828839f161b264414a595b666347fd55157c4e37b5f181f60c17943164d5695a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
Size

1017KB
MD5

135ecd9629aaf6ade5b24eabffc12913
SHA1

2c01092017f250cbf10de1f127ded183558e8ae7
SHA256

828839f161b264414a595b666347fd55157c4e37b5f181f60c17943164d5695a
SHA512

76d79704513d830e2421e15931559fb1ed198e257f0d28037ce5d9cc5a7712d3e016fa28f3c3c78f8478a8c529177710f15d99b258525fdc04b20ec48dab136c
SSDEEP

12288:d2lWRPhhA9PRWg9b6JvY67VMBNO/aXpXI22+VufvdIOKek1h4TA8bXQJYe:d2lmh4R36J17W8CX32+KJNA80T

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1364	alg.exe
1632	elevation_service.exe
372	elevation_service.exe
1672	maintenanceservice.exe
3228	OSE.EXE
3200	DiagnosticsHub.StandardCollector.Service.exe
2108	fxssvc.exe
220	msdtc.exe
2928	PerceptionSimulationService.exe
4012	perfhost.exe
4136	locator.exe
1668	SensorDataService.exe
3172	snmptrap.exe
4740	spectrum.exe
2316	ssh-agent.exe
2412	TieringEngineService.exe
896	AgentService.exe
1860	vds.exe
384	vssvc.exe
3740	wbengine.exe
3480	WmiApSrv.exe
336	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

elevation_service.exealg.exemsdtc.exe2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e92127a98beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000294bb332f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014f57d33f7adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d48f9a33f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d0df632f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6d5bc32f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000399ac132f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6d5bc32f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
1632	elevation_service.exe
1632	elevation_service.exe
1632	elevation_service.exe
1632	elevation_service.exe
1632	elevation_service.exe
1632	elevation_service.exe
1632	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	880	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
Token: SeDebugPrivilege	1364	alg.exe
Token: SeDebugPrivilege	1364	alg.exe
Token: SeDebugPrivilege	1364	alg.exe
Token: SeTakeOwnershipPrivilege	1632	elevation_service.exe
Token: SeAuditPrivilege	2108	fxssvc.exe
Token: SeRestorePrivilege	2412	TieringEngineService.exe
Token: SeManageVolumePrivilege	2412	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	896	AgentService.exe
Token: SeBackupPrivilege	384	vssvc.exe
Token: SeRestorePrivilege	384	vssvc.exe
Token: SeAuditPrivilege	384	vssvc.exe
Token: SeBackupPrivilege	3740	wbengine.exe
Token: SeRestorePrivilege	3740	wbengine.exe
Token: SeSecurityPrivilege	3740	wbengine.exe
Token: 33	336	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	336	SearchIndexer.exe
Token: SeDebugPrivilege	1632	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe

pid	process
880	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
880	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
880	2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 336 wrote to memory of 3100	336	SearchIndexer.exe	SearchProtocolHost.exe
PID 336 wrote to memory of 3100	336	SearchIndexer.exe	SearchProtocolHost.exe
PID 336 wrote to memory of 3208	336	SearchIndexer.exe	SearchFilterHost.exe
PID 336 wrote to memory of 3208	336	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_135ecd9629aaf6ade5b24eabffc12913_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:372

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1672

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:864

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:220

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1668

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4740

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3100

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
64f99e0b599e4481dd227d26f8128509

SHA1
d73892a6a8fc7774b1f2ef399e630a251f0470b9

SHA256
1ed1edc59106cd994bc40eb29a8d912bf18d24a8fe14188353b4533824d63d1b

SHA512
3960e8accab88fbecc85f16228c58e7d4070817b33ecaa3da32daac0b45fb9acc6a06c2ff1ad9cf0b8c7f7f1381d34c01ac1454d3a78964a868f4e0d7c17935e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
4f9614a5c15ea635953fb61a59c318ca

SHA1
460042d9e6b8cae88ebae8c56c63b977b48e6031

SHA256
609dc24d5b52e42457afb992e3d0653868ad0d9ee05c6a0c3455c7c09fb82f47

SHA512
be119cea48e6175c0757ac9dc75b14dbd63c723b67dc0a77cfb9c867b80032a0c90265e3511c870304c30a4544c7829435baf8572252c1f34c87c454f54708d7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
a965ec16b00ed560ed442f3efb96d14a

SHA1
c3f1a790c283e92ce864d17f6dd5333da343a42a

SHA256
fa02e1492f062f9dccc82c92c6642ac119b2298d1db2a5d8d76e776c45e0cc6c

SHA512
63d3907d93963ed3e2565fd72dfce1ff542fdaa286f3748210986d9f2ab47f877ad6e084b197ecfd8bad108acbc9f46f36f27b60a7b79271a7f10bc0cce16124

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4a48d448e2e92a14164ddecdc87f4488

SHA1
0e1db68dc932f7cad298e1558a267bfd88a4ff4c

SHA256
fffad67eb508fd9efe7ea3387c2fc992caf8c6bf8c519e188894b2c4cca7704e

SHA512
55b13cc0251b157589d7d2f377df00f96be37244dea2cd55faab8766348f1fd1f8c1691ae3aa0d24934dd218c797181c252e0736d83daae40216ad0437a5287f

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
11a2f64a8884fb1e928fbf29d44a3513

SHA1
264cadfa11bb4927a00f9f356d901f132bf4f350

SHA256
5e742862b556a7b90666422f4b3eb39e2416c13d77f2acbeba15aae561ee0b42

SHA512
017235be893019680645dd5dbd2d72116ae03caeeaeb094540e4f893a124f3e122f257ebb0249b5f78de27c5e75c9629919e4a8e71603978450b7e804f6e4da7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
8ff4770a16bccde9636fc79e36980231

SHA1
f079fe78179602d0ab4cbd46373c1c1224e7b7c5

SHA256
803005f0b1156408ea5be82f41e2e6a997e9b7333dc579fe73c5ea38ca768549

SHA512
5a5abbc84a106da437ec5839547e0d592d77a6c9ce78f83c89d1d27bf4e3c72d87631f2dba5dc1ea4e4cc1c48b9c41befa935785644f3590003411d6eb183ea7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
622c348d7fb8c0503bf93b76ce1b67c6

SHA1
172b40551938596db4c236fbe3b10e2309bc264f

SHA256
1f7159a0a557def4fc03c27d19657c30cb9b127e30e53ccc1a85c01b138c59eb

SHA512
eb9b12d531c61f305d3d254fbe52a43e91871afc17c703430301e0c5c6e2414bbf14b35ec57a99416c33e5a203e5852cfe2dab1d9a000eca5abd60bf3d69a875

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
44f567b03c8ce7f7e48995e9020a10e9

SHA1
12d231d796644228f2153cdd86ff2ca0042c52fa

SHA256
ced9de2182002c9d6d42c0bef073ba85667a3f4ff881054d2ccfbb93d71d36b0

SHA512
f628eaeccfcfdcc348e15b6682980e048748dbba2cfe94bf468f611443a2d5072156b00a38ea812201c632301f696e79d88447ba28014bae6300bf5b11848592

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
58e4a694c28e595a6120362c10c13390

SHA1
bce0facb4626d3847bd47e0894896597dd57524f

SHA256
faabe3674c3e25b4542cf1df119f20169db3059f0c13db0131c00fc5cda442f0

SHA512
45e23b8d0e945672cd55925065b6a2691036de8c3346e444088238a1f8490ffa1a256970848e06ed89b3b1314c52ffe0038e46c486effbc1802463fb5815e7d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
34bcd4b61f37bd8572ea7592cab89a68

SHA1
8f2fbf8692af47a5e4ab4f315a363d79dfb156ec

SHA256
6009af65654fb4fe8dc4b7e91fc891cf88dffdbd73974c874cef405e77087dd5

SHA512
1ed6abeabd4afa8c1a19fadb724bb8b295a27d0aefbee636f1aaaf0bb2bb8b9f7ab4fdcdf66db480f1980892c68847bbf6b31db69d441b9641fb2423d64d1ab4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5097c63858d885c8f432b21351cc7ff3

SHA1
6d409e06297be369a7277899ea8fd85459cbce81

SHA256
d06d8ddd80ae8a9c783939112a4f7144f38031a0e9e1e55433515ca8566c4da2

SHA512
81f2b75ce8cfe5bd21e5d1c78c568183fe4a10ab7fd7adee63a88aa1169a921291f2d6e33abcc99e7aff353296da8e3ff84b6713d54855738ca09e8606c52974

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
542b5d8cf4a01d4ab8dffb0dabefcb56

SHA1
545415f5dc793150f44de74812f7b128f865477e

SHA256
4758aad8e3d0bf17df3837680e000b6d303c0c441f4d511604106f15aa2a3eac

SHA512
a609155e00d5a1dfe24a2930f2cc17b2efff789dc4f9d01f8defa19adf37bea38d36b808c319e84ce3524582ee7fc6a7635a9c31fdcd2a6ddaa14c448ed475b0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
6f626f9acdb8b1cf6387a045cca1db86

SHA1
48601aada4d25404f667aa2f17a2e63a230f4d03

SHA256
9214b9d1c37f5870822e4dcd9b021dc707c7f332570cf9c71b0b1389feb0b300

SHA512
3a0564a60a6798b9ba335213a81244520b3a2babc07dc30976d7850f0bdda8a825ca56c617d6492252b75a4318fa591d8fbf8541389f570156dbeb3250043802

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
37d50ff4958668f334970f544c31d07a

SHA1
39226b2cd4b0fa88dc1f3c929d1b572fb02cf218

SHA256
0bc411e734c44d966643cb753bd3c8e3f058fa5384b52830f0ac5112d1be8990

SHA512
e74295434d6cf09861f4b80298b2632840044b1016dabaa8fb6781b056f8fd95538f2bcc01f1b02332ef17c485fad4c2cbe5014470cd0f6925ebeec8987e3c90

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2b0435cbf36a474cb86ce48b9076eecb

SHA1
fccb6c93d0a7b15853bcc462fe8fb1cac42e5ed0

SHA256
986f2194c54cd9fb968e03d90764632933fa5a03e21d11bdb7247c95bed908cb

SHA512
b91ae6dce5012dba1fc281a2a34e4f77711ed21ea9c362b29ced614c8afbab10718d9591945c8ccb4d719ee281cc8f8c0b52a64e541ad0208d02721c856ac677

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
64b3840511bc2f4675484419e6f0b7c0

SHA1
fb6f94bc330cb04ea5a9c5957157e4999cc1f99a

SHA256
1e0ef2d053c83d466af10824ab85a2c93dbf55a1e834c5d1dda8223d461d69b2

SHA512
c84ebbf5d73fdd86d69f0c702040a335112c824aa43ec6cff5ee59f7c9a933ae911ce55fbe28123b16c863f4a43bbb2037463366f2cee9e97916867ce505e3ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
a5b4986a99b86ca007581907a897ab27

SHA1
6d3318a8b7f555b1bed023540c8b623cf84705ee

SHA256
d35ef25f9bb9f9347434a7acfacff60bddfb84811f621578094bff899adcf1bd

SHA512
c682afe64d65cc81619911fc4c9e9c8155f6648d4cbb449e27474a18c59aac721bd58ff99f70a8d5bf043f9967002dfad837e3863c906f6f1a7c6ec55bccf79c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
84017a088db716d9f096cd84e374f2d1

SHA1
acaa67a55a48d2201652b0b658ba9e9c2f6f53e8

SHA256
c8bd15f3fea045df3c0035713e46d77a1677927fe9ca0e35b2a6bcdcc31e48c3

SHA512
4ca81a4bea907d32fe659daa76059f0fc2cef5529f42efbc11970c328ba96f66c2c168503ea13c05da76eebc5197a2dc29ac5cf578e9b59b560541753c4e223f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
ac0840ae8286e63ea2fefafd3ed40871

SHA1
da701475347db01ea0e0c34fc1b629b532cb99a9

SHA256
73f9791c16bfd94c6efd014110dd2ce9b6305ce822da24265f69590f82b56a95

SHA512
d03c0dddc14b5964f3b939cc3ac55ba45f120426e525eb363f020dcc2bccea38bbea453044ee3db5423f3f21ca93e66ce0b73d1d5f5b692cfec38b5117ce89f0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
9287ae8e4981e7c4ea733946b7c7d253

SHA1
00d48dd48fb0ade8e9c0ae2dccabde4b850ba76c

SHA256
1c0483809c7ebbc47b3a964d535f85c82d7d820c1cb81e4e4e9a56935b82de1f

SHA512
560a714cfd23ddcf8eab72431566e1eef48020b8aa7bbc26d8add1f70e2394d2eed9d06e4fae87511f32ece14a0dec8993a1225f2688e8d46bc96f574f23b414

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
23ba0ff9fcc35b1387407a3740dcdf6c

SHA1
df4888f7b43570f2bac85e73d2f223df3f381a18

SHA256
81e540f32a8ea9367372bdb6e56332f188d1e61ce11ff845337478d943e4bf07

SHA512
74ea06ac98484ee35695b775e117c78db077ddb4b1cfcf6c34fc4033675103d5d72d819d249575343bea6a8170ac6763a110eadf138773c2b1c92f99702d5792

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
4548913936301056a2092a6882b197bf

SHA1
4dc93b02db11516989eee25db811cdbea977851b

SHA256
da3d9f40cc9f2cc4ab925ad8f9ca748836bd0d287ecf7c9445a396944b8709a2

SHA512
eaec20f71c0e5a4a768266bb8eced84b1c9bb90623ea5e72b14cc180246ef8bf0fc1a74c859923d293ddb142e561c4c3cefb15c46a57c902ed39a341601e7243

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
34c44eb9b9545aa6935b9b28f15b9c54

SHA1
dff2e6eaae8fecfc397ea352322c6419b95ed8c2

SHA256
126234f8e18b86adb6b7e519f252adb8f94948b2deb789a398ca07c18020a133

SHA512
36b38f3de004f907f1634c82fce3f75054fa8fd53cdd1682b74d95dabb49e115d0f616e7b40c2e8f76061787f595fb04d2997bdbeb5e1f338a041fadd6947ccf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
4a2e2fd3ecdce77ac0e97d2a09dad7c2

SHA1
c91e23e1779d4dfaf70956810f50cd73886cbfdc

SHA256
262a03023060df0fafca23e52e38280bccc3214d9569443c1397368050c87684

SHA512
e7a7bd8db4584445eba0e9b94e61d06f6f64025a8dc2965bdce83c639194ae64ba64e34928baa99ac8309cbe19bddf34555fde551c02ee80e416b761e605d29c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
f561a94044aa7a32aad42dee0050ef9e

SHA1
edcd0cbf283b6637932d68b0e9b601b75398dae1

SHA256
cb2d43f94b561a029a0526f9771350066fc7aafec3017007df07619d611c510b

SHA512
b720a20f591280665e108f513961ce622ef5ad1acc04c79cd56bb7ed97851ac6bfcb4f4b5b44a61d7f54c170a6fea6dd32cfb8e1d641bf055fec1e29d1baa963

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
902b9c88cbdd16131b105090578e9575

SHA1
9e905ef27ecb2743b159c89f8a6486e4802cb925

SHA256
e284aebcd3ba0abfb878c60cec544bd8958bbaf7f752881b9bdecb1023e24fa7

SHA512
2a58fb7ca57926527d2e525bf7fd5b03401499145116c2a7d470b3a1cdf12fb4968f8a623729ca0491443e00ed627d81c47c6397980401fcb7347de9eba6d7b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
cb5e01720d67f4d8300aebc1b7568fec

SHA1
fae940e3c4aa9b0fc1646492df7f94fb04e2bc94

SHA256
77182fa9bece498d4d34bacb3bd0e169893478a4929ee62ec7b29540308400ec

SHA512
988088a8038fbb00325e8b593ead005dd56fbb29d22898bac1f560a96a60db0143729c6b95372970a851316393dee5a57a0a7dfa30173e5ae3990eed3e1473b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
c843c6a81e8ac972ece1d6feb5603a47

SHA1
19bcb3d6ec4b5d9a1911a9c4604ef4f31802652f

SHA256
6b0d012800c9a4091b5939b1f0d53aa7eb848c024cc36d83231118bdf816715e

SHA512
1d3392f94cd70403e76bbd83e8719363e47bf67998979cbd43acff272ee6c90966dd3fb82b3377b9f1d20b30af3475b6c68f3a457bd90eff72ab360b79d9f667

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
abe2cde526a7589264f59a8bcea448d2

SHA1
40f6f56600a50f6dcdde3b7f8addb30c3ce5aadb

SHA256
1456616c9859283c6a3ad6e20a4ffab6001b8ea24db2de3595e27db479fe55fd

SHA512
1a49cdc2462efa0fafb6c4d9df0b77380d54fcd0fcedd53fb1fe9aa8863fcf43cdf8ca95ba8d89f0ef26ff42624bdba17d6718c8254cfb5586e974a225b7d97f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
d3cb16f49241334307975731f9a4922b

SHA1
43001ddedb708cfce36943741a438472886cf1c3

SHA256
e9ff29b6f73cc1797a28ea59c280c33490ae30974b904125eca1cd0797419e20

SHA512
d13c6106cda4d41deb09063082d4451668626a3cb45dabcd4d8e00ed45abed5941a6c801e3f8b41d532ec869f19ddcd1853ca881218e521e74855bcf9245dc93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
fe4e46f823cd5bfecc63ae0bcc07dec9

SHA1
d38290463cf57532de277d42e803b63c1d6709fb

SHA256
dae793443be9fa08eb83ee5e9edbe10194cb713b0bb11dda65e69b3c6f708a1a

SHA512
67ef9280e5e2607a939a3891ee01a6e2c9a057ccbc9d7dade210b81ab738eae105509001d2dc1c1c9b0b4efd7cc7189c489fb5c1e1a7fb24c443896ad0797aff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
1c3d2f9d28b481339f27410091ac78d6

SHA1
46f76a4e4ea588982ef63fc8c48bddd92a26a84a

SHA256
427c120e852c5ca3f3de1357e7fd5637d60e2651b2f025755aca198150ac372b

SHA512
dc7a5a6348dd8f7117173acf2939a0912405a645d95f52943d8586b5bf9ebdc23ed5069056062a683474810cca0c084409f9a4b76c377b69bb1dcc53f9ea5cc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
e411a66cba8413ed86ffeaf2d1888b6c

SHA1
9c881f3665026e20f3615377f7171ad782bf4f61

SHA256
c60dc322c967ed9a054a1eafd761e692dfc6a3015f254b8f8c75447fef72a729

SHA512
5404fa095b86462c197e8dd7c1aefe2352ab78a488adcfdd76eae0f66832b453307b6c59d1b465b37240917bfc54352a2bb20d80cf35c7b43640581cfff59dc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
13b257d249940aeedca6e1e2d66e7064

SHA1
3906b2bf884641cc82e11f2b14453228657505be

SHA256
fee9f30b2428af11a4786f8bc2db07c90e8398dee2a5279768b4403aeb21b993

SHA512
31677a7cfbfd7859e5c8f9d4bb2a0197d424d44bfa1499514211f0ff72e44a81fb5d98f2b876e1d5de0dcd6c060e9f92446f05e03659c853d53811c3ef84f8d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
417d933248aabaecd1763598ac47c62b

SHA1
4a45c34a8dd69be96388aabf82d8b5fce43f5d7d

SHA256
608b3e1c7d5a205ca87144d4426ed3b4d80254a75006cf29335875b363b8eab0

SHA512
0af180cd7aaa67afd3825fca5eb2dfbf09bf775fd46d62fcd6ee6f17e552b4b4b180b96797790a9a8f53256dcd06ea93efe8dbe6a23358a0e56464fa237e10c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
cba5445f893b13f12c353d4fa9b7a699

SHA1
96a8f9d32285b95d6dc85280ad6064c8364ab05d

SHA256
ad6b58eb0d61741763d29065bcdfd9b281192536d2afabe95be995b9f96a18ea

SHA512
4ae49322e23c1b874460d413410f959ca4734f9a065be2fe18964df9a8f2f4a23e60b543dad7567bb8f26ab8ca14627c115e11fab1fd1023fea4c50f46a210f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
3367cf40bca5c93e2cb2a078605583d1

SHA1
a9bc446791c36bfa8a5775f3f2ab1614f741c280

SHA256
fe15646e5ad468dfef9b3f51c77a0e3ffae769afebd3ab744f09fb2c0a57eaaf

SHA512
9c15c59f8392c86c95b5a8d61c031c4d574a16cad0399b3805c7d9886002b17b707e6878aac90ceaeb01baa32ffb0db70d4875edf72d002e0a927ae6e5d54c46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
a2921b864ceabce9f710d87fe6035379

SHA1
2d1757443c8d7d727c1f68f925132186ed919951

SHA256
a5f8061843970f621684909443f647fa8d06f9206cc06a94d6226937d5663e36

SHA512
5845c2269615bad61dff4f1820dec57251aa069688b781a11b6cf7529fa4ef0a6e5f8ddad5c972a0e54652e0ac48932302baed0fec94e5897bd0b094440e3b7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
480d514b8ec1154e3766cef52c543c1a

SHA1
0a028dc335d2399fd495862d27805529afc3127a

SHA256
d757da89db4a89781a870fea9c5763e3ab2d185a6cde95e6980dd7e26db0da64

SHA512
d5d9b381811a17f2c99a3fe6435e7c687cfd6210e21df5319345d1ed6dffa0153f7e488a0bc3f90b98b3f0d1140852064457cd9afe2195da3eeaf64de8bb8b87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
8ed2d2dbe21e0e293f9c762aa0e9051f

SHA1
8022f5e0b0767f631d334caf869b85898efd4f62

SHA256
1f809729308b6220f0091932529401d833289bb88b44a086f8d765230c9ba2a7

SHA512
2645e1a0b5858981035bd8d2d8c0455c31fcce66a8d76b3efa5692a98f1cc81e5f8d177acbf09409f980a1e20d55bdee667245a8f508fead7f8cb0323c3b1dfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
c389bc24c22caf6cff0ada8166f3ad9c

SHA1
0405f169518815e64c63bb841053f58305a875b1

SHA256
7a120a786529ee801cc6c016282820befcf902c3eb9c23f942fcb9148da7dbae

SHA512
234f55f0baefe59d094951011e44079bd19097b969fad2f3dabb0e73d40572765fe8eb77faa4fd1b9ba388246cb5ac393a06454e9a6c89d30a141d5b4455795e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
250e323d44895ebe92dd29dba1eb64a0

SHA1
db16e6607a1a10fb06d6dffa1282dbca29696be7

SHA256
8709398c8e4378697e56ce9c8fa0d08f4a9ac9c274152cb6e492a17337110daf

SHA512
9e242ab319ae558a95724480bb93f237834829bcdb84f391aed346b9c3a1ef0d861b19970a54773762947cbf3961d195574544574ec897cda517d1a3c856b69a

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
86d5e4dcc27fcf54187595fcbf0f927b

SHA1
ec068bb636da16f7bd013579d1f02e86ff439b9e

SHA256
9fbc6e54348bbaef80cc2f27f8d0bf549d4dc5fdba742ea5510a0186675b9974

SHA512
7287b4e326083f9fe77830856dbccb04544179983dd4198624a25565de5e80622bd86fbbb1f9d6e7d08fbe228dfb9cbccad2bacbbb2e983a85c94c2918014c62

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
76928f696c977a700ab96e4eb5c1a5f6

SHA1
a5717652ae0943a0b9ac33451652907fa09454e4

SHA256
062c90ae6a7fafc1601056628a8c183e4e296c76e520ba0b68fd7fb36eeccb40

SHA512
6bbe6cd47daf9312d89ccf57e06a8d1eff22925a05c353624434a054ea1f288f54da037c534fb834dee39b0844a864e0dd25bac8ae6b110533152b0b9a2cb766

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
394199ea73e8b7b9a8c26489489f4702

SHA1
c23d8a031ae503a2ab2ac7d9ea9eeccf1f7497bb

SHA256
14f131dd6ef2f35277d4ccaa8e211859c61a41910edfc6eb6215119d5fbedeb1

SHA512
fb8c593d1394dc4e2cb5dc13884f99a6062bfea47690112c86c5d7eafdf7ac88159234534c5a9d8b86376955ce9fe1c24d8a3990c5f1937e8dd026f8ec748779

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
cc7b4b332b859c013196dcf3b71d78dd

SHA1
c7b54a7bf09826a2920f8cfee2a5e65b61136be2

SHA256
5be676bfc2940e72080f89bbcc705ac13688cc7ecab51bab412ee834af7bf9db

SHA512
e48bc7995e776d6e63d7235a8d5072831c43e29d65e0eec848f918a9c07416b94ba6566b2476943fd84f0b498571e483549c555dd7c673a0c0cf7d5db9ce023f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
960a98f6e49d7ae489d804996b57a62d

SHA1
20a7d21f7553a52ff9ff18ac1b37820bd13cf664

SHA256
b74eedead56ce3d63070793323e15a284c0a69a935d220648962a85f15a4f54b

SHA512
3debe8f996cbb01eaf4a6befc080d0ba55d45a0126dbb77499fb8ba8418dad129a562c886d500f1c836b123b50c225722434f82e685a95784ee5adf9242cdc60

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
d051d3d337ee40f2d00f1ca65198a17f

SHA1
6df33b1663d10a9fac328d76d7c3643ab927078d

SHA256
ef3c606337778b8a0354ec7a3c0332d84968bf5d65383a3aa5db628b9c7e5003

SHA512
9ff591a82c492367d6155716c4574bbd15eac32b5a21191b1a3d4d55935c12931b9a526b1efedbd0e074fa730a894e79322ea8702ae5e6e4d4c9c72ec7a3eae5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
1acc3ea97838c277fd52ca170a941cf2

SHA1
e8d227abd256e37d3ef5590c5595773c3c06407f

SHA256
c31f65338d710ad0fda09ac6878f25dd4269370020ed223c6421cc5ac24ea0b6

SHA512
48f18541b6db0f211c947816a431c1f01d4116eb0496159b7d4969a8cda57215855d4933cc8e691f24325a8c94213bada76c7c301f6996f9785903e197669909

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
1e1a010acb82f300ee0200621f5fa84b

SHA1
78e22b2907458de63922cf810cc525e17e3734d2

SHA256
ccf9d1fb21508ddd501e0f5f8e34b099e7d3ebbc7697d31ac70f89059edc500a

SHA512
617753c072f40b41a0a1f5215c916618f8407531b66e8b1038bc6542b167266ba3c26c10f682d46fb6871e2bb0375ae49de59039cd3cd093cc050e3b4a57c1b1

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
871e6f1f31e67a7d241090078c030374

SHA1
f4f5e47ad9dfbe15095e6d313740448aa5152111

SHA256
f15a5ed1bf45b68d45a66ddd01edfbc42ae12d902df0545687622d4c1ec66d3c

SHA512
94ec082a550ae23b897ae0b5caae94ce232aba2b29f89772f3a902f4930fbf984ed8dbd033d647e325408a35ae4fa770284ed466cae7911a57958b023361db88

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
80bed5456937e9cb772aad6382036383

SHA1
b82ea17136e92176001d8153af7b2e5aef5e8e6b

SHA256
43ef12e1bc68e74a16351f6d592f949e793277198a1356c68e06ac4844d9bdbd

SHA512
f2905b3b07172b87eae1b475d34132e3421d9d37f422038a0fa4c16040e9368aa31eceb420ad3182868d1e5894f1c1b1ccb3e50ca77fe157dc6d7e998a2ab422

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4c0b5aaca8fff438fda4da3c4ff985d6

SHA1
6eb11a49bf416545d09d9f436faabef07d449e62

SHA256
13154a76230827a10e05ee38b0322ec6d81838795c2a06043e861b605fca0c59

SHA512
ffa609918ebebb13a14db43bed8045fc32cda353ac0a9fc193dbd9f7f3ef5db0799ab930406cde7b912e2712fd53dd24e40f346b712005d778beac08b523292d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
ad216a4586676b7ef9eed1d760d08399

SHA1
25ba4dbe33a7226fd4e8d9ea78339a7aa3c066ad

SHA256
d4f730a28f8ed7348b3c988d0ad5e0ed24c0659e7bb276097f7ebaf86a983a8e

SHA512
8df611280d651f387276c5b20050658715046d233cdc85f1fbf486c99d6bbea3239ed1dfef7e5627516502676c7155810a8a14ab2c757399a07246ae057987ad

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f60a5b7d324f3b1ad5e2f0e5e14d1d9c

SHA1
4844f0c8effb13c195388bd7fad0ce3cc9554efe

SHA256
3cc6d2b7235cc300a3f646ae44b6975a43932a49a6c5b62ece35a1f6d7f9803a

SHA512
96952f101952f3c641e0c374f2e14c6e2ad64b4c779983b12d8b2a5ecd018a9f0053bdbc24eb1003692b4fd323c2e684f2dd5c5fcdbe1f408c05aa9e3e61d3c2

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
83efd74d2f2954999d546951b1af6182

SHA1
d9caf61e80d8203ef8089981954dd775cdd83460

SHA256
6dd7450e2d1e9a00eea7466b884bd33cf9bab892fd7e90a2ca0a4d4f741b51e1

SHA512
c17a055c382c435e6b4c2788520752e3de9da0a04787a0a961997d0dd8e20a709aebacd0aff2009e3be82dd4e56902db2981039dbbac88fa78c0a5d2961039bc

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
599b6f74de71ac4c928a2fc8a0389a1a

SHA1
4bddbf9cda3354995bf077211f7c6beb77c1c2b5

SHA256
98120e838f345de29499c0d55fccc7b9039b479153e6e1aa23e4838f82db7c58

SHA512
a93b8a45456bdd7090f702e97a4eb654cad4700d9d28dc8a6a1ad12b36bf0185367d274e4aa0a69cba4ffdc69f91cd923d1d6c66bd8b5fb30ae5977809e01e88

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
972bc2832ea5c18cb15a95a693206fda

SHA1
d34272caf60d2b1e6759dc69870bd0e800e442b8

SHA256
8b9171e3dbbb4c88886d5130164e44eecd808be8d7c1a81217dede41f110a381

SHA512
0be0a0b3f66d9975a46858a2d946d7f21ee05a49657552959ade96b35c68e40c8683a1dd93712e296c08f3a09df718752e29b1736609c3686ef3f8f86bbbfdf7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
bf9d2e15b4b94c9d9d37766f4078d740

SHA1
bf4ae775fc010310fed521d384eeea8c6503e5b6

SHA256
ff10cbdc8640fff34b945d991ac6b8a01f285f9d667d5f8258bd4ec70e60af4c

SHA512
c6d572fee14a4ecb04a2919fbc939637020bd20f0c0fa5b4854f976310b889f68aa94178f980d5b7893ec07859b97ee704574b331a826f17674669383e7c2e60

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
505a4abae57b9fd047888801535c305e

SHA1
210c24b9a87f6c95fe49d144efe4002e4d200341

SHA256
d31f5be7d61eb4a3806c99915b581a661e16763175ecf852b0ecac4f9836e579

SHA512
b22bcf9064dbce90677f47e749345a9de814d094b4ce60d6c2287437429d5ad251ac82c0f1eba4b30b033432163cd00c61e52ed0e0ff7787ebee688f30aa913b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3e7ec6d769568f496a5d8d1e045180bf

SHA1
27dc9136a736c7570a5b4e19ee5dc08f2643dc77

SHA256
4463a7ff8cbfcb499470ce956b850f3816508e3f77ec3f380651109e98b6ec87

SHA512
e6712a2eff80a8c06cf7ea486078e375e73ba0dfebeb6cdf94ae35421d4f4545cd657712b7d5aa0aec0127164c6a2842641bc11bd56ff976696dfd19487933b4

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
2f06dcd9c680e74247c30c32c45afa2e

SHA1
9c46eab5d9fd39c38086f36b8d21cf7b2a79f069

SHA256
d7735293c24d0a8a32a45f5c49bd3bce0d072c60a647fa8eae7fce7776779639

SHA512
ec9f42f572727144fe507d3a46bfa9d2d5dbe2f310f4ae48c9da7f95ca6dc6a011c79e0ad1c633acf163e8a3156bd8d1ff8976177abc05cd935db192c182cf3a

Download Submit
memory/220-387-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/220-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/336-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/336-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/372-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/372-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/372-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/372-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/384-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/384-645-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/880-26-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/880-1-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/880-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/880-8-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/896-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/896-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1364-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1364-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1364-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1364-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1632-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1632-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1632-38-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1632-29-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1668-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1668-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1668-639-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1672-59-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1672-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1672-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1672-63-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1672-53-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1860-644-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1860-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2108-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2108-255-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2108-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2316-640-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2316-351-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2412-362-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2412-641-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2928-399-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2928-281-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3172-523-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3172-336-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3200-251-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3200-243-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3200-249-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3228-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3228-74-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3228-68-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3228-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3480-647-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3480-424-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3740-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3740-646-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4012-411-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4012-295-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4136-423-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4136-305-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4740-636-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4740-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download