda7386ac9bf89d15ecd32a

SHA1
c2db37295a62f64d3294a345f7a0b00d7ea0dc16

SHA256
f21c97eba358388b64b55bf68faa54474a2ee5e1b314f9b6020ca387a154f29d

SHA512
e807f2c69be8ad9213df0392c2a1d7d5596e1676992e866c58640578b4bd46ae381f466d399f12cb1b472bec6311246f8bdca9b864c7d54ff645fd313328f602

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
83a9c96092487703de06aef9672f5bf0

SHA1
5d2b329e0635cf72545f5693fcc18ea6081286ed

SHA256
6ebfcc5179088b1b54ae57289a94293e5e83b6fab8caf508150d1da6fa05ce99

SHA512
30bd1ff620fd069ed34c33d17a6606e674057c7744c41e6e3dfb30bca56726b2ea2274acd79dc09debfe913cf35001b2e8f5224278815d1629841b574dee7463

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
9c8f5b72716f6a15bc4889fff9e624d2

SHA1
9ca27b64eb5fe6a25c1f7df9088b19e057e985ef

SHA256
b45f2ca5da7185110b800853d2bc9ade918fbbc1f91fa67724fe3c65316aab36

SHA512
4e5544e8fbe100efb629141771420397b9d6487dc5ff53a51628c6f2480309d635d238449c69d7c29f56ff1e17e26571d22f936048eb98e6d2f3a5a937d516ae

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
2e9755167e79fb307e89d9cebda1c6db

SHA1
08e1fcded2e0652828a73699c95d46ffde3046bc

SHA256
086d3c168863b783f0aff74a14b403d2ece126b7a81db39505af9b243080018b

SHA512
e72fd733c18357ad2aac01154befd5f047dc9c0b920c3f64c5f97a25daaf5a3e0e444376898c99183762211e7cf88effa1220fd518346e5c9b2c32be94e08131

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
ce2fc830b22f4ee7228323b5aa5f6f8f

SHA1
78ba399e5edb84d621fbf58c64dab5aa1efebbe2

SHA256
5f992dc227ee954ee65207a814cea8ccce28582befa5364afbc6e53188512760

SHA512
d73161cf4122fe4500b41db70deb8b651ef49fc9777a8b7553402901c4e4b987a169d55b4ca6d0b520ceba2e3ee243967020cd6d1b00439a0626d628e1ee7772

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
71952a9cf8a7a0ef255f41f0f3eae2a0

SHA1
f7e4bca574e72c5b13abd6ee87c5b5dfa832f618

SHA256
f45fb90381b1025a8b7d82968261b253581d29d72f1d194bc320dc918ab1fc61

SHA512
2cc1f6e2397673f37625fe3a906e291eeb598a1dd975ca8dc88459e87b1e9f982305359051603d23ba0aba4a211444939f561f7b8ca258024146adfa508db4ad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
a0de385e0c77af3a0bd8a07561a2a102

SHA1
6d736994d13754d123384d659fe71ba5875132aa

SHA256
ff953181e9bda6469ec2f2ef6e854603e8650c8b801245287174e9e94319fedc

SHA512
2f1142767c3b2d8d683f5a65ae1cb9f32cfd9b74689aaf319c2ecd9ba459ca9d6b5cc1c08f933701e2eb970f0eb31c0e561c3a5489eb64354b3819bc61a9e833

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
65c6fc3c5cd822db6f22424def5c2e1b

SHA1
c40ea3fca90a187f808df322c1233e6fe523c36f

SHA256
ae0d1ec2891ba593e4c17db648015dc89648fc98941fc5901c8d032f7275d9f4

SHA512
e7a9042f72a2b9471392a7f7c501c6d559d36c7c6c3aa006cf2c942da86e049ed176f6e711368a6b6b9bbcc9309a3b0fd7a6ca112343a59bd3a00bb887d8f224

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
bb6f385389dcf361561ac39f98e8706b

SHA1
1bbb4beacaf484b8a904aacbe028cf9bb634d0ad

SHA256
9611bdd1718fe1ab6c0809302520a9a51d1248d3c67a31325da5cfcaad657014

SHA512
f5d4d6373f08066b13fc440bbc6a3114652a17a66e3c81eba1882ae24b9f97d456d0264b33e8e4bc2797f488703f3644556e83cbd542a2ef73227c0867a1f549

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
0d43074aae8e4deca078edab9a4fc99b

SHA1
2b2d209ba590f5546fec6d3e9b1fa4954906b630

SHA256
f37c476f1446698806114082faa982faaf5417b081871b42f11adbb472bc3e6f

SHA512
8cab000788d5721a5b03d8cfa7f2c321b794b6d426d7838fc15c7c61aa6c9cee512f6145a46c1736973173f6f30ee09011cb6684514a896ff2fc2c12376ec0f9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
2265d39f5fbc6846841cae953b4207b8

SHA1
508d5d55d84600e6fa37e7b1ab68842abc0aa936

SHA256
ff32d808f9530fe14481083e25d63e793fff23d35617da0ebe56bd7d4507d156

SHA512
b39496014b6c56553ec65e3ec9948980e1ada17183ebb5145e267a4e3076d2876e33ac04cf4e1e9774d792bb45431d333dba0943d570ae90596ad86ab3e1f7b4

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f0348f3ca7bd0b3a9b0712b88c3d7ed2

SHA1
9693728146e55e3fa4e075060ef3c3666449e22d

SHA256
43c73163b6b1ed2144660b3aa86b3298feac6575540ee46be1a4619a8ab0a8a9

SHA512
b0381aa8282df9885b82192a31b51e1338ae33391c9cf47cec990fadc27563ecb9e8ada8ebeb6ef200f9a0cb02bb57a3825d3cc0daca5a43d22b4a7b3349f7d7

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
0ddee90dd4cca1758c4ed03b616bfd44

SHA1
9b4366c8484d8ef31798a81d390849cd8ad714a2

SHA256
7a76186142f52963c455509b5e324380ec8dfc29c7c9351fd42ec1aeddc30c96

SHA512
add3238fa3803095d44b5bb05ecb9b720a221fb7036231f84552c67bceb939eb0d51a665737bd6106c0408933693d8e52d968140b591309d6728fd7eddfd0332

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
77dacf482839b9a6154a848f068da24f

SHA1
620c2d6a9c0360c5dab66f174bf3fb8957130d85

SHA256
7f21c90816621ebddb86aa49d18957d1773a22168b9750128b708c1d1caf13e9

SHA512
08af01837c39a752698c879d3d414f6063ac282190ddfae4b7ea47ed7bec3bc5c28515a946a124a392815ce2387e66942ee6a408dd8b8d296d68de5600ddfc16

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
97436d6434df6cc1be1edbff76bc0ce4

SHA1
054c728f52ca2be3c2d0f092023014b202937d27

SHA256
73ce8b5d1a157c0da4f71ce24824d23c68509d48b798ddc3467c318f8ffd3790

SHA512
9b2af8579383852203d56c7f54d8372777d2ac9177a61851aa40d3171652983da546b6e99e5210a24bf2b508181b0e72db8d2d06b9043a946e6eb5a89900a84a

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0def8893a4d4c8390341c0572ca98a59

SHA1
d084db05ff9163d12422dd6850d54d795558460f

SHA256
a17e02bdad854cc0ed76bd51885888755d03fd5b0617314208b61a94e707cfdd

SHA512
a8fb56245584306d3dbd4ce9c2c542a10b3415ea9b7ebd9363351628d9bcb856ce0dcdaaf794f671d284a3bc508abdcdfabb2100dff9b575cc517ef412dd3172

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
1e9f3628c97bfff516abf9e2c69745ec

SHA1
259894769ecf7592d0d072f13ec206f80a78da93

SHA256
90bc3d95ce79a36bbc4f4ef06d3b84263df7ccad6fc1952fb5ff47f17bf17d40

SHA512
4bf802f36a1266d7d4216ad6235f5e8c7aa6d3f902f0c87dcd7573a7febd17eb1f8d31274389192a63e9a8053d374f8ae48d0739f312886af8700d562be6f013

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
aeecbc6ed459003f0408428224c3eab3

SHA1
f7478c9f08919ec0e9c76289bb6f6ce4355f3e4c

SHA256
2d2074eba4453cd8565cc92746c8cecd69b936a97c53daf509be07afbba1cbc2

SHA512
efc95ac946239ab6fc384d0b2b1a450527b0745b1f578fc5602716b9a228861744c7590e010cb42d3d2774ef82627afca682f822de674d7e5cab01754943a943

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
ae4a27d2bb3ecc4b371bc1dc18df5187

SHA1
175272bd27e21c81ec6033ba377a8ba2e10b9419

SHA256
fc8702c83807866b89008ed0e8fb5975c2e1cb8d80c9faa65b873e5144c45409

SHA512
db09dbb4c65cc829d105c2a4919e73535edc82466e9e0e0a92e34ba86399970d2e52940caef8f6e6205e2226911aa7333ddad95370595e870ce5ba64429d93da

Download Submit
memory/8-21-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/8-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/8-12-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/8-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/208-516-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/208-320-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/608-254-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/608-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/608-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/884-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/884-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/884-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1156-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1156-606-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1500-1-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/1500-8-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/1500-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1500-26-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1548-29-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1548-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1548-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1548-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1808-62-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1808-52-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1808-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1808-60-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1808-58-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1868-249-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1868-354-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1868-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1868-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1972-612-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1972-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2200-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2200-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2288-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2288-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2508-67-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2508-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2508-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2508-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3000-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3000-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3000-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3000-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3044-601-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3044-343-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3296-597-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3296-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3752-380-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3752-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3916-417-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3916-610-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4344-608-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4344-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4388-355-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4388-602-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4860-416-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4860-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5044-404-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5044-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5112-392-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5112-283-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download