ca0929bfdd2e09d8a33df3e5b81e2dc85ed79b96d67822610013927b5a5b5112

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
Size

1.9MB
MD5

982e2d80678e1fdd05c1eb1abc36b647
SHA1

2c2359c1dfee74d74ee98ff9d869b076b7a69763
SHA256

ca0929bfdd2e09d8a33df3e5b81e2dc85ed79b96d67822610013927b5a5b5112
SHA512

2a7f3c4d65d5d6cd0c99e80bfd9d9ce158956864b8666c87763c0700adfd63c75e6fb9dc02a8cab489812211298e6635bf61f263b0d9cda7acc613e609d7b265
SSDEEP

12288:v2lWRPfhA9PRWg9vmqmFrfBCgiw4bivhqGoj85sVPL5qw+DmQ:v2lmf4RKqMrfUgYbkhqfj8uqwp

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1884	alg.exe
3744	elevation_service.exe
1164	elevation_service.exe
3728	maintenanceservice.exe
2640	OSE.EXE
3308	DiagnosticsHub.StandardCollector.Service.exe
4172	fxssvc.exe
3164	msdtc.exe
4844	PerceptionSimulationService.exe
4748	perfhost.exe
756	locator.exe
4168	SensorDataService.exe
4308	snmptrap.exe
2984	spectrum.exe
2676	ssh-agent.exe
4144	TieringEngineService.exe
1960	AgentService.exe
4504	vds.exe
1832	vssvc.exe
4984	wbengine.exe
4156	WmiApSrv.exe
3260	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

alg.exeelevation_service.exemsdtc.exe2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5bdfd3f2ad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5be67759f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009efa62759f99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d93bd759f99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c3423779f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab5b2a779f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ce0ea759f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecd17a759f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1f5bf759f99da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3744	elevation_service.exe
3744	elevation_service.exe
3744	elevation_service.exe
3744	elevation_service.exe
3744	elevation_service.exe
3744	elevation_service.exe
3744	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3796	2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
Token: SeDebugPrivilege	1884	alg.exe
Token: SeDebugPrivilege	1884	alg.exe
Token: SeDebugPrivilege	1884	alg.exe
Token: SeTakeOwnershipPrivilege	3744	elevation_service.exe
Token: SeAuditPrivilege	4172	fxssvc.exe
Token: SeRestorePrivilege	4144	TieringEngineService.exe
Token: SeManageVolumePrivilege	4144	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1960	AgentService.exe
Token: SeBackupPrivilege	1832	vssvc.exe
Token: SeRestorePrivilege	1832	vssvc.exe
Token: SeAuditPrivilege	1832	vssvc.exe
Token: SeBackupPrivilege	4984	wbengine.exe
Token: SeRestorePrivilege	4984	wbengine.exe
Token: SeSecurityPrivilege	4984	wbengine.exe
Token: 33	3260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3260	SearchIndexer.exe
Token: SeDebugPrivilege	3744	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe

pid	process
3796	2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
3796	2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
3796	2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3260 wrote to memory of 3648	3260	SearchIndexer.exe	SearchProtocolHost.exe
PID 3260 wrote to memory of 3648	3260	SearchIndexer.exe	SearchProtocolHost.exe
PID 3260 wrote to memory of 2760	3260	SearchIndexer.exe	SearchFilterHost.exe
PID 3260 wrote to memory of 2760	3260	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_982e2d80678e1fdd05c1eb1abc36b647_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1164

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3728

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4376

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3164

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3648

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7b82e64ed02dfdeff9479849a259c170

SHA1
1497dd58c3fa8998f12f5a768b71860f1b4ae2bc

SHA256
79e54b611a4925fb976b678ce5c1181d98133d97ae1c24b15cfea9b3aca4c536

SHA512
b3679e47ffb9187c177c58efaf0ed2598c7b595dcf9e7a5c680d484334a16cd12478f9bbb75525afd8ed0c57823af8db9de013a441e2a6ecb55b88c309ea24bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
573472b4777e6e83ba731bd4c8f6eba9

SHA1
a5d19e19ffb3ddf8d3e1d480f10cf0e3a199188c

SHA256
a95e320d278eef7fbbcafc352d98175515a449d060236363eb626194c0d09399

SHA512
3727f1b71bb7a550ccb11cd5ef35ee3e26c092ea705b97de0d44da59f1d3008885aa182ee06fd8bd042b3669b0b48f6e244491b00c1a470735b170a12749e91f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
800a9c9d1fcd487766d152055e8965d8

SHA1
62cced20b06388f4650107dc61bffe4de430da0f

SHA256
69e22176605c24872807ac56e6ad2ee102e28ba5c7657372acc2c923c4af786b

SHA512
c44e2afede3b9213a5e77e7173c54a3bb3ee1c142c8053a0232c2c4ecb1957f5054d29920139bcd2b45ea748df59834aefa9161d06845db1b4b3e612319193fb

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
c9773f108e19b7b3030bfa8eeaf059a4

SHA1
0962b376676110d2cd9516235965731bece58359

SHA256
971d4bb51a61ecc29469b22898d06f100954ef40480351fedf534decffadba15

SHA512
2a8ce46ec80456e0ef29f8025e0d6af1e5fc04c8a15c5457e51b94b602c83cc2bcefcd774333e60ebabc97f464c8d277256fb3f6881582afb58ba890ea764235

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4f35b4b67e474d2e8318afa1f6715d0c

SHA1
1a18630b9b6901d117aace47a3d4afd8968433aa

SHA256
0a7d2f46f6f5882a8b95ab02e73265eeeb4aafcccd6a9dbf959668dd1bbc9918

SHA512
1d58be75789105e6c937285f8c7363af5be44d32c576a8fb5c3e4628fbf7a625a65e0af2d24d46437873714424b10804a7f87074dec1a520952c3877adfc2cbf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
332a77a44628fb0d484648f4415a9f2e

SHA1
eedbc23b9b502ec51b23b5e3bb97437338d104c8

SHA256
df6608f2b912f613d690895f48db8e39d73f752f09fce4bc260561fd9a36b792

SHA512
50eba44f8996e1c46a850be55cc1055c39c5983e66ec578913c2d9126a6255338effca1773633d8c60e74d1d6d4b183e47f5f348bbcd962ec6e580ab443dcc8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
38e2d49a100720585d118bd88931480d

SHA1
d8fe0dfe01cf84c41d950aef7b1d8a7b1408c03e

SHA256
b995480aa71cf2d7b26988125c0470facc1839a97bbe4502378d523d61018dc0

SHA512
9d64a0eb99ee19ea8e8224bccbe0bc1598ef3c80380ad429e989c3a5d3717db7caf7f1806366a247b86bf366c43fa746555a351a9b94767ecaf1f52665ce62b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
0f6d3a706733143fc202ecb68bd2a6e4

SHA1
5844c824e3ecfb29975b4a80f46dccda5d712167

SHA256
de7daa8576cbd44902e3cd28a64fbb3501bed3cc509d075c94882cf0d1a9920d

SHA512
c67124e86e7c639ffda7dfda3a814915ffa72086c727ff04dbddf32507acf18084c2672d6433e799324c1c5e441dd37962f7a4efb99d071178fbdb05ab04874d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
6d352fc36d21c35df71a90ff7d9eee42

SHA1
54054f0e932e71cb04a6c4609bf510ba82801628

SHA256
96615281dc6323398274ef3ddf724744fec12d95543f82f32bfbb7d38bf2cc8d

SHA512
89e226ec6886a01267dcc2c5fa9cce3e046e753c9801ca660df5cb8692092da712e852b1c40aed8203cda8de2001ba8eb9d01dd2bd28200804d3025df2914195

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
da0883af69418b4f8651af3a93305902

SHA1
6c1112bfc83a1d2a2a3b67216435daeca1fd6711

SHA256
936e657c82fef95b9d8397eea8198f7b8c4578be605de9f7087f57fd0cb21508

SHA512
db5bd0b4c95842a54a0ee4395bbdccff64ded0c75e310ac4ad6e919a36971da41dbc594adb137c9e77de6b6073760a71beb8fa124d6e2deb361f19040d7c843d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
78adaa7f71a98ed5797c5820ec17cfef

SHA1
bbc9580ddb539983339ffda6c09703f8f4969afb

SHA256
2d7edb4b22b4273b3172b49cd1cbcdb7c1abad2f39c2ceeeb669d1cb5a359922

SHA512
0aa4bf5b39ae5607058b30e5615bf308114db52abaab41f950d393757e56c0cb905f8c90b229fac200fc62b6eebe21140a6540ed87e70868fc87ab53c964344b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
501c47f75940d0f1bc91822023e0aad3

SHA1
12941bef9fd9678b84102f03a4f73b3a99d42da2

SHA256
00f129d9d418b3691a7d393be1d50f7a1b8877093ed3853b6277d96bdd3d9275

SHA512
c3df652e7a00657ebb8f86230d32155f83b5de69adb178359d9ebddc02cf88b9f5c66e957809ffba66c194695e1ceca9004ca8f34928e3592c318db09e6468c2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
e46adaf035617a20af691cf5e64feeca

SHA1
dcf0715611b89fcf228b2c6cf17bb5b318957191

SHA256
1823796fd9c3ccb3ddac9552e90e11987a39500d76e9d10ff28d62474001f4a1

SHA512
b686561f182e180dbc9382704b05fc86c32a71e7f15b0450275633fdbb51f18ec6208ee0fc2a8267313755785be8b0ad80f46040397a7c26d01536825ac6c6a1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
8e5719c0bbb02d2f8138f867f95748ec

SHA1
1f40fc58e8ae951421b461d6c5a362a1f7129095

SHA256
6b4040915cea1e9231dd92f5fae81ca40f0571563ccd776a3f9f15f16a58c9b4

SHA512
c029bad4278942b23656d32a2aca65318e1833ab21bc9cf13297f66a156551ddfd644da0f4a22eb6424c25d103f3dedc5fa4b6d74c991f0147560ea5bcf5db49

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
7893f8c95a5387c008f662b2af5d1ee0

SHA1
1807b32f6c1d41192f711ec3bd3771212281b550

SHA256
71792178d6645ee70597a3cbd4d1fe45a9461bfee8c9f2e0d9d1f5dd535adee1

SHA512
b64e1dd1c5eee09a3f294aff507cb0c4a6e8e1e0f99fad0bfd0bed5c54a53879ebd85f4ca5b6000e269a0f8d9edbac3a9c09da6d24a38e85ec00385c27bc8a40

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
d14d96553d27de648ae16c46be935f75

SHA1
d5a1eaba76e81128109628348ad90f92731afd42

SHA256
e988cee20918147945e858a7b393dcb57f1e6ae4e98e21a8d5c07ade7b3251e4

SHA512
d75d793a6208726ee6fd33aa60d68d920f5c1e949f0efec8f5de999d56e0786c12d9349e92d07cab7720f56f75eb7d8e17e38b4b85f3e65320e3adb403664ca2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
8bec69edd76c8de5f3feee3d24018ad1

SHA1
41878e02fec03a9d77177bd0423f38967c0f2bd7

SHA256
6bb924d8451cc5d7b0e2fb25f78e721dad73275b3dbbdcdb996bbfcd4c422ff2

SHA512
5602f4c1527983b759172f40690aba48a5d00b26f121e43284aefd5d1185d5a1fefb8c4a5f980173ebf06088530de3e1814086d53a5fac81c1196bdbd7be789e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
07fd003fea449aaff535aa58c7f7cebc

SHA1
8553db4a0843a0a70f64ce652df7d725ea815ed1

SHA256
85dc440ccba5398d71e96bb043c633cc1bcf80c780599c7f3a27634e72b0fffe

SHA512
beed1185d292c99a1baa253bf2d6c12ef6bf8cd650430f1a6fe404d91d381cfed8c24a425cd278543b5f54e098ac2fb4a4adb4141e08d4e7491e3286f99dcffa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
9265deedce8cbaac88145f3f5decf070

SHA1
f67a3b219bf0d5ff58faca4447d7e74d51667074

SHA256
16b78d30367b93b4e87a7a48f5d69a1d31af62a3dc8e0388873b30e418ad40cf

SHA512
284e33811a0a52a79b4a18dad12df8541152ff9a350c004badf0b6aa0e79a818631bb1340cf656928b7e882faa56c39186532991f92a6234d2c707c454846a8c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
488fb29b267caf1d09e34672690926f7

SHA1
8f0e71173ad4693e1d5039b3be916452e9132350

SHA256
7007b7d3cafaca5fea818424505ec8f65df0a6aeb442e8b3cc96ea9c93617209

SHA512
89231f2625f15e62c9d9614e35cf9396e85ac990189b5c63b13a613809cd699b8f2ffa2629ea672d98f69d06bd843d3fe086245d5e09c77f36a8b61854e49e6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
cfa227248f9b79cb7f9356176346972e

SHA1
990744196e853a5deddf2c895099e2d9f43fc234

SHA256
7f2c004478cffaef39628bcab4faa506c703dd44615a29da62467a9d8ab055d1

SHA512
a7f27e7f3067bc73e5c3cc749c61de45dc5c5eb784aad544863580679a3c3e5c572ddd80fe91cf16b5d0e720bb0792b38f7e2f8e6c87cd7aa5259855467221a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
d3296d659acb1f832fe984ccbab40d2a

SHA1
10a33273136b70c7a4d9ee13b1099165c04bd6eb

SHA256
1496f9f38e739aab679b2e7aaf3eb79b3691be838c8029a8e5d7f9a9b693d49c

SHA512
d72ec4b9b91c8a253c8a7c2e58c7727c400821021d08437641744585213a6df6589766aedde00fc9321ad52ff3ddcdc80e8a3ad4d940308fd5b61d716413eb0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
e07db2d17e66afd53330e53784e0090f

SHA1
8cedfd67e88494e1478f5995458e917c8ec3cee4

SHA256
a8deef1e27c45e51e7c0aa74a0ce46bad653268778cd4f17938a32706b0bfe9d

SHA512
56a56233c6ab8a7e82ba912ed208afaf2938b7685562f7d15f25f60426f8a266228d303020b8ce018807392548d453ce0f4f779e9a6bed44d3152071f61a1062

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
51c523421a394fa5a7910352a5cd2c3a

SHA1
4db693d3f97a49f50f4a2aa42ec80833ec066d4c

SHA256
223c8ad04a48b6b1ecc720759e4af6f6b3a5bbb1ba7b5899eadb431b79a3e0d7

SHA512
7939041feb05fc2a833001c29554339fdb72c0c2eb36e5608d91b7dba7b088c6aa399e5d1e2deb89643284ac2b42978af77de50881f9cbbc0bdd9043caa67a7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
717f243a53d218dfaa7745e1239ef039

SHA1
ff10652318238a5fd6bfd42f59802b943681ff37

SHA256
09f353e0f4df649d4cccc6486c3eea0dcd9e02da6aa3cf717515176ef6e9a524

SHA512
38fab47709df7b7cd1b7f8610713635444d72bc50a5caffccd53c5007374537e9764d84392c310a77b0b59a409f79a8bb41d892dd8c94f52138cfd8654a21715

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
941a51b0484c0fa822bffc110a99406f

SHA1
ebd4f3ae7a201b9d9799bd5c8cae8ee61f3dcdc4

SHA256
01de08aa23591a2280c0596e1acc673c9aa0b80513be6fe1da4ae40d5518c8e8

SHA512
e07b6bd9ad9f07120f93055b1894ea30f75868e3e5cd37bc3aaab1d4d629355dced5d121150d1ac40da2333bb8ea9583209947660247dfcf811cdb97bdf30165

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
630cf4c7c0bc9e9ac10cbfb1f3032354

SHA1
a3f73837f373e875055375a5c19ca2188bf2eb62

SHA256
d89a056800974267255465f07b3bdfa56d6f351508cfe7fd691eac4d23c0050c

SHA512
c298a03cb957e72527377e6c2c909a37dda47ae8cb922cc9e0ebcdea4b376165990bc7bbec0baca2592061ca84dc70892ea32c139484a12a0fd828677c072b2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
b1f8dfd75d90452136d75735765c5eab

SHA1
6efa9a1609976b9eb796f487d9676602f597380a

SHA256
89c2166335438a10e389b71b3a2114bc7beb571af243f705db7b4fbe0219532e

SHA512
23b2a2421e4b59955a24d05ed8b91e5632e37ea6e6552e3c6940eb8b9556f9bac35599a3413f767424061819204852031c844f25d9d0995e2c83d92eb3ba322c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
9acdf1df9121fa5b73bcf85d3998d8d5

SHA1
dd31563e33ff38859a1f242a375d7a4f85d492f4

SHA256
0a5ad0ec8b59b6e4be568d89c98d2d9adf21c82d9c1fb1d172015cf7c0ba4bd6

SHA512
4383eeb5a3edbdbd509b982a30716d408c62c87997d57421b919c0ee8398b6ab5da34571993efc29f0243b2f2d203bf40172db9fa60883ac93bb0d15c310b190

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
a8131029a091b63ccfe47900a388c345

SHA1
40f889192850efacfbc772399e44773f50052d60

SHA256
dad00001314209751cf19c4619e2650f517655f0b28219b2287e3291a4fca0d7

SHA512
7300382a86071094399e39a6b60b598481e62813a04e11f5e3ca8ebc70011795959988c7534b1c0928c9265f1e16c7eb664bfa363113487eb0c330a8b1b58149

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
5b17687d016540919d38a907553d5379

SHA1
6ac0745757300ffb005811aa372562d5dcfaecf8

SHA256
d2adb4901d31272c19aaa20c57e9b29ff9a3794aece0729bd7fe52e9d4243722

SHA512
cbe08c3d26a73a52255887445e2364f31ed8a3186f1fc472f6ccf4515ad92cd0799babc783030a5d9496b12e108148a0c33b8f151a41de7cca760cb470f777a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
405c17d01f1f5983cd5db6e78afab52a

SHA1
9e34c0016b250cba61c62db37b56df96b20d9f1e

SHA256
4adb70f67163f805ba094603edaf4d42ae3f9928f03a03ce466b9bdc9a3e8a67

SHA512
3f320b58c93fe3f2cdb65e459cd9413fc50de83706ed93412c8de0c47b1dc56bdc218bd15f1c9176a068d8003d4c7967df59b3ff5729a4d686daa3a89c4218b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
8c8ac14bc51558304ae6f1e6ef4efcfd

SHA1
aa1f8787d32a1ac564da95b48662e921af4a112f

SHA256
649cc7eea0d442a066a7ddf9f519db45861acac965b5fe53b1a132844d88019c

SHA512
ab50b08a854f8cdf8b0f1c08f4bcb5ab932ec4bf50af5c3958f775d8a8e8ca71b6df82e55f63ae04dc1961678e7fa6cc8de1010759d77d56c7fd52f0417e11f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
08bcc4d31e594bd9c609793377ca8d66

SHA1
8729d3e17a3439a5ff6cab75a6de615f0d5aa7a6

SHA256
52eec2e34bc4fbbd3688560ee735721df73f0227769dcdc1541a9ee1dedd067d

SHA512
fc60ca420575663b9c29ffcbb3f3148404359708a4d4965e6eed40dae77b41e7f391ea295ed9c58b5182015944e6cc697af508eacd296d53dd6df7c44ef80627

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
8851168306b245e0b16eedc6c56eeca2

SHA1
7a6e0a832f03ef44d0cd9a322343751775a6aab9

SHA256
97eab5ce09d0a8af7586dd52e2c48476ddb96585e30cf7879ed4acd69be454e0

SHA512
d0cd80b6cb6e944a76326a8fbd1e6bf3f926f1508ceba88d95e655514785da4c0456fecf1ce2a7ef4ab924f860754af35a099331128f1a3de85cbbbc7ca93e85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
edc831f512a42030b5e501e0cb4a3fce

SHA1
70dcd10b55df4d9cfd76f93f551c4405584d171d

SHA256
32c9cba2ea81875566f62030d8e905c047ac168beb5f65ed437f6d1651c54e5a

SHA512
46547a1b20421ea5338b3f6caf7c1c6cc1bf32d4fb1dfc10fdcabfa4575133d5738720a8727140716e18b8c5e4e1b51bae587ece4a671824c9a3612d6cb2201f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
6b143d0f3b4eea9dc362e7ca71da19e0

SHA1
7e4ee7a4e99c327564ba3e80b5b35e7b35e40fcf

SHA256
028b7d80b9aa51e3ee6bf0dd218bc1325b92262d821832a3de24799e1ac5ad4c

SHA512
d817ac533b7947c3be1177eaa4fdf284e00fb5a8aa65b4a9a39ed8b86d4f1cc738b9e457a94301cf1695aba2af039741570458f606f1fcbf750869fc72c0486f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.4MB

MD5
95efd8b39d0bc113951f48c898121eb1

SHA1
a23bbbc8014fd87863f637d305fa621439583320

SHA256
33c06d9d3cbd617e702c7c0dbe3854539885d049d9216e5c4f620abf018114cb

SHA512
2f3f3fb3d07fab2fc9e5252121676a8f17442064cd9d6094a92586b7049e16b594eb59bfc9506c389dbad50937ff5fbd7ccb30ca6437509b7697f3bdca2e80f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.4MB

MD5
cafe916b08c13f6e7c14d751d3afc372

SHA1
36da053e21802e1a9ea916ae0e9989f9a82a2e94

SHA256
860759c498a8dabd9f9567ca3140f71dbd65e46952e11b4a217320728ef41e29

SHA512
5f4d630afd61425fabef3bac52e4b816aebb0134c784d0072871f2d8b066e79ed2586dd7b0006fd53c2f0666112cbe0e23b169fe8439a4c0fe75fcce244b5ac6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.4MB

MD5
6cf9c4133670d60375dab042058ebf9f

SHA1
b40a85d3156a8215578b12706fb20f9556b98eca

SHA256
fdb16b6430aad754510f522199707f06854a5141cfa7d4e692154e3693ce31e3

SHA512
31c5b1c7a769ec3802c250d39383184ce07e76077f5ec6ee4afeb99b9cf57288a4636064e5e3ccaf11c4a1333b62a24b820d8678c654e0772168040eef2718ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.4MB

MD5
843e0ca6f20877a231edb0d32b16a53c

SHA1
ed300a2089d8b0d65c99b4cc75d6af53b2797457

SHA256
bab2d14f17e29268ad50bba90bb9a48a6d8c73fbe009e81484263b6a0d861f00

SHA512
306fc3aee09646b9ce4eccfaabbc4b219c44a16af1331bcae61854e66f7735e010e864f2a40c6c40276f68d3f756f4cd8469a146c27d62140091cd86c743797d

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
e2c1f0e3bc35e300fd6a8c1bd00cf42d

SHA1
98b68e99d268a78114555df3174d73629eaeaf54

SHA256
b2c8c54d6ff493a24e1fe94b8844b8e72bf484654bc499ff3b3441e2df3dd47e

SHA512
05836f8674e912cafb411cfe6192a72911f2b3532cb55c335c9962aeef39a596def92ebfa38a4f914e8b2298b74740e3b14a9d4d34f6f350288d969a0f2d8d7d

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
14117f11c57a59992d9a7e2a014b0eac

SHA1
89362085c593af4ea50959d3d0f18611aa8680dd

SHA256
3a89f505047fed5b0f0fdd75542d3846d6f6701040272c1b4b8a917582cbb3ae

SHA512
465a2e4a2543cd04fb2b91bf69d5fc7945e283433b21edcff29bf0d7d1f1e15439dbf2f756687ca0e94efdc99daaae9d794f755908f4f15b3cef8df4d3a48d1c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d17447657b2f9ffa82a0848a95584d51

SHA1
76d3d6ec2847c28a8db13a1f9d94baded473e27d

SHA256
70a60c6a1381487d1c843452124074909bb5164700eee8099b21774e19c8bc2a

SHA512
7d38f11ca670506f06088d39f15e64d0f423038a7822584badd0b651f741881dfa47c86f7d7843d22b10c3229032acb076a5b44b98569d87a523357bdc221776

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
a3463ce4eac0606cd6c5895fe54f4f27

SHA1
b2a89ac2bfe34c8f21f50247796ebb7738385f3c

SHA256
8113e6817d7af0d19b9820e9d9995a28b852131cb83e60aad5ded8cd3419bca7

SHA512
76ed8783b706a502080e41893a54bccaee659cb92a1f1a864e52f8bd6e5ab7e91eafacc5d190a2cdf9766beed5a5b205052e29aee97aab81aaa037f5e0e0a918

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b79e8f78fbc0903a4bc3f0c36fb2e8d6

SHA1
72f587c04d64fae8ae5d44326f899566efc27744

SHA256
e9d16e9d336574c8d5157c0edf6d3c439dced4d746fa462aa605297fcbdf3f88

SHA512
a4999bd3f8540b50381c79ce970c3bab71a5d58b155bc298e29e7668c365c1b73a8397cb44f08aae35f88985a4e24a6823d43327334967f57051b117bfd6a23e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
c6b2c014b7bb57f3eed0dc4a7123598c

SHA1
4f9270aac047384b94c113345c339d2d580a778b

SHA256
e21bfb7f371635bbd167aa145fab2d6ccd7d2cdf85e6355ea7de78b3615fcf87

SHA512
3d9484632109332dc4b4f42d64714853b1c6e19f3f8aeb440bff8f452a91be41e3d86894d252f5415944f31bb829f5cb769cf55d7a6377dc202e2c825424e93e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
95dce16c5a10b443c5ca4c434c49d64c

SHA1
d510bf1e45ffd96340fdafa15f27b6b4b519dea3

SHA256
3d8a661bc4194611ca259c016f74b4d19a1216e8555a4e31e8ddfaf075dc5195

SHA512
138f9e849135be6058c4014bc345ffc64c613e3269e84e66e26ebbd36693a0e4acf6a3649631a6b40cc90c46d1d9705351ff72d7285611b8dbf966bcc0936b43

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
8f159ad0c7e6231c9630eb452a62a98f

SHA1
7f001a831907ae6700fba7e70bd9cf74fa92763a

SHA256
1fd7199b988a3b5f3561feaa0070c86a691cc776662bd3b9cfa1793277fe5517

SHA512
e7e0346243a430afe1bc53d6902b449ed17ea30c16ec2a45027bb800f053c640e0a051fc07f0a5454a2fc0a85f4635096c160d4c4b4764d2fa9bec2f80fd1b1f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ec987b6dc9720ba8a954e696f419f29e

SHA1
74a94d3e7c484324f5ca95411a09fea367f43e75

SHA256
99d45d8c445dd3e09a82f5d214aae5ccd2fe0f8637d7a81654db6ee45ef681b4

SHA512
f84f6cc4a49ce9fc17b9b8d60bf45b66ee40f5c07d453b6694e481e884d24ce2120b30ca25b95996f4e92708c77dd965d0541af16c9226b5fb710868068163b1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
619bc4d716e7fcd85a1c2285abbca8b9

SHA1
970e8d4f21ba2bbf3fb8287fd747517e627df419

SHA256
c6b36d4b0389fd9cb8096c30ad8e29678259fc468cd6250fb2b8c9963df53869

SHA512
767f2ef14facf4f88a49048cf45a7e87a824b039197c245b15e0a14d371c96486610622bde0ae057488d39e8bef9cac1d423c36fdfdffa2868272e807f97422e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bf6c2a4259cbdb7d3007dda459e387b2

SHA1
0e8ac95eee64015d4b55ceeffd4ba219b2138388

SHA256
f7c093e0f9bd4f483b6ec28d657c2230b25b316a9cbbc809dcf470ae0c094112

SHA512
12ea953ff59aa201dd3abc9229f5934935925d72dbd618cf40f4335ea447f68c843d52762c5eaaba42f8ee1f36eae03ceeab9a9cb700796dcb975e045a5373e7

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
7abfcb81bb0d6687348ec170751542f1

SHA1
30516596a40a6e70bb78613156fe6881a70accb3

SHA256
8e83bb9a63e327035b74f236f0f9a8e712e0eeee47dc0f20abb550e9d343bd26

SHA512
698a42d7636443178387b5d9c373c6e8db9a6331e2e0331b56767033c63d25b6b4262a3492db57e4ebc200fa575608101300bcf68be87c029668405c6dd03665

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
63285881dc5c110cfad8977dba474542

SHA1
9d8a1378ae5273534f49b030092a1afbdb8b0e3f

SHA256
f34acd0dc44161e0894ca2eb45cee114f53266012e85d978e4b254bc4e4d927a

SHA512
d41397af5eb4a9a436958c4539eb0ee415d85e34df94aa98c646c157f6cd313ba7a1d1b7d8c734b26d5191caa99d68a55f2b0ba40c704b3bf63ac4207a81bd4b

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
6d528d57e9f7d9ac9e5f6ac4e5fef3ca

SHA1
881fd4a01465d481c76e85943027197131027630

SHA256
7b28556f4de69347c8ff20e7ed7a9c4f0d7250c55cabb7e15dd9b6bb1d882bcc

SHA512
a0f15e764ccfbe8b0ec8bd0389fc0d66aa9bb73e21c0ff9599161d723cd94b459148bd6b04c4da57168b3e37e057042f90c4c6de927f58d756f619a1c7d518a6

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
fb20c8c0530dc836858bfb483ae3bda5

SHA1
26341b7992b1e4690318c4251437cf161a9d99fa

SHA256
942da63dcaacae331d065b5c7c24b3062aeef1e3605cb9696e4aa6e2c00c29a8

SHA512
3f55fb1e8c03ec04c037c40b08c8849ac9128ac591336b4e45a9244335c4b193ad30ade38f62813dce12f58702c781ea64fef194711a6247097a72558ae9dea7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
47628cfa859622f0b7c5b49d03d474e0

SHA1
6b2b4d96a3578cc0f3f7873af6a8d0db68312f85

SHA256
5a7f44c391cc91caef77e8fa789280304c615302b666718966ce6b8cba0231cc

SHA512
c8c94d5b62cf357c306fb57deb0ecf3ed3153ab677f606c3771cd180b95eddeefd08d21d4071ded3979267dc8855cbc27db410edbc757b9e78342dfdfc405b0f

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
1d10271c9f1703f8fcf88746930ac42e

SHA1
afed2d93ca30afb7bb4c5478a64d71034cb8bf3f

SHA256
6e353a344407ffefc80bd8674ed7c1837dc8a4eae7d288a4bbfeea5b37e5d324

SHA512
dd17c1ebdfedb63b4b42c60f83cfdcec15cd7bf0dd6a36ab94fe89fdc7b028b0e8ef78504723f99cacc61a823b670dcafe43c63ef45170c693dbe590bc949b05

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
0def4a08512d625782dde64c9df7dd32

SHA1
e7638981bd91fe390f169be4beb73879d6064794

SHA256
10e8fabb88984480f7016c9716e296bd9bb26e99fde96201521a279537d65e20

SHA512
7420b1cfacba7417436ced1fd211523e5cc83c372c7de5a4c51c46f27428985ac40936c3a178b03a4794e28f967f295fe62bb645f8aef4912a4f09d9e5b6d5b1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5c470b119fbc55e9ab513cf0ad5bbb35

SHA1
e30b31d6618e09a329aae593f20bf022d6b8df0d

SHA256
59632055f3d30c456d68673483482cbf44f20732f9ba0bf97c1e3b89d0083494

SHA512
afe993b1527d94636a3312ccf8e6af978333c925d1df1e7f143ef6526272844e7319c85561dc491d957ff24e1c8b92395bf2a867b8b6f92203e180bf63c017bb

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
71b0e4098ce616868eb57508b321f4b1

SHA1
880b6d43ca43e0c702343aea3f88f344820c97ce

SHA256
56db5fd0f56b73c91cbbcb3a803fc1d9232cab931fee6562de358a5bab7838cc

SHA512
b8437fc5c9b232e44eb59e9ce9f2a6d110af094bb1018e1babc7f879eb4bfd41fe0642e48c76cf6e7de8804690746f928fc3f17db9cc1e218a0caac13eaa7f39

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
655KB

MD5
f379262ce0a361d3b7a64a3480989597

SHA1
6abb28ea9e7cb5f638554b94f98dc0803a615dce

SHA256
3598a64827d9eb2e37a6074c7ec3c678533a40ddbd274501efa15079061e7743

SHA512
80d585a8ec7180974b4eec394658a31ae874b83a8f005eb6f5a5b43ab176bb324bb0e30f631544af1c0d93370768bb5fc20157a7259ab2a03760aa2b55361231

Download Submit
memory/756-305-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/756-424-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1164-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1164-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1164-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1164-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1832-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1832-644-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1884-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1884-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1884-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1884-235-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1960-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1960-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2640-75-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2640-77-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2640-69-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2676-351-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2676-638-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2984-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2984-589-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3164-388-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3164-266-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3260-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3260-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3308-250-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3308-244-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3308-243-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3308-362-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3728-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3728-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3728-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3728-63-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3728-67-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3744-238-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3744-37-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3744-31-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3744-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3796-2-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/3796-8-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/3796-29-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/3796-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/4144-363-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4144-639-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4156-425-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4156-647-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4168-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4168-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4168-588-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-255-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4172-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4172-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4308-336-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4308-521-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4504-643-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4504-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4748-412-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4748-295-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4844-400-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4844-281-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4984-419-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4984-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download