cee7a7babf63fc909e03b57d5e230c89e1a9048a9230ecb06d78b062627ad6e1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 10:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-08_4499f50d3017573e5ac3254ee1b1d128_bkransomware.exe
Size

1.9MB
MD5

4499f50d3017573e5ac3254ee1b1d128
SHA1

1de3ec652683706cad5d90e0397f105a85e4e16b
SHA256

cee7a7babf63fc909e03b57d5e230c89e1a9048a9230ecb06d78b062627ad6e1
SHA512

c22e9675db0dc7c6e46c79fa02734ad7a5b10e97ddb8690da7563adeb97662ff9fbb2b9fa05f805022ae3fde6192d7f244b8a460451fcfa0dc784d449c00c031
SSDEEP

24576:G2lmf4R88NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:G2Mf4R8gDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
448	alg.exe
2948	elevation_service.exe
3040	elevation_service.exe
4332	maintenanceservice.exe
3116	OSE.EXE
1980	DiagnosticsHub.StandardCollector.Service.exe
4276	fxssvc.exe
5060	msdtc.exe
4548	PerceptionSimulationService.exe
4448	perfhost.exe
3732	locator.exe
3584	SensorDataService.exe
3936	snmptrap.exe
2104	spectrum.exe
4248	ssh-agent.exe
1624	TieringEngineService.exe
2544	AgentService.exe
1788	vds.exe
2796	vssvc.exe
3276	wbengine.exe
1232	WmiApSrv.exe
2456	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2070a387234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-08_4499f50d3017573e5ac3254ee1b1d128_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac69066732a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c38326632a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fc13b6632a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db120c6632a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009187216632a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8e8426632a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b8d4b6732a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7a9a46632a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078e49f6632a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3f8936632a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bae476632a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1440	2024-05-08_4499f50d3017573e5ac3254ee1b1d128_bkransomware.exe
Token: SeDebugPrivilege	448	alg.exe
Token: SeDebugPrivilege	448	alg.exe
Token: SeDebugPrivilege	448	alg.exe
Token: SeTakeOwnershipPrivilege	2948	elevation_service.exe
Token: SeAuditPrivilege	4276	fxssvc.exe
Token: SeRestorePrivilege	1624	TieringEngineService.exe
Token: SeManageVolumePrivilege	1624	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2544	AgentService.exe
Token: SeBackupPrivilege	2796	vssvc.exe
Token: SeRestorePrivilege	2796	vssvc.exe
Token: SeAuditPrivilege	2796	vssvc.exe
Token: SeBackupPrivilege	3276	wbengine.exe
Token: SeRestorePrivilege	3276	wbengine.exe
Token: SeSecurityPrivilege	3276	wbengine.exe
Token: 33	2456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2456	SearchIndexer.exe
Token: SeDebugPrivilege	2948	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1440	2024-05-08_4499f50d3017573e5ac3254ee1b1d128_bkransomware.exe
1440	2024-05-08_4499f50d3017573e5ac3254ee1b1d128_bkransomware.exe
1440	2024-05-08_4499f50d3017573e5ac3254ee1b1d128_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1924	2456	SearchIndexer.exe	130
PID 2456 wrote to memory of 1924	2456	SearchIndexer.exe	130
PID 2456 wrote to memory of 1568	2456	SearchIndexer.exe	131
PID 2456 wrote to memory of 1568	2456	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-08_4499f50d3017573e5ac3254ee1b1d128_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-08_4499f50d3017573e5ac3254ee1b1d128_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1508

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5060

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1924
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e24e5b9e91bfaf39cd05e5630206225d

SHA1
3c0ef809e45601618e8eab19e60a81d00ef665b5

SHA256
13e571e856c4dd2cb2306f002d81b00c76374ae50216168c129e5b5c161cd46b

SHA512
efa45215fec35e06e65f986d2729a940e1beec250ec7ae57b44a9510534cf02d4caa50acf0f727c5338de335bf06a312e0ada448d464ec6ed262469e1e3c8bac

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
11d70ecb3b494f083914cf71ede82870

SHA1
d918405cdfe7ca91c233f7f0c4a6b6eaa5064268

SHA256
634d4c2ee0d3d1b9c1353b9c1295987621118ad657d91fcb06c417f80bbb577c

SHA512
755a5cd4e04524cce160cc5d53bb2e9ddd8132ed821d245a06e08f7fdcc7ba93ffae6bbec0441b315ac6779cf078e6fd1de17d8b5312bdb83611dca91a8170e7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
f195e24e7c0b17933abcd35d8bc8607a

SHA1
8551687d2ae23c90ccec2663087c263e9de97f3a

SHA256
7bd70d2e56db4a92b46684f3f7b8a8a1da9116d557f478b20e29e51097f8b0e3

SHA512
997ed9f315776dcdc45132a8b4037272d0f7bf36c4668197e79c6b5c80cdbdc83f7552dad7ddceb5888d2bc9194213a4afcf4b536dbd9bd179b3739df0b4b551

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
741009975ee602e26200c9bfb23e829d

SHA1
df790b3b4757646515816fc7860427c96a3121b2

SHA256
8cc1af9c856db309b736cfbfe31e3bf755619f213b54e7f95b92a73a60279746

SHA512
74f5ca971603d57ac784ffc865a32e787080cef0f09ff4c80ee844428b5f90970e4975d267d67afde36fc0bbf9f830abc1f13de49651ca12191d36e58108ab9a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d3165adb5b6716062d76766c69007484

SHA1
84a6889da986cd7b9426a99e0ec8afa9e8518d87

SHA256
9443869fce057b9c378334ee6753554da6eaeeec3a08150a8e94ff00115e6a2e

SHA512
2d8da82f23ed67c552bc1f6da44955224c4b60b5b040e4a8bfcb1b916c4096e7f22c4f8731661ab6d1e1424f75eeaecebd3ab26c343122c4587e509c1d2e42a6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
0ae8516e16ba7de22f6f3a03e319ff66

SHA1
1e27843855a05c997c125b55ad4577e25e72a6c4

SHA256
c96fd074b9cc30ac937243a189f9d664b3e1dcf16f2c254531748ea12c356d2c

SHA512
da3dbbd305f95a1b3781521d61a61f41c5e43c9fc6059a99dc3e727e7ffd2cb54de043ac2e23bad241ab5ec89840af30dc5e1ff7e13d4a2317f3a94f31d3e7f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7857f4346b225f7b35427d63343bbed2

SHA1
84c39c8f23d6a8a08483a154fef3a368f61c76a2

SHA256
a54b6e5dea458422f75c8aec45f3073186b15494184bcfa766b15427cc345889

SHA512
b822f708f774b8b7efcc401d9871314e895ca13f56a3d649566a00b9c8316b75dc7de738db457dd7acb913d260e0d9dc7c2acaa9bd9b963b342c49888fb4aff5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fe315c7bb60234b80dc19976ef2c1e85

SHA1
254e763b1f0490783409f70ff08f7ef07644f350

SHA256
eea763c671a28fc12477e1fc972bc8712a2f8e58b3688bd649c2b5b1330f6967

SHA512
9f6ceaea7225aa5838f4d97024ea4e836d739756633dc83495bcf3d255e3f30770c3f9d764a1ba1230eaf062c458ce409de812980336c68f9144b39456706fbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
501c249b4b69b219f58c591ae12b0c9a

SHA1
05787fdfb2040c953df8663ae6ca2e614162cc77

SHA256
ec49d11ee07b26a4bbc8278b2b6b4a6b8fc4e5d56cd227a579991e8d47efb00c

SHA512
c153bfcf5891d4e09d235485d297a5417f7339901bd232033503b67e8b8969faa93e3f08ffbdd265b7abe2b5abf47bc2693302a0fa990b27ad046f7cd13d95ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
186f7e011d6f977ddb437078b003bb20

SHA1
6ab8c74e17a7678898251f3000b4d455fb06c438

SHA256
740b581c346856cc91e14941cea18d76a2cdb0720bc47352bc5ad571a19a946b

SHA512
fdde766470e476bf614f7ffacf1d4be1d7ff482a738e8a38cdbc9f57c8a9837ceabc2a0242c30deb43e74374560b6f8928e415e3746e51ab614532878b9376a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ab18a0831a5d6241322eb097657721a2

SHA1
0e3e60e255e18062204761d9de31f778c5e62c5a

SHA256
63612b9c7625a9c79e6e42f195074501d2e0072ef69dabbf5605b38d5abac7d2

SHA512
2e33f05dae47c331e537126aadeeb3845d365fc5a0ecc9fc914e71580e09e79624a6d96caa02cbf495b7948cce7512b3965de9bf47a75cfe9e7c921c71f515a5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0b8bc534e135d5562c3c11291362d7f7

SHA1
97efabdfdc9c8d9a9e2f013862d3fb930f1da65d

SHA256
170e9b5411100f62494391135ab59ea438c8900a49b3fcb03e5421df7aa8e596

SHA512
158d0c3929f3d8b1b19dc4ec78cb5c8547c66583b0d53a528e1ff0504557da27ddeaa30a1d63e44be421566c0946f9e4e4dd27cd8380812273800c3e70e40b59

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
8eada06b7d990031f159a973b2f7cabd

SHA1
2e05b32b354c271437ff9b7de95069edad707de7

SHA256
0d9ddbda936b8be186ed3253a5b4ee930c094a2b4b8c48c9e739c8f91f9975ce

SHA512
890afef43a464435c184937a490d09b2acf12c6439085012acd3dbad55d6f72cd0ca89521a67dc70157a0b5e26bc315866c647ad9d27a0706ae7c83e74290546

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d6248759d97cfac3d5f21ce1dcd22861

SHA1
6031adf3d572b375ed38a28d84371c5d5adf9561

SHA256
c4c8c28d76a29485da2ab19a58c431d5ccb836d5d65ac98f8dea9633c39b89f7

SHA512
163347cd8e03155e52603da42cbf80c764b6695b8b3276ef561a094d87fa1f395f05286154a3c2d5bd4e14a237ffb3070e215e7abf197bb99bb2c4b4d497eb9d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5ff2087b5837a29612b455a2c0f43a14

SHA1
cf3d3374bda18bb84c8ec9256242e382b4a3cb93

SHA256
8e06cf2083c9c5daab70829967070a80e23d6f2f388d9c777d497fe4478b7de6

SHA512
b6245024444ec70c95a19275dac3712597327bc9511df79c81989c118bdda313d7ad6b14ad55515e8215a690734f2acbd0f06d3dd90cd7813e100ff80ad3a64f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
48126d84ae63b5ddd351f4a64157c245

SHA1
707cd2b5ef5aeb7c26f6cd87b8a3a1db9e6068e0

SHA256
844eae2bfbf587e28e3ccb13827d60da5c145d6ee42adb69d05371958f762eef

SHA512
c04b9f86ace2682f4ac1f4c77f1f6c4b09e00b5e1d2de2638d0e7aede281792c1d9f5d67b6d771c12e08d1f8938a27ab7ad66ba9ac276e53eaa6f7fa8709ca54

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
68800c54aef250081927d07d76cf79d4

SHA1
e58136707a4eba61c46198594430feb97abd5532

SHA256
f0773694a2041d3600c54f079fafc9b589f974d90799ec572b022a92850d8f4c

SHA512
6518633f99152d6d2b79cf9eae8b39099aedbda910fd00e69c6c11ddab91224c336c68e3ca7a5ae773c164585c9d09306b1fd43a12846d5bd288152488883fe8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
8a9f616d8356693e4d2762b3878b8780

SHA1
bed9dba0ab41a4e86eccf1addbeac680756c4c36

SHA256
35c5c9fed9ff8e22301823ac12b2b160562e131db22bcd7ad392410ee5bab993

SHA512
63902f357cb6bac85b02aec4910d20c8ef2bf833db67ede14aa91455fdc09c7d35ad13254d258c4cc34a141599f91bcadbd917abd49127cd5f1f780272512e4c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
73b082924adbe4eaeac606f6c1d6951c

SHA1
677a62438c8c1da68af94a99575ab4b02862475d

SHA256
98d363908d19087507acf3eb89bb62015d3b9c4138c2209e4d0d71564e9efb70

SHA512
29cf574bdaeb4263a800d433e301e79237ada0a0c9e41bb768a53d804bcc2aa7c11c5494a84a8ef24dd8809ae69adaa96478022a01d1a02839e56eb916b930a3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
009bf4d8892148dbf5b479c801a402a8

SHA1
c79ca0b81bed79d043d6456dd591485bf75ed479

SHA256
28a5b1d4f0dc7afcb5d561cb6db019b380ed6484712eec2459079517180b82b2

SHA512
4ed9f038d784ec2c67748f6f472074a3b88ce2ff3d90950f8c85dd873fed56e764b157dc7afa3e0e69945befb4fab4a5f1ac156659d7a8c5bfae7fedb775b64c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
161bacdfd25f485178536ff08f3f2713

SHA1
5b77731d212e15919fd8176581252fb73b38c44b

SHA256
b1914a478444b688a09b0596ca3f653a7ae9a28c846db4b51e51269c77f1c131

SHA512
c4555a05cdd5de72632407ae84cef62bef60525569f558995dcef9feb74496e94f39cf9e62fbd84329fabb1d1fa2eb4e37804b5408e2dc086fe6e3f2f6cbb884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
282970e91b3ef65386562f0491dec25d

SHA1
99724616ce567bc44f282cb274b30df0b31fe61d

SHA256
695ce071125ff4522329aeb71e024e097c5ecf2ba7a858b88d8b301602dee6e6

SHA512
1d049d342a6f745ea3d5d3e192c38754750655b6c456953fde1fa2d5688fad9408d9b32924b49f2f545a9c4a7bd304356068ce85dceb55e0927d1072fd651045

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b04ca3231063430ae426b3c90aee6b7a

SHA1
ae35a6865b62059cb2c0734fe0facff290ae1334

SHA256
b3ff897aae95689b2276e47673e2b2a57cf9dfec40f459a0f878ad490be535a5

SHA512
f5bd8d1f5ac17075a5ea62e0d928e81de2f5d48f077e23e3c777028cae18ec4e3afdd35211d4a0eaf289a0a079a9eeee14d91660de81fd3d639017420510ac9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
35028aa469639ca631b89da436fd10cb

SHA1
57291ed1fd6bcf30d89e4e8f421c39a47cb05aa3

SHA256
ea581c3974dfba80a714e279ff1447945b1300e069e741bf871e5224be0cf6c3

SHA512
0c4216dd4922136e5334c0974c5708a8a5852c41f1c08dcb108ca78753124cd64cce1bf316da899bc74a7180dd1f3c2de148da4183eb2375c8cbf972f5503338

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
4f0e89503eae41a2b591df108ac47c58

SHA1
967f7683f84f51f2a0422bf45b8fc1372e74b2f1

SHA256
8f95964bbdbedd8870bd41c1c7c5ae4138a43e69947911e2b46c9c855c0d8ac8

SHA512
ffa3e718b18916a5ff06cb604d547db0b77680bd6ef4d3b17f7885e0bee100717debb2df0c7a0b88dd8175feac2394bc054f1e60936340c6fd51672582a16cc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
f34e6ad5aebc13a89aa76f4b44eea243

SHA1
ecf005fd4354ef28c0e3fa156c5fd4c1b9a29929

SHA256
767dc39795308871b625e38fd614a3ea5651452a5088c8496ad4df9c0d9810a6

SHA512
6e72c62f1d72911a5bf9f7ff63d96c368e066663756314a6083c3f0d269454b8886c0204f5b0489ddefe6f80e9e9f3ca1059dc6c15e4ef4dec4347cc18f20e33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
2e5b702d0c669d4b6038782237a42296

SHA1
7717c1a7f5d51c2ac27add79a421ea91c2edd8e7

SHA256
66dccc4ef7fd1432cf681244f119f414536f15062869ee719be4ad70949e214c

SHA512
235cf5a02f28eb2d96800adf238617e0a896ca080ddda0dd50d4d6433831c3810498c132644c36643745903b4119250733b26ebda409f8c2f8bb17bee68d1da0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
d56d06abcde6d63eed5e2825638b6d4b

SHA1
c2f87f804b2d8c4ec3df57aee56d5007b12ce148

SHA256
7cb257d9a80393f527aa194bce91efd36457d4d84b7332ae1acec798c2cae78c

SHA512
cd71fc0039efc1569666dc23549cce8640b7cef86089b4e0686ab992d4d65f6521efba597d7e758d62077958efe80cecc5ccc9cacae7eda884bfad60d40484a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
b4f61974dca91e34c8339f7b7007a87d

SHA1
06a5d719c4d63e607bd21a35aaee8528f6c034a3

SHA256
63d7e6bb37104347c168f05884a9b317e087a1a5209c339321897d87f3b2ebd7

SHA512
069a689d346add325dec8075936a805316a637b0f402367f01c3fdf17fc99cabee36f931558017ae42d8d83c20b1fe810c2d36625f8fe79715318a5c42da693d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
10e2c6559c8b4b9d4c80266cd6d3ca83

SHA1
98909ecaa0fe5762ca65e02f952a831fae347317

SHA256
a7d87781ff3c8d9b726094521143d75c2d71b13e48d75a9fdeb0e2f30654fe15

SHA512
f65e648bf89f5f799065ae9c1b9ec8017758ccb942d2fb512e912efa4d3cd1268ddd8505cc6bb3fd26083f70f914572cf1cad44eb6e011e5bf17a40c7dd615cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3f6855068e0d71ce0b746ef1ca88cafd

SHA1
42b56395166fdc42152ac1612a71cad4a54376d0

SHA256
bc21a063a0dce74c89ddebe124d5635d7f72e5a8d570e1e75e34391cbd3893af

SHA512
61d3d8892f4761ae6a634ac51c707ebf5c30a050eee2b1a0f23876aecf84f0ac14890c5b59b8c340fc3388af0727650556845b56ceee733d8ec59bbc5dc6d43a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
6651efff2f6e36b3ef471f635563b8e2

SHA1
23f172f655a41957142915f381dcae930e16b5d1

SHA256
58051e2b56a4931f5472d64cea9a932e94698e4ddac3e43003a4a5edac87b8b9

SHA512
c132551fe3a30f832a4eaf43a4be9d9027c59aaf3970752757e6f9e6a685b7242c2ff7cf5560216d79c42b906c4a530f6410374e00651917afd5f65907bece46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
38b32c94ed0642aabd39c65775033cb3

SHA1
eeadf0eceb1bfb6f0335e0ef656a445605a4d570

SHA256
67acdd9cfadfb0b5e42ecb9463f9e48e09a23ef8db2995cc4ab8c3d1e9c42048

SHA512
bd792e973570eafc1f3e72e80ae800ec1a8c59cf46ac4e6fadf1343a3e53e09877c1eca70eb2bf508dfb88ed875611a8844273a2173d0040281e786634aaa707

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
699e4e06191202ebe795329c1c068881

SHA1
54be364656649e645b7d69563738aa198cdacf25

SHA256
c3dd019990d33c22da1f5048cca7090e31ad93474b941069bf92f5acc9e13270

SHA512
7716321b9403123039da994005f7fae2bd9a01d46cc48568d99d1ad84c6f7735f5c6b3424585a4eec2d6098a5888888c4c9023e9201b96f18df127f48e480be7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
879f80900aecc4b6afefed49864f3ef9

SHA1
d9a32bab499e0886954b45a49313fd6b7f250c4a

SHA256
131ca4e335092956615382619cc781ff62739b0bc3912f61db492de18a33b4db

SHA512
c9e5d3effb70fac515a315243ee5d698b318d9e6e5a15cbbd01b9715e207405d90b112672fbb95aa913a93699b1c9a03654ecaf5aeb2746244b7ac9fca5aa918

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
c2bae9905b4f836d798114021716d274

SHA1
0951c78623519e58df9846e3f09a23a2f35765e2

SHA256
522fab51bf089e63619ba7aa5a1f398dab2206b57ec83931f04ca3fdd1e812b7

SHA512
c585195f100a44758ded3019e1a18931c24061f75c6cdf3ac86a675259032eddf5c1439e7644ca48397f2f317825aae79c45a23ec840fa14d90461ffb57f8ab9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
4714969f58e2a986d1d9a45e23acecbc

SHA1
e58861b0960a31bf2d8a9b261d31e21856abdef9

SHA256
931af8e3f6fbb9174ba10e73ea8cc484ad013ada95650695862632bd04a77da5

SHA512
fd37af4f72338370c92e68bcf15084b3e987ecfb3cec5a7d63d65cc3bcd07085c417549089added28df436a82ac4ceca5d02310295580465874e24efe3c01e07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
a809d06e66ff92473f73bd25785fb1d6

SHA1
7224c4fda6cd350a4a5f5d2413282614f28aec08

SHA256
848c77b7734e2f64cd557fb7ab2a7dcb0992ea1cff3ee8d6b1b5b1682feee522

SHA512
787b3c649717408a36b05e03fc3d2aa2f5118baade81ffc2fe504d8d4f87f05640d8923191c2bf11294db282b16253e47ebc275d4d9369f35a1022a83817d054

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
5eddf6b1027aa81654a42b1d50b5a7f9

SHA1
733a51d8065a49aab6565632b340d84d09e4cbe7

SHA256
9a836e07ea11046fcd149daa82468ac02ac145a4e68c46f81409d0f803eed155

SHA512
e655e6875629acadf6eeb43da5374e93a44c22367a502e3ee4c23bc49dc586491e88c54f8c7b7a3e7d64a8c3942fd8a0bcc70c4767bf4ee3e1802287ac35be3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
bf206aff1d795aa053a586ea92d55b2b

SHA1
2f478851bd8092ba652c44b9ad7585517c0997a4

SHA256
6c6b710f8002586c67b3a6003cadea8a33391cf97cf5786478edc4c0b3d2dfe6

SHA512
aa1533db8c9436c9da50d9b9803a4848d73b24454f5bfb7f348cba3f91162b6ad89de372ffc7e1c80189d2e72ebd9d8b4c5497e9ad31182a440e87f2d0650677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
d6b794372806c4acddd0753fe6dabaf6

SHA1
76b093e49f3c3a2b8c0a663311a78e65cab4660d

SHA256
20d5045cf063e0d7c64137a0bfd14d3c3a765413d10dc758ce10c297ea034d86

SHA512
d8ad4e2426933f60b2155d185862d29c573f26d8662b0171b9eb7bde79a9df44c9095b48ff480a75f49fa4dd9e531a496abe6323c5baf81839d832d360dd32dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
415667ce8c9fe534ca4156f9b461df3f

SHA1
1b4666f99cd07945f795bd113e0ff4cea71c218d

SHA256
cf1a7ab1a253dce6928cac95f244171921fd56471c1e21219c1088ba203b385b

SHA512
e24d591cfe96a7fff728c0c3f3afae0bee0071aa37277a94d3e763d6986078ca70e664b365cf929b1ab61d00fe49716afccf106a430de8b77af2ebaefdc2140b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
61200585db2a2567ee9ad16dbab3953d

SHA1
0fed91208cb66ec23978c49cdd1f8371dc4172cc

SHA256
8ee8b93e9fdad046104fb311cf2c4654ffca13ee41519d99e128ea0bea4ffe52

SHA512
6ca0d5b9890c1ede02160cc8aab1f693f1da49b885b4b298bf00548f6b8a5f5ab6ef453547e86d4e422e08c2162699b15ece26552673aa0ae30c13a9036034e0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
2b4d0ee6ffd2ca7a4acdb2712ca7b558

SHA1
858e5c7df5a9e1be962921b1b2c4248d441e2398

SHA256
bc24ebde2b83f50e6584aee3385302194ad44f174333bc7322d92e5eabd2e657

SHA512
4f999a5b346b92b29fe92dc4af0b147f4fc24354edf9768d22c8da3f6696e769604f09d22ac5b4545b60e14e3aaa41d167d2355b6e41ccc00e990a0512595229

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
12f19c44ee564089ac84a1b3931b12fa

SHA1
edf670f7ed05632d9ee54ad2819cfe6a42c9f097

SHA256
4ef0c7e7438e1a632b55109e13e478cbb000f7defe3a1c66df4bad1409cc685e

SHA512
0fe1c79df74b73085051bd3b166df91b476b185fcd936362a76379a798659bb3bef750f6fc49a5513481296d84b394ad624e7db7b35818112847c80e91c72b85

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c677e74a0b465d8532121d61ac235ec8

SHA1
84e1c6769be98aaa0a2e9ebdbce1bdcf394ea068

SHA256
c80c8c791a6fb76fc9697b8ae7801725947cb8f2b72b5021d0b68178b0c58c22

SHA512
6d60025af2d27c17ae92ce6c6eb84f35deec8143a80d7ac838323ab3a773997e70b39ce89c2a4fec82e417b783534b574bb6c00117513f2a1dc8d15740c01af4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
84667d63b92f7ae3df054d55c52574a6

SHA1
32e4e3511a35741e082e1a27cae31ae36fc9d165

SHA256
3539c30cf7b328cc9dab8cc70729b0c33205d3f8802e6d712af3189d4f34f264

SHA512
bfba98a49142370f3c76130bc3e3dda4cd84088ca875b01a9bc894b0c302e73a970cf5c7cc9f6fdaf745063ac2e9cf0020118b75b2c369d1a91d67542896872c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fd706a3cd5b427d41a785f03806673a8

SHA1
f7019c9b914f124da0b7a6f8542047102ed7f918

SHA256
a84ff02fa1e2a6f7510a88a4959d6a41604cdec6f28632beee62f6243db25063

SHA512
b3fb01609178124a185e2ee1d8bd2e52771d083987edcee48165796150d1c01101d82f4e88b5a6ed1907735130f16f32b15dbec0035463cd99454f03508d4d0a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b24ddc7f304a8d5290ae09011e9240eb

SHA1
007094162881f2d8ab1c14db48e478580769aa5e

SHA256
c7661ac677967355edb2a870952a2ee6176c788118db66c658c3f1ca56ab1104

SHA512
b8ca7294314e25a2d87c9a946c437457107b02ce33106f1e9ce87770b05d64d8b7508b23fc4457c292fed4bbffad3cac479a809eddf5c6629691dc4225a90446

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
aaad4833f4419990115907320b42e6d4

SHA1
cdb38de486e4c66ddff58d6eeba35a2eca42e632

SHA256
f987a4d156453df1051cbcf2360144972ccd387a00d6d4733fa49c3a6b906ef4

SHA512
8de5036de0a032f6750e7ed4f8dc6ff1b6bb7ebb8644454fe2212da9f627435d6dae612fe76b82b12ca6cb6af20ff1b78cda3a77e656b58ec7aaec3a9e105205

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
de540ed398893f82d1228bb569ffd932

SHA1
129c080b44263afc97ee969b56b1e785debf14c3

SHA256
a941b46c004b1463e121e96a9d840d7988ebfa42f6ff52387ff0e832f1b5e28f

SHA512
246a4c94ab71006f221af230a088e59ea50d85c565d2ad76ae1cf678d26d2a42ff9222385b05d74b4867892b51f14a7adbcde65fda2fc1fd5a1efab3e7c63fe5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d6808df6e9f94f6b74159246adf49f44

SHA1
91a1b650862320c49f5aa6585f8089d66827fc01

SHA256
f08aac07ba617db2279cfa6bd9f48155155615e485913767b1105f58ed270e64

SHA512
f56fec7d8a2ced0dd1c7c2fa7274230aae7b403a72c6e4770558b639952f0702d63c119dbe7cfc91ee9dadfa56d55a0f1e3cf7e7dadafe75c7a78d27ea37e412

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ad835528cae65a3e17a4bcf655b30966

SHA1
81c303193e4cee4f64025e15b74b4052b12b37c1

SHA256
3f17685ca672d2c5c016244f646cc4879527c6ab831a7fa39413a49bdacf00af

SHA512
84b5132869e8b691079e0cc5340de914f2487516e5aa793f01be4a7fe6e1b7f31d1b94e4e3fa108fef86452a5917f8eac39a96fede3fb4caeeb2ee291881b673

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
951f77e775d4e46fddf6642dab004842

SHA1
1ed9b477af5e218af1586772acf030efad0cf979

SHA256
3e52b6105c0640b401906ba0e8185edb7d122b550f66817abac4b05d09ca65ea

SHA512
b4cbb2b26d3ce7175b2fc00bb16d4a0d84f547450c53793ee1f25ddc1a4f0d158948c496737eca57c6379b6f86ddfb1505eab141f79084213b7e1c013130d07d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
9a333bece9d6f56e73bcf4da3d125c96

SHA1
5cd819eccaf1eebdced6f61a08458d2ede9192e0

SHA256
da3eb66d8c590faa6de2513a827a87152ab196616663c815ba14b94e0d04b1e2

SHA512
6439efca68112a829b659f845af2f273d8115cb1abe2cb96ce1fc733ab1c70e274ca8596fd3f47db2ec71dbd85e877e6744eed265f5837b43efe832a2136c90a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8b72b870b0be560edb7a6ff9e6f09c79

SHA1
ec781adb75fb914905e6c67e6efcb78a87d1ec86

SHA256
8e3a770a10a8f2b159213638dbc139a2e5a4931d1303f2e3153a4c307d41cafb

SHA512
402d323a8890b3685313e187246ab3bd0ce571cf0f195c937539ed212caa2cc7137ad60718bf745488d8da1f5d514649439e1b9b2866802289de7ad0b1c651d7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
df36c2cd2e9407789ecc17cbd02e2db3

SHA1
838f3714f46eb202bcf8686b42114c168eccdd9f

SHA256
976270f22e8431ddfc08e812fa698d28ed1b8c6d7dd614b599c4cfcedda20991

SHA512
dff9b3b9caafbd10f3c05db7a83edcdea9c4e7624595520d52beac0198d243111c0141ad64367d047df4f0b94f4ba46f671f924eca2e178addf071707a2319d8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
831bffc1105e6fc5cfc5e5fc2f3abfb6

SHA1
3d33f41450d8526ddf1e8e9c7ae6070bd361c2d0

SHA256
e61b01492a3bc338108762fd4fe6c51a1670d05cce18b67065ea38cd64be255d

SHA512
06fadd889115c7288350e762307eb2571eca99b3c25476d76a33cb18d6b44c8e976d6b69f63ee0969e5cb86340af36a386842d19beb9e5adbbc2366d0eb41e67

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
fa987803fe93c49b38882a4498c88839

SHA1
f71b162aeeb925398bc1aa9ca7ee2285b9b7a1ae

SHA256
9bfb007909d93651e93f08824e0d2719d594e957ea08a59aa08316b2af084992

SHA512
3dfad6527e3b416cfbe60cbe68e86ff82c455613c2de12907ab26ced4b55df741f1e7a1d6bcf32faf29e9f5e86fe44852c68541af4f34241840df779e63f855a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c527c97ad268c21f8f3c8f948f14ffa8

SHA1
267c48939103501825dd08343f997bbf7b214bff

SHA256
3bc0df454c59c53d29a0123254f6d4a33c80272472e56d839968f5d7a16a2ca6

SHA512
905c850da04d8a08e77b50313d8152edf64f41f0c00b77eefbd1ee92dd4f4d7245f595ec6ea47aa6c3fb0805dee7fda87da907a2201d70d809d4f2b7bd7cd133

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9b42b2eb54b780ed915f35858878e500

SHA1
d41738c5cb74c11b3ba981802e0ec2b2252bba95

SHA256
85b88e9ac5b3e9d67679374dbc39049bc1388f91e407e7d8b87b4f23ce2a205e

SHA512
09190a5b1149aaa66b0e934b64f812bdc18159d7ac084891f8cb536a66deadc534c282d21b76fd84d830052de4b3c4db7b5a8b8c06d757b8d67d60e9885bb6d1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3cab8438e310c755405449ffe1ee710d

SHA1
22c246299db83e2034a77160bb6633d84d8dbd90

SHA256
ba372c1a8ea7abf5143775c779420d499151283039219855c844e74e4381aa78

SHA512
7120342c604eee8ec6739d35eb28b15ad3c211fe7dd432734558c9e992a294a43eb6b5a5f3e78a6130dfb722ab7eee4562e5f68a3f9c66e6596155e83ae509c7

Download Submit
memory/448-234-0x00007FF9B81D0000-0x00007FF9B83C5000-memory.dmp

Filesize
2.0MB

Download
memory/448-21-0x00007FF9B81D0000-0x00007FF9B83C5000-memory.dmp

Filesize
2.0MB

Download
memory/448-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/448-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/448-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/448-233-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1232-426-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1232-682-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1440-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/1440-6-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/1440-25-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/1440-9-0x00007FF9B81D0000-0x00007FF9B83C5000-memory.dmp

Filesize
2.0MB

Download
memory/1440-1-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/1624-364-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1624-676-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1788-679-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1788-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1980-254-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1980-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1980-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2104-658-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2104-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2456-684-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2456-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2544-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2544-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2796-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2796-680-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2948-238-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2948-34-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2948-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2948-28-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2948-48-0x00007FF9B81D0000-0x00007FF9B83C5000-memory.dmp

Filesize
2.0MB

Download
memory/2948-235-0x00007FF9B81D0000-0x00007FF9B83C5000-memory.dmp

Filesize
2.0MB

Download
memory/3040-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3040-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3040-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3040-59-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3040-49-0x00007FF9B81D0000-0x00007FF9B83C5000-memory.dmp

Filesize
2.0MB

Download
memory/3040-239-0x00007FF9B81D0000-0x00007FF9B83C5000-memory.dmp

Filesize
2.0MB

Download
memory/3116-69-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3116-75-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3116-63-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3276-681-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3276-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3584-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3584-561-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3584-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3732-307-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3732-425-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3936-338-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3936-526-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4248-675-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4248-352-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4276-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4276-257-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4276-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4332-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4332-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4332-60-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4332-74-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4332-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4448-297-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4448-413-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4548-294-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4548-401-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5060-271-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5060-389-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download