7c7365ba42f88bf97e045d9be860f310ef2338fae82302247f8c45bf68f0af17

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe
Size

1.6MB
MD5

456782074d25056f975ff97f0957d1a4
SHA1

fe8832918fc5fe147be5a53c00c9c8fd595e3d84
SHA256

7c7365ba42f88bf97e045d9be860f310ef2338fae82302247f8c45bf68f0af17
SHA512

a30cc71cd1d8d1a8e064ff38b0f58b34a3a4deb5c9702616c86540e869162c6113be598f58ef2a67309ca12c05da2b7fb10de389460c5cb40307485107dbffd2
SSDEEP

24576:i2lmh4R87ozX0j52pMkuLoiSJVlIL29mhNq6:i2Mh4R570jIpM3kiSBM29mhNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2584	alg.exe
2844	elevation_service.exe
3908	elevation_service.exe
1412	maintenanceservice.exe
4156	OSE.EXE
3400	DiagnosticsHub.StandardCollector.Service.exe
2912	fxssvc.exe
1104	msdtc.exe
5108	PerceptionSimulationService.exe
5076	perfhost.exe
440	locator.exe
1336	SensorDataService.exe
3836	snmptrap.exe
960	spectrum.exe
436	ssh-agent.exe
2560	TieringEngineService.exe
3116	AgentService.exe
432	vds.exe
1428	vssvc.exe
592	wbengine.exe
2060	WmiApSrv.exe
4844	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

elevation_service.exe2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8f9e061085ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093e08b588b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b06a76588b99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d855a1588b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095cab6588b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022a2ce588b99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa8dda588b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000821160598b99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000464b7a598b99da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3992	2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe
Token: SeDebugPrivilege	2584	alg.exe
Token: SeDebugPrivilege	2584	alg.exe
Token: SeDebugPrivilege	2584	alg.exe
Token: SeTakeOwnershipPrivilege	2844	elevation_service.exe
Token: SeAuditPrivilege	2912	fxssvc.exe
Token: SeRestorePrivilege	2560	TieringEngineService.exe
Token: SeManageVolumePrivilege	2560	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3116	AgentService.exe
Token: SeBackupPrivilege	1428	vssvc.exe
Token: SeRestorePrivilege	1428	vssvc.exe
Token: SeAuditPrivilege	1428	vssvc.exe
Token: SeBackupPrivilege	592	wbengine.exe
Token: SeRestorePrivilege	592	wbengine.exe
Token: SeSecurityPrivilege	592	wbengine.exe
Token: 33	4844	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeDebugPrivilege	2844	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe

pid	process
3992	2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe
3992	2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe
3992	2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4844 wrote to memory of 804	4844	SearchIndexer.exe	SearchProtocolHost.exe
PID 4844 wrote to memory of 804	4844	SearchIndexer.exe	SearchProtocolHost.exe
PID 4844 wrote to memory of 3844	4844	SearchIndexer.exe	SearchFilterHost.exe
PID 4844 wrote to memory of 3844	4844	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_456782074d25056f975ff97f0957d1a4_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3908

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1412

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1336

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:960

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2292

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:804

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c6d025e1b14a7cfd24d66c89154e01c3

SHA1
cacaa7b669758b527e49506581ba1d859c6e2ac5

SHA256
13eda35b9453c268824d4d1da40bf58337a4bcd1654bb775a467d80791d69705

SHA512
5114b93fd0d77dc593d0a5648f582c2d64f9d6c145e65fbe820b960e676cbdad3971f01d01b4307402c6fdbe2a5fc2f01a9803bc48bd0d01c1971aece9ea12aa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
fe38d26de729be9a33ec1b223101cac1

SHA1
cfdc0a39b4e11941df1324f224a0d39bcc6004f9

SHA256
88b271e61896e5551d60cb04377023e6dd436ef3c1be6433595c3b1ab78909b0

SHA512
a64a5820406900eaa1464b2fd7d7ad449362df82d72ea0cd36bf65abf839e55e4ca2204560c2dcc830f21d2e38148d9c315cf5be7b4bc1ad4a8fb26d70123e4c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
d965f89468ee31b6056c00863c582ae3

SHA1
780177ec8a9e4bbe72ef0f6b628f7a815848c2cf

SHA256
21e4d4f8b77c8df154239ca908a7c08e6b027217790cd8e3ac6d1f3ba61d447c

SHA512
ca245e1d8038f4b559edd9ec1a6735164822ee1c4e8e6f13db43f7867cf967994f953928c93d0ed1d0c748b8d08730f3ed5739b984512128b66b642f21943f28

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
945b3f90737168b8bee6a51b3a46b39c

SHA1
ab93d6c06b0f11890330842d4634ae6b0123a29a

SHA256
c683c5b088b63da265dbe079f343e85027aca88e2b56b31a6bccd443859ff9c1

SHA512
b54f13fc88aee0255587b6a78606ae2a81d742ba684acfb4e1c183558988f8725517375921913bb6e780ee265ecc45cc5a01011c789bd1d14b532de986a81a28

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d9d80f3ca639527359774eb6bbde3166

SHA1
3e056882348d1dfd79cab1bd5cf7770f52ec42e5

SHA256
bfeed872d0f6f9320be5436428135d4cdc3da43bde82a8dc3828e10c7de898e7

SHA512
1bdf0dacdac6eac3283087bc322acb2662887760ee236d93fa911cacbfe390cd7aac718f0ea995fe68b97c526f13fd53deb1a7488de043520f5a4e6da614f378

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
6fc6a579f673e86fcaf3b3266dff33cf

SHA1
a5e2dc8dd8f85aef2da2a07808e682b76ebac5d5

SHA256
51f1a8ada304e4c05351c5e7dd2286a5f2be3ff97d7f1c51420f3a7cef460222

SHA512
27fcf168bfdcbbeed6366e6b7c1de631f17a5e69a0ae9829bc26376ffa9fd5d508b5148502e748cfb42498af18a81d2faee9e9e6fe802ea305a82ca72800f726

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
a98b544cd6d233c759f99501b215c7c4

SHA1
1f4543711e2ddb7c9a25218a93e03d359b284862

SHA256
cf1a0b6eabbc1ae97f92f65bf28bd757c82550cf71bdf3123b4af4376d831e8e

SHA512
3d11143dffd7ebd214dafdb31b1f1dce6ce3d6a575612b3b89a4b671bd7862c2841ecaec648a8b20afd8ebfb5e8c1b502f575eadc095cc87c0573b533df04722

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
2cbe080b540152693f40af7f7f3c6039

SHA1
dae6f98b29b3fc52810d2c47c1e4a87e222d26b8

SHA256
5b6564ba7ef4e2f30fc1fca538ce508bd51950def1fa50b6edbdfbbc0724e672

SHA512
70f38b640f1cf0e176d364f527ef0bf35bc5882d5e44e8a0b99db7b79c27a49edf8f8cd297bef36b4822003d9967912c6147b0237a4f72e15ca1548dbf276dc7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
60b204b0189b3bd95f571108ca7b9b1f

SHA1
38563eba5cd7fe89771fdde8dcaeab2b903b2f0c

SHA256
2c04827448b143fa5455f2bd216c498ef4c205f504a7081af2c7943d8912b27e

SHA512
b8741ca1a03689f143faf7d37354151f21c7db3e51768403ccce263519fbe692f1bb8770465b0f7b1f7c67d1ffd6ab72138f861bbaf9b72fc2ada3b2575583ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f22d3b2b963d9fb54278901c5c9b8fc3

SHA1
9cb2fd308112772ef0a9d60b465654d16e9d6819

SHA256
67629835a0fda28452911f175a3b7adbc52eba9d1396a5ebea0202b1175068eb

SHA512
de5a4fe87234cba4ae8d316bfe922ca0fd7cf9304e27f128d52082e8611d7afa5b5176e612a87804a9341124adccc8ed5fd8210c4b6cd89185dcada92b069f10

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
89044f161a902cdddac8d110812d8f17

SHA1
a0c209fc45a1742b6d9569b72c1a1025a4af64ae

SHA256
bcef55bfcceb24ff33312f461e7b5cef8779f52fa1e968ce6b862126cc47a658

SHA512
b1460dbb5521feb4718df6793e23c14e25ce3a2bb5da58a72ded12cdca24d032b65d11b0627d4f0275c2a5be4bca493543ad6d4fb6cab5399323060efef2d837

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
af33bae9933bd8de2f0c1510d44aad0d

SHA1
17399596f90506492ce72f743dd2a0943b28758e

SHA256
858ea43750e58a9551cf89c60a2cb157088abd52542c970cf62b73fd0dacdacf

SHA512
bf3ce53335564ef94fc4ad01b36d845e01a5f9b98a6b1fcb01eca73550a4e3ac3de1f29b8a09a70d81f31ae73cfb69e709572205d28143bd3fec6948922d37dd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
954a80cef707d74ad14bab0e7ca8c9ee

SHA1
de6f14e78c6cd30a96de5b80ed146a9f723c5871

SHA256
12986d7a2312629f32dd9f8724093d601bdfd27d54cfb05f60c6c94467dba611

SHA512
946982934060cfe2534da0ce246154be6784bd3e1f7323bd2ee9ea5d54053054bf48c7c4afef44822819b51e0a67cb25489067e770426299d1432b5617e23432

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
b3cfa1e74f0e58311a44b829bef379de

SHA1
eae384c1b5147e82f20e1b35e7b2519adc094ea0

SHA256
68a421952d0cfe89326adae440478c789392cdccea3a891604205be8125abc6b

SHA512
37fddb54cd1b8bcfb9fcb917c0882dc800a62141c43352a090e962d53123bcf66a9114500fa7b7cf9720243db64b27f55dcb8887d05457aa6e6fafc575eca86c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
17f5451cefb5d40adccbc0d5afd29d04

SHA1
bd409d5769397aca2a2a503551bf43166c3d858c

SHA256
8802157f11875eacb0f9760c09e3fa5d3941bb0713f3e9b36d25c55137a232e0

SHA512
d524e652ab6d40fcf6736418a0120563087c3c3aeaca8d000aa7034feceb6f621923599a359732049b039e3224fab78517396bf93c9c6b7f39923cf274952b88

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
a328ab39bfe5b4c3b4bd57a71c32e89b

SHA1
0ca2a876f401d1cfbfbf6328846754152f59bb9b

SHA256
6d11de18738917c9b35396c513d5de1f8ac7ace5df4bda8e84b8db302faf8bed

SHA512
5916e8b8e57524cec459e2beead377989aaac7e05a5512978217ba86b017c56897b016ca821d589cde3d6e9da16f4dc6668e15ebea6655cfafa0317e570d116a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
99dcf8ea87034f65e965f34123522fc7

SHA1
2c475db161dc3de49a4e1d8fc5243aa487714048

SHA256
002fd7dfdd92e4de7e2947d7ceab2214fff8b30c4cbb2e6142e5758a0987ac6d

SHA512
3cfee04aef4cb66df3751e6fdcc15c4797073e6f8ee74ac857f692f802566dc75af4b156f16041167536ff11fbf1626637775a8450eec2b68b6ec8c0cfb0db76

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
4e1cf9301684295cbdea495e6fd8e8d9

SHA1
4337b84a67d0c1587ac9ecb1051e03bdf853bfd8

SHA256
b1e9b2c393237cd115d614629c51acceb24ac4d5808a5c96e80a182815c31b93

SHA512
2aaf7cc87da57dead1c41405af94238da8c059ad5b472310c12e2b240388e81dbae6da814e764bc9101aa982d1fe956099de2758a5248ae6ba3c801c141af708

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
acb9a2f529c3ab71b3b8875b87c3d391

SHA1
316491969c56be6b03720e81ddf583e77744220d

SHA256
0284a0c0bf7d0fe998239be061891ca9297f20fed01120c7cba07b6fa8156fc5

SHA512
01d5ba04e831cccaf675b6dfa29f4a76ed93ff38cd6fc7d9579f56b42bf4d80bee9d2be8dc2e7e4cb7d5fa223cd4c6b3e0720e12af8b7d36a9c2e546202555ab

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
94c9ec19fd00df5453b7aa7e10c11396

SHA1
b774fd29f53c8ca4a85ccf5f45465dc06ad535cd

SHA256
425073df8d02fff7da83d7b8a9ba20ba9fd6bc30491b5ec08a604a5bd8c04fa5

SHA512
4fd81457ae2425110c0d6fa51e1992343a39b915f241ddd112b1c8287527db34926b991478f58efa1a662cefbe07e96f077a07f4ca7a2af2143def0f094170fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
194311d775e2a0b744abc1ec82abe1dd

SHA1
1aec884d1404f9fdc005baff051d03a33af07b9f

SHA256
fe792821dee4ff2b5fd7ff3c527f1048f10849229956bc2d64c92db6eacd6ab3

SHA512
e3f81d15feb587d7c1e62d47ad4935cd05807379b2294bc79f0822b3eb13539d474365b5edfaf4ef75a83a6c63d06f744cd26f20515cdce8e13b097aa5d16a4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
7d9857554636c8ae07c8d63d5e43a3ac

SHA1
322c8b407488b69afebbef61f38889a6c75c2d92

SHA256
5b2fbd7df822f19fb917528a56c72244bc92d8d3bb2de067b6a1fe630ebe544c

SHA512
c0b39a0d35219635129c4f9098d39a1d73a836532431bc2132f63752c14ec1a05f609a5fa2058ff85d0712e8084f04723ec742b6c4c10d5cd28d1817b2889f1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
a0ad66d1c9b1bb42645a520dce4816a4

SHA1
ad405f1992a14ca54b8ca18d7d16bb7de35cbeb5

SHA256
17f6e5e9592b09192127443f7aa13e42709a95003f0cfff27eb119cb5690e643

SHA512
5d77ad1782b13818f97841493a0359d8551b4a5185792b20d5ebddcbe411663ff1529876dc1cf2d427244af088a7a41a6e93bf521aad2df9c3730131e89e6e04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
53d97237b842267dca0cc8e72d6cd789

SHA1
a1ac245bf7b9dec69d9b9e1c9ddba8b3d4121589

SHA256
f49e6ca76ff88f4f116b6b66a3db7e656ca14059579bf8991d39863e71085dff

SHA512
dc8cfa50fa378a6e216adaca7f85dc8fc0e8fcfc8c3505d27e0e05330a7a9072fb414bbf38a32fa9859a1d80c0db6ae7edcd9193e1fc7cba1e8af0bcaa3b6af4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
e3ed030d3e118cda6edb7b96b70dbe81

SHA1
e97e8451d7f01908746ed0502632579a95e8d159

SHA256
dba39e5ee1d982cc582916ae1d2cef2d1d421352664c63fd5fc55835cfd5ffc2

SHA512
9408df1ea0d30aab1d69dec605ab43eb26637f4f705e111497adb90a7ac1ad7b21e95da47cabb05e47397c879799397ac287145c935abf81f1f9a1d45bbb9adf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
c226f42cfeed26029f3b6239231beaf6

SHA1
75ae939ba7c25865c13c165384bbd6935479b2c2

SHA256
3ad3ed98be9c1a903a8d59fd0c5635f8226dd00f643c367b57fa2e155b717d6d

SHA512
cc45eea26fbcb9c9f1af5fa239958e1624796cd56a1b6a37361fcf3af20d390542474487be3ad8dc158b7319a034976a507a2f7deb6469752a486526b3e72522

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
2cc820857b5830c2aba4f6a09ff5a4bc

SHA1
02e6b8fbfd889f0a1751e2a7f0f5411e6177b5c8

SHA256
0e638dc7e6f3e1c12eb4a4f8ffb66e84703ee3c2ad2bcdd3311539926845d8ab

SHA512
72936f29057ba4b678125d1e8e5cf1250dcb3fd1f4b7e6fe49bd7b5843f01c1979168b22f3c6ed4ed590ca36b7f77a0b480d8e746760fd2bea17342632b32e29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
e9e0aaf958f27abfe458ad98bc011c57

SHA1
0d3ff92a0c7895075e3f9e453e2defe49f48b2a9

SHA256
77cb92f16b16fa6967586d03c2bbb3b346edc60575a7025f1874b23751a86526

SHA512
803a8bd4f0662920192c1c9cc7065c85865e471d07cf297e7d3463b757dadecd452cb184da33b214699440119e0b390222c2036fcaeafcfb4bc2e410a944ee72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
a701b855db248f09efa0d178c579c880

SHA1
8cf942e3ecfbbc0cab6d47252ae32e441d777710

SHA256
2204d3c78c27e6e0ade85cefd64969eca16b96cd21b4e922633573141ca895b8

SHA512
de92eab72f93b5a10fa2db7637e93d6257bdd4443836389a891de34552d57f95e6868f1efd7acda2df107e872c3b1fea64a309dbb8f76836f0855a19cc84008a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
27a1eb27eca1deed28fe6340da796c95

SHA1
a29e039315be4460d940af0922b4fbeb3913f3b6

SHA256
702fe8460f0b2615a6846d4a280c629de4f440b64acaccfb29fdfa804256389b

SHA512
53265a097255ca26f40e7eb5e1785fda6be714a4dcbcf4ea15d447b91f020eff5be15089c0459bfc9460a7d8da362679f1d0e0132e6a42047653db6a0cc8005e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
d01b0779f89431f5d7bc8064078b06e2

SHA1
1979a2db941caad17c8816cc02f75d28bb6b15cb

SHA256
d658a6b42c4e2281c91605710c227b221025909a9c7adf988d8fedb2b9aaa467

SHA512
c3c89255a8b2b171c4c9e7776d968764930703c048a9d61608d77234f36b3a8452b27109b3483bb1b2e7e4e4f77dc0db0740e53c975a474d347c3090fb83f2b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
a67785447ed4ef61686f3c556013d2f3

SHA1
55fe9578e212c0568d865281655b858584884cea

SHA256
2a97fe3234082d8cc52d62457bfbb50e4a4fac0faa4a0e2ca13c1ee91d32ce5d

SHA512
3d1ef60b6199a7a5b15e0b2a283fb1b31dda5057d58d98ad4e7a613dfe3ef3ff3738b612bb65ec3b85a8edc59e5655c3e0640ba8164575f4491e01975a663736

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
a932b35858754ac8a006d02a07b9f7ff

SHA1
9f2b6fbd64fc2b8256276e103844cf372d3686db

SHA256
94452cd3b7af80ff6e44f7764c5f44bbeb189fedde31ccaec25cc7b44751604b

SHA512
e66808395271aa748fadc6d66c2c1ee7def753685ca71205e897162ce03bcf4c15376aa3a15b3f225c4a9909a3f2975757195960cde7887467db804047f2f4ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
c60537817a6aa24caa9271427cf2bb18

SHA1
8ad58d896cbb30a3b9b573676f272fcf8e967adf

SHA256
1026fcbf7d87b212b3e3ad7e36af8640b83f4714ce406cfab12ffbf10483fe36

SHA512
c5715bfc20da6e2b4ad20bed442dcb301d10d3d14e32ab63871f2b74fad8effd0f1458a5b1c4efd1be298d803d319a91f47096c517d9a6781fc6ef380775d9a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
18dd457fee839921e5b57f84fe4f045d

SHA1
5deb2e4ca26c9911df1f389c2b872506ad035fdb

SHA256
fec5b18009a8a84cdc4a0c768fddfa308deb59d83cf6a26d6ce68bb9bf662404

SHA512
8a7a40dbccfa1a4fed2cf81e081ff7235a028ca2920bfe56e24cc32d4a997192a8d5c1a358c243e8d7d353e8a135aad5480497fd624d31addb8c2cd38d4b1089

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
38c17a4111169d8a17f96ea1f822b856

SHA1
64c383abd1f26a79252c5e8901ebe3a64148bb2d

SHA256
e3d25fb7a2e29c3daefe17cf7466a7b93764f84e13c2feba30a1c451bcb7cbd0

SHA512
7d8c146e74e862aa7b027a65c8652d4f329037938681a8c4275631ffbe10d22dc236630e7da8b624e7254286af2bc77a58b57fc25ca01465e502b5b0757c6374

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
5bce456f3194b7597e043a8e0d158d45

SHA1
072befda75625285f3d64301d9dca60862babedb

SHA256
6bee8fabdbdc910671aad66ca675e2ee6ea01b6816c8cd5bee56fa2bc549cf64

SHA512
918e74ecb8e387b80267bc3c9ab7788172f7c6521c5c6c6902b9ee4d6f6ea34c5d33d980a008c06269dadbccd5c169e111b3044558770b43acf61deed3623fdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
045809125efb8849041a7497f0fb9dfb

SHA1
1e3208af3169902548a5b7f6cb367b0b8e3c0b0a

SHA256
c5d6171c1e5720712e0b5ea2416e66d45658f5d3d75a20dbc04c4b06b16c7816

SHA512
b2c86bb829878a06e0a814b6df582887b101b2e3327921b0cc2aced960f152ccf13212df8b3b7089b04a57c1267b1c6773849d6afed5d8443749da7325227de5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
7f63fa86fcd46030f626ef9f19393dfc

SHA1
64a1266dc127639957ba53205af777e9f9fb662f

SHA256
89ca8c56c4a41172cbe5d1e3eb0b6df98a5b11957c344ef5f708d6a4f7519fa0

SHA512
ff737e5962cdb7837dd93a67d0525a27800e2d6b4f2f7e3d9bb32b5ae60a41e61b26918242c19470ef6636ca93837f9c6b37686783c09858c9d51926d359bc72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
5abd724d3e089d273cc6cafb1dd6e61b

SHA1
99bd911f348d432cc2af2a8645369fa7d00cceb1

SHA256
7de39375e4e0916904098ea5cd5de50e27f07df29be27fff98c201135f1842de

SHA512
5ec9a9a23d69650ec89188c591ac416efba0faa021e14be9d6c946a7fa5d70fa968520a235434e51b12850d5312ac2384775db0c2c03630fe5f30dcdae6cd2cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
31f7cee74f9ed7997a3ef5b739994815

SHA1
5f63155ec64321fd5440d4a97ec392ccb0e8371c

SHA256
7452109230a340e2a3b7dcb5effd8d06c428776784ffebd22641d1f0fadc0ff3

SHA512
5402daead33dc11e3f11d085780d871e9efd77e3de37a3195cd4392cba643751ed9c7b4222479c7ee028c1a7645f320e7933bb466ca8afcb6b75fae95a10ca6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
a52f8b17f446915d2a17d2a0baa282c3

SHA1
6dfe65382cfc5c9e8f7452412f5ee8581e3b6c15

SHA256
55c2f83f610cc386b21cca95073fdc573949d10944015292b120fc9920a9e767

SHA512
4e06acda4cd22ba93010c936b6b59813328af437476048eba85d5b2cc071077aab04acc196ef486dae8d14dfa39a8f0c7609f59230e796cda72b3a4ad06fb6f6

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
5b1d7d20f2b2fd5b7622da4f136075d9

SHA1
88955bc1e86c3ca0a62913a63df195d2d6ef7fb9

SHA256
22048c59c24f8cf9e73e0707c26869a385fe8db387b0e9b0100988dcfffe4418

SHA512
693fda651fcf0cdff5ba99c1ddff812980d32d321c7c6779c76fc3cfff6afa01e2d9592998ff3b9b906d7fb961960227794a1b15a952d43b72363985fad449be

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
e3e1360c859653be08642947837d6189

SHA1
792e438e45479d581e4011e742880bc987656b35

SHA256
2e11d45ed1420081af94484b95bf46196765a895c52fba605029db236038ce81

SHA512
8ce585bac345e76fe927e77c8d9d4845f151fc11c3b3a59ce5a8e8278f640c2ac478915f8c0a9acf41a53b99daeb4d4748ffa00da93df87ff1a19b9c75e2f96d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
5c4ba5f4552eba946b967e43464ecd8b

SHA1
c6dd6ee9968e83042d1661be225f2b419c1abb74

SHA256
fa5d4cb6de79458b8c9773ef4542e4e0baf18393989a6082542ce238756ac896

SHA512
2829e7557854cef890dbffe51195268ae5e89e0d5905490e4c2a8832c5e31b96e3f521d060fc29fc0e442f330653d2a2e259f0482a7cd6f47247b9e0c0b0da05

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
69e96c762289c36d0ce5b928156a62c4

SHA1
77bd8357d60e57ed7cdbbbd50ca37d01adf3e0b1

SHA256
7521feb571610afe2e756a75a31caa7cca98c7aae533f60e87c5b8a1be3d943f

SHA512
7cd66969ad5ce4b6c80f2de4d2bf50a84cf4cc65beb3797a4a76fb88843225ab272ecce6cb66e10c3d7d50a2965b8e8193d0566d4fff19c9765874a45c4c5b7c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
33e11cd290b4b1137a67842f72fcf4ae

SHA1
d89f3d5b3d86fd59aa9dbb84fecf83fbd366e3c8

SHA256
d21ee69fce903df3918a81b1e548b1d59e9e32139d60ecef5685792ccad0b061

SHA512
cf885449c94a5881b1bfe39275416a9afb3a859ee9ac625e0027f10a5bee950ecc55f7597e4e205a6d363cd66c23bba1b89447519a6ea97aac2bf771c84eb2d7

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
2204630c329d4be10fd1b1f47ab1e856

SHA1
58d036954f72c8b1eec8b9cf545862a877891b6a

SHA256
f962f3b4a0e7aa7fa007d3d26cfb7e7743d10cf203d62f0e60d8b2b5d4efc26f

SHA512
e1b7b35920509891ba786a25531efb072258508f81d2bd1b35a6cc948bbd97433f3c7407d2362a24cdba14f025d253afb31de99751cc4c8d0b5dd40d654844ea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
5419907b12d6fc0cfcac1185691494a6

SHA1
c4cea4f70e27cf59dbd895373760e232b07414b2

SHA256
fe08e1d94a046dd529f9ea0d034fc15012cf5ac36bb321425fb95fb8e2a68d59

SHA512
1f2b2ecdd30be50f3d8c8bcd0563e646eeb77a8f5c2f937c4548c39642cdc4a9a73475f986f3e8f129868dc8782d8a192b6f656a73da3a14e237af3500efba28

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
a6749f4a0d2ab3742035d4f42ca4543d

SHA1
e33651c01f38d78a9bdc242d44fc7d8086ecd950

SHA256
dadd56f9e01cb28b09fa4df067fc036b6127cc4ca114425814078ab935498439

SHA512
3a8edfd499026360e17e1ec3835cb3afe5cd3135d64e8fcf91dee779052e2ba4c6bc62739e8b64915f8219fa722f412c9daa38fac8d8e470c25ce18498a8c9f7

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
7beb713b9fdbd3eec08e970cecb04807

SHA1
3cb3efcbbcdc411f4499c514850e27962b2b1c09

SHA256
446ac1e54a22aa0a7e5585783010935d39441038b1c8dd3eaebaab8a8817ae81

SHA512
08ef2a195598b56f08f39ebb0674c6fa5855a50b3504dd27915582c3da014bee67bfa1855ddd2f40ea4e4802a06895d34e14cf36aeb4ae67d5a0da3ffe243624

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
91f49976679837bf13bd9b532af2aa26

SHA1
d97b3c50e0a2ccffbbd9e91ccacad738e2a392c3

SHA256
8c616fca5efefcff6b713ba2bc7a7b422324be1262094819497a47d6441ed1b6

SHA512
2c36e60ed32fe08f70218aecf9187894cc891366a5ed4b8f8a7ccc54db9754eb10495f13d6c997ff335b3cb9fee657f61a278240a7941d29bc4de9c8b88b144d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
77942e9f10ca7aa6f0dcebb07668611e

SHA1
18d4e8a74730861242243490cc0a59bae289573e

SHA256
8dd5cd945cdf5763b690e9cb2e33700d3e45c5f8513264795128fcc2ace28212

SHA512
1afc112b20bd81de04fe62f0c7f0fce1e5ca69001e341a0caac604b75b6d2b06cb5361da0098f5afb3d12cec6bb63370602e4965c85f8a0a18f7fb57ea57944a

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
9c0ace35f02196de291a5e1c130de0af

SHA1
c604a447471f6fec9677cf38c50ff0fc07926b3a

SHA256
4f1b076408a67e2c18fd4373f8491c1bbf5fb403ba7c4e6df4ef15ca8aa7d737

SHA512
22faa14fa82f2beec8c6c2dd668c8a4dc19ff5c76cb6f353176f4bf7d7b707107ca090ee8aa014e313709cb814394aab3b93c0de296bc1472a570aa6a7b86217

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
fb79daf82fd327ec7898fc5e50a7bc7d

SHA1
c130bc8d0fe60757e4123e6dd06206e49bef02d7

SHA256
ba65e672531c84280bd4f923b72f287d3e9d6c410e8d43305615267ce470621f

SHA512
26b64c5851cf741fca572ca014515cef4180b414ae6428e2990a944b707c7b60d2b53a7ab26a751a3725a035f3e05e3a218a7725dc3bf869800df6dc250d13cd

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
c45500d7bbcf9c17c80013a53d834c93

SHA1
c4fcf78996a7a29cfdf92e1adaaadbd775cebb3b

SHA256
1b13e302321bf1ba2bd68d9f172ea1d7d115fdb91429093aebbbbeb2b20838a4

SHA512
713ce52c9cb0e4fc0aaaace2a38c3f46fb57a826817a3c4975df9c5215b274cdd4a066197b24a2c4537e1d07b195782e96b8320115e0d4814a686be7a0b1fb15

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
b2b1cc6bb2a699a57930f696f811e291

SHA1
86646caed1500c0853e5e35c32de69ddcb0d024d

SHA256
d1b8f86126fad9ffc58916c33dccffd2bb882000a094427dcff1bfcb41ce73f8

SHA512
d5e897199a621a95321fdefd075f9e5cf409094279cd7198833ec5e57929f6eebb40a6481dedcaf2b9622865d4bf66afe0afe7ce844f35ab73a13c32f76fd9d3

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
68449a6f34df92b579da079732dd0e21

SHA1
b2ae8e37dce42979392daca93fbb0f284b90394c

SHA256
57e220e6608f9e0e0af2a7604ac36df209665a087c9b7af7ea280aa75f7f0b90

SHA512
8a78d4bb79153a0aafa16255f28f235e19ee33277fd3fe02512d73c8d1072f1282e9be184239a6efa2d51aa8fff37054c3ef9a56eeb456ea0f7e7d3ea55b6aef

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
4c22b5d66631923dcb5b8526d1c6cfe3

SHA1
26a81302cf798745625830ce59a75a307e4b6836

SHA256
06c303c7b8135e3110fbdcc61cba744c98789e211fbf2fddd600c41568e25ba2

SHA512
3af0b2878a7aee7a05902f3814d789023c199bb0d4f8348b8b07f873094d5c7d4fd4d7a7870fef8d7b672fbdae58e30e6a5071797555e3095006166dc6ebafd9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
3feb79e110738d5605560cd54e1dcb97

SHA1
a196c35e25561c2677df846ecc1fcfa0fff332f3

SHA256
42109736146b24950a90fc5ae9f336b87e70ec889c2d84fbd4275e7418c64d0c

SHA512
dde843dfe9bd828d9cee31ff4fa4c036c9420882c02e7a3f8bde3c032a4310e886da92234c7fa82c3613ae1817b1fb0a078a962ea2eee8f00a2bd392ee910ff5

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
14eac9e0a134293a589a586d57a150f7

SHA1
6e44d31661bfe03d9eaac2ea9acddfc9ac5c5535

SHA256
8d9fcb88f8a99479cc9a83f60a06a2e3e9c36beeb0810ce115be743a435359a3

SHA512
d6fb079f8fb823a77edf37c078b273f70b1b145228fa25899a10e4de8af5e0bf618e0761d58167cb4855bdfc3f640e8273a23713e11d704382a760d6fed6f901

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
62c55cd8988e06e7d0da73c8266d00d8

SHA1
a5f8caa2740f2e82c17768117cef81f3ba167601

SHA256
22edc0782989cd2fc97c541e3f8d81c6c16f7700f42ac159370d6ee01087bf77

SHA512
a470139720166efe3e37ac46ca9baa04eac78c121c526d9d8110320b3273d107beca6e2001caee277bb312066a82f8441f955204e083b4174ca908608854f2f6

Download Submit
memory/432-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/432-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/436-350-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/436-586-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/440-306-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/440-417-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/592-593-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/592-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/960-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/960-585-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1104-384-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1104-269-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1336-584-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1336-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1336-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1412-59-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1412-53-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1412-67-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1412-63-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1412-61-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1428-592-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1428-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2060-418-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2060-595-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2560-587-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/2560-364-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/2584-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2584-20-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2584-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2584-234-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2844-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2844-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2844-29-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2844-38-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2912-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2912-255-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2912-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3116-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3400-355-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3400-249-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3400-251-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3400-243-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3836-321-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/3836-533-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/3908-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3908-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3908-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3908-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3992-26-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/3992-0-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/3992-2-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/3992-8-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/4156-68-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4156-239-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4156-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4156-76-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4844-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4844-596-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5076-296-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/5076-394-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/5108-287-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/5108-393-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download