9a960ddb94eaaedcfc8c2ede5120f0a33f156f191edeb0949d488087d04bd397

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe
Size

1017KB
MD5

183e5a6e8c72e80ce48a672889fecb2d
SHA1

46f12df43a681360ee7fd7f0f3e3bf8b491aa55b
SHA256

9a960ddb94eaaedcfc8c2ede5120f0a33f156f191edeb0949d488087d04bd397
SHA512

b36c58e6bdba8d0c9b5ae2c7f1559284795e7926b9ca67bbbfa36dbff1d66b51034e071e644dc5d5e18fb88aa0003d9f25850aeec8c2332a36f5b460c3fab342
SSDEEP

24576:l2lmh4RV8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:l2Mh4RVgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2128	alg.exe
4104	elevation_service.exe
4648	elevation_service.exe
4652	maintenanceservice.exe
4044	OSE.EXE
2260	DiagnosticsHub.StandardCollector.Service.exe
2520	fxssvc.exe
1184	msdtc.exe
1792	PerceptionSimulationService.exe
1356	perfhost.exe
4124	locator.exe
1632	SensorDataService.exe
3732	snmptrap.exe
5080	spectrum.exe
2880	ssh-agent.exe
4968	TieringEngineService.exe
2400	AgentService.exe
3436	vds.exe
3536	vssvc.exe
1564	wbengine.exe
4572	WmiApSrv.exe
1316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f9669e18e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080545542f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f34b341f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016395641f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059915042f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f8e6f42f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6c70241f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f38dc940f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4104	elevation_service.exe
4104	elevation_service.exe
4104	elevation_service.exe
4104	elevation_service.exe
4104	elevation_service.exe
4104	elevation_service.exe
4104	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1528	2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeTakeOwnershipPrivilege	4104	elevation_service.exe
Token: SeAuditPrivilege	2520	fxssvc.exe
Token: SeRestorePrivilege	4968	TieringEngineService.exe
Token: SeManageVolumePrivilege	4968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2400	AgentService.exe
Token: SeBackupPrivilege	3536	vssvc.exe
Token: SeRestorePrivilege	3536	vssvc.exe
Token: SeAuditPrivilege	3536	vssvc.exe
Token: SeBackupPrivilege	1564	wbengine.exe
Token: SeRestorePrivilege	1564	wbengine.exe
Token: SeSecurityPrivilege	1564	wbengine.exe
Token: 33	1316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1316	SearchIndexer.exe
Token: SeDebugPrivilege	4104	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe

pid	process
1528	2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe
1528	2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe
1528	2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1316 wrote to memory of 2348	1316	SearchIndexer.exe	SearchProtocolHost.exe
PID 1316 wrote to memory of 2348	1316	SearchIndexer.exe	SearchProtocolHost.exe
PID 1316 wrote to memory of 1736	1316	SearchIndexer.exe	SearchFilterHost.exe
PID 1316 wrote to memory of 1736	1316	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_183e5a6e8c72e80ce48a672889fecb2d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4648

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4652

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1184

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5080

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4060

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2348

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7d684b75004e27cf9c3a395e848128e0

SHA1
902525368cc074872f215db0fd3df78eb7dcc61a

SHA256
14fc8fedd3a2fea17cce408097eef60078c352eabf21c5d67e5769ca2134e73c

SHA512
9e5b513b02b1ceec97c726e0d28f78c6885256ff8724435ed62b9aef4ffea2dc41791c7a4bc23dca12ff46115da1f9cd6f24de0eaf5d0218b0ee819b2b5fd864

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
5cb14310a86ebd3799d152461634f92d

SHA1
5eba16b1f388220c3e7c4606134e9b5198a0dc01

SHA256
d411d472f1db61ea5c68b085ff6e04b918f1c4b6e11e8c99e6cf7df5256e2b51

SHA512
d15239d0392767a47812b5b305edf881cb65af6d3770d765c016a18c575662fe36fe408ddd7f1dfe30dd914294f8c51ceedb588cf2859be15ac823443ae2534b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
f382cbdcdc85d9c91218499d014c550d

SHA1
520ad90b1e80bfd1f4a4c49d1950c863fff950d6

SHA256
fb4bd72b43cb259dd6676008113a6bc830c4bcebd2d085b8431f2027b9fe4618

SHA512
ef97d8f8da0b77e7084eaa380d49a67129b725389ef7868b8f065acfd0be14c79fb013913f71c253b619c25031232da96f9ed75e360af70ae4d88b8e6c48e4c9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
7f18accc6d7520ce7bc072ba49e37c48

SHA1
873314ae9f303143e25363a50d78591c29e2475d

SHA256
69675435c5bcd07ded09ccfb7ee115bfadce68b70d0550b2716f38350d307973

SHA512
eab270ce2d7b8cc059cc72534e79bed985ffe20b5c07e74277f22b571ea293d2e864878686f38b03417b456f6419b01ff5b17f8765a7a39e3f53d8cb4d2e2f4a

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6dc18afc0ae9d56eb0afaa8a51702c24

SHA1
233495c52f89dc87cd4a4e1fc247d8cf6ca639e8

SHA256
fabe0fb85320db529cbd457377bbdc2fa2fdea00c4279ba99c6ee5c5ba17287b

SHA512
1c126bdf9b3692497bb3922b4d5335afaaddf37555a310e8d69292e4ac5a59bd811501be89955cd931162a3c0c38d66e69a981dedb8107c722f3452a8db945b5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
25e0f81149fd20bc410de14469a7d7c2

SHA1
fa392a231d76508898cc371681224e8119d1d44b

SHA256
9ba47440763cfa5c0145804e0ebb6057378f2351e14d8580ab2ea0631a861ed6

SHA512
401da8cf99b2d88284d1ab6ebd52364fdb4b6b54be3e5b3a1065aa8a18b5b1c1cad60dcbab2b75f8fad270dc77482ba2c3460a3c4deccdf57b62d1c966f3db48

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
1b8aeaedae732f6760d4b0cf1464c884

SHA1
3fd91c7a15a27c5c5d8733b5ec9bca07e5591b32

SHA256
6895ad6a2ac71ddd57df558f21aff66d51b4c3d2bd7089f0554b8a5fbc3fa850

SHA512
148f87165c42b848d85286b075b8363bda48a26a8b68b39591cb4e1ab1a49815ffa6550f31ad08ee87c405f389d1487ca3684b692f06bb93b9d85143c9908338

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
6303a55d1545731487c69d733f34a66b

SHA1
02661954eb6806254852673b4566b1e3376c083d

SHA256
2ef9cf0c36287bd3ecdced0f2ea991635542516dc83b624f72015303269cf6bc

SHA512
f40ae09c18320b1be00220ba728293d3b03c4a7c85c8137c97bc5eba233a0b5fd08d05111c001d572a4ba2c93ff3890461bf17d48dd41224608c573bc1d363a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
d130e2a5b13f319be7d5db85a3cd3c81

SHA1
5dd217a75d85e745e64493acdfceb972ebb0124b

SHA256
9c6a155dcdd6564be0e398ff0b96e67a3fc3ceb8194e750318d1046fb9a754fe

SHA512
d93423867225f7344acc55982a26bac05dbcf0d75b232e229bcb346e4aefc25b7ac6a6a7752b2fa879275f7628648f0fc652b7face0157fb3669b2186678afc7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
24848a47fde178b3b80e3f18ce59e837

SHA1
734d9a0a33995a1f48fded36f19df2bfdb004489

SHA256
d0c3605f86a78d2983bb503b7634af70eb3bc19e8b2a3cc53616f9166e59964e

SHA512
f5a52b367bbc90c6bac325b6ff8a1bab4e33b3d7215bebb98ba5e9ee29368ede3b9ce0297ea19a7a24537584b3065d628d1175791dbb7f31b56572c09ff9a00f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a7b4e15c83a3e3b7d76d11322cf96f69

SHA1
ed66e94b401ce0563dad234f0eb0aa8abc02e7ed

SHA256
1c78b203473a7d0f898d8619d59d8b1e291cdb0a6fe8c17c580b85c78e9011e7

SHA512
b97a8018de61c565ad7f42e2c4fe9df292c8bf826240a6bf87c8a8b883f269930d10cce96b2bbb748724c79543363fe3542cdbebaace758e08b0a6d6f941fc70

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
1c0a5a21582a9a0551ca23c993caaf17

SHA1
505582a43a936cf7d70693beaac570b91a25bfdc

SHA256
1c4353a6ce2c1ed2c6907245a3c95a25b64fc4a8d44c23111b90b359e1a13b8d

SHA512
76b83bc4a61f66a4687bec3db2d888f68c10096e517e55f2f0e8dc0e5a4da7b3ae419fa006118c8c6534919640a5283f80208f741935658e17622c5c5cd966d3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
3f29337a7e892e3a725dd49f441d6121

SHA1
c8580ea2550413f7f286a64719cdf3fe0875824b

SHA256
aa5985de781e41ce4b5dc2cff360e39d73d216c3cc0ca13802e0cca94d1ae72c

SHA512
5509ab9d3a16b08153aa47417824f7e4c88b41b548a25923810ed242b12b5df63dde02d6fea7660abd14e518d8b6395dda875a162d1628c4ed8d81c6bf2bd105

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
0a7f86c488aeda91ce0d5f7280d314e0

SHA1
4324a51d968a37c8b36042d4d8da43b460576d09

SHA256
ea039432ddd416f2caa142b6cee74cedb79c7df0989fb4a60cf2841b1e8600f7

SHA512
fe6108fdb9c27c15ca2b81335052d77604489726f352bfce959e968c8cfe63cdad041e25f36b64847ae2e270a8f7825af893b12e71f095daf645b567f1f14294

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
6c4d332a2303dbf4a761c79ee44b02d5

SHA1
c52b4358c8cc8fcf35ce7540990d021d211aee12

SHA256
a83e5d0e3ca98829d8d2c5ce221b7a271cd405952bfa36df32f206f628046c76

SHA512
2584174f83655a15f18702364b2186f0f74cc98ca55356c50f255dcd370909fa19ced66a09ed58fb00a73ce36f92ae7723f1923edf827645efba3370a2a947c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
171d3087581574e61ae79371c5db0418

SHA1
303e6df21156249b674cdb16a5e07348cc711a37

SHA256
3b7285c30608ea055ef11e5b772f6b6c6b854955832a4ddbe3a32235015a0497

SHA512
f88f0b0577d1886a67e5f903c5c2785dce83abefe60ee55ed822709e6d2698b0d035267cf9e99ead4e700a035ef32ea077436d3f0c99172de71a6879fa1f1f7f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
468f787bc73a8978b87e5f1caac08f46

SHA1
9870bad215e70bbb1bc67ae79652dfa94cdd14bc

SHA256
5eab9a2f1dfb70331af2990b27fc69d3b2ddaa6a45053e127d5ec1f1b10677ef

SHA512
6b42c037d8a7f6965b726366ce10d2aee96a6425b21ea64c348e33c447a37691064105a140ac588a0db6e811fa7f40c8d8bd9d43e3f329ad1c80fa55fa7f0882

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
50f11195c5b88384ffbc269d7fbcba91

SHA1
ab61ab9eee1d6ed18abdee0021ad3981de368ed2

SHA256
a34371b8c525954e34263fca3e0a9e99df70d055047a1b415cf5ad2bcc686c4f

SHA512
43d227fc248e12b020877a2a6f6fb6e80cc154a656ddb7c75dba3a0565d25c675739177d7b6aeaafaf143f375770cc50cbc2b0b8a3043743d3494b04649e52f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
d6c93ddd8fe56404d1a97f516ebe03cc

SHA1
8bd5c15080147834af958f14c11e1cc28f4d12f1

SHA256
d3cd4c08e3afa1980727484a47815291477dd64d6c8ae5a58cf44be39486d7d5

SHA512
45f8f775573aa9d7f7563761d66e4518209450ccd2fb04f5b048a716ea87d78986818515cdfd7b6e7aef007efbad08aec156e48670518c1d2155ae71aa496ec7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
195f83194686cecbeba131c28e1f0bc3

SHA1
9a5b83aced11efa7f29e47bd4868efe83473d17b

SHA256
a883efec12cf1dd0eee768200ff9612569469a3703f44ac750aa7413fef9151c

SHA512
79207824470c5c9b882d8d22045ca4286930312d3d35ff8ff68abebec734f433b6f37dccc8f025bf6aedd8b7803d4c39eda4eb35e8e5f55a10d4f154c8419923

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
118eb6e708772890f0b3e4c7c710b687

SHA1
29c551f87f5a3b1dfae5787f6fddd556dee0d54a

SHA256
a998abc53d19d1bb9697d24d3fbd6ab0beac0f813fd11926ac79ebe799e3c165

SHA512
3509abf565bb5e8ce77acc345802a27daee9a042fbde66ac3a6b36605b70fa7bb0bb2ca7c419bc38e5ca95b9b1670bbfe2951cf8ada1b31cacf89961acf1eea3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
5f35075403e21f1ff048910069592ef0

SHA1
5b23176ca1fb41593c4ceb25ca7690f52a331e63

SHA256
1293332958b6a845fb0114453db9f2237e55e33596641eeabd8767c12ecf1072

SHA512
8d4794ffba5d4251e96567384768ae9134452b61a03182af505c26332d1c11e32bd2bdb9d52ae02659d078f878c60c6ca9538a4ad79c5b5a6843479e4b6c1e9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
bd8f0bc66e14026d8fbfbab3e76d3a4d

SHA1
4d99f6d024dd9f144944e1ea0f19f1f5299b6f5e

SHA256
dfc58296cf655d02ba495ba02faea6e90aaf51702a821a93f714ee9c26fa81c9

SHA512
7d7fa281e41caa3f6e31e15ddd1b294f3666d6366aae773f70ed5712e0a9369d5695fad49f903f567836e40676543fa815a83d18c160d816d5053904b025c6f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
faf076d2aeb35ac098596d762de49bdf

SHA1
03c4f840f464be6cd28537b65f0651d54df6ab0c

SHA256
f1ceef67dac6e2111dc327c6b7b3ff53cfe5907ad161aa9d58984d6ccc434cd6

SHA512
d643f3cca471a0204c26311cff30a9e2d4ce69926be411baad544d4e85cab104be5b9ea2bf8a0a022e65f1a4aa52707c51f5abc616fc92829eee73a5fa42c606

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
c39bfcbddb92c7d9015ab9b7c317e395

SHA1
ffa84c239dfc96ff03929bf74493c9b7fbf70125

SHA256
69d0fdb95eba6533b07c56abe59b88ad09d3c9c06d4a5511f0aa629489faa9a8

SHA512
94de9d9a5911d9bbed6aed2d34be50993a69fdc65bda7c1f4b6b61f531016996642cbf82c1859a1425b3e39b557e645d2d27faf3c2383df1163fc7b609a1d745

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
271b066eec70345860f905b1b68b4b32

SHA1
2c4b079bd3c321ef3dd6f2827ca45352664b2395

SHA256
9ddd59e10128614e51dfd061afeec9ca668da8d6a809ed89524a60ad4bf4b8e9

SHA512
780feeb30df259d099c51eecbed06471e3cefe2b5695e1c69f2207a92d1414ae71e7c499f3ef9bcb8f60614b88128d6522b1ed22a2c13ce5220b1bbe5c13ea5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
f620aba25f8f3dc3993006832e740c3b

SHA1
c9f10e91891f9819c17262b235fb3aeaa89022d7

SHA256
716fe443f37f8002e3f4f615cdb0122fe4c6d307c44fa47b0ec134c12ecefda5

SHA512
16c0b2673d293fbc1e2195c80f7cfa2bce24a3879348d52a7071ef4d4fe8276ed60fae53aa44b2aaffcee8f44acb6796c66dd3fce5e99781d0ebbb3781a5e0c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
9d8157388fb745be79b6290ea258ecec

SHA1
b72dd1a4495708ef2a7bb080fa1ea6a70e7fcb0f

SHA256
7cd92ac76b360d1fc9a256274bfddbf8feec728217d4b40e92340ff679d4c4a9

SHA512
547652d9b2307bf02737eb0b90f7bae1e8c78543e40ad2d6520627d0ea1939d499efc4533537e3e986a8047e707ddb2d29a4bf9100d6587ea2dd99b992d700b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
945a909a8b28ca94586cec1df3c0f9e5

SHA1
5009d320d4e0963619501f1250ffdb870fa02dca

SHA256
8bfe142fa6f538a2f5628d9282c93ee67eb21eb6d93c4567d549e0c6bb6b16d6

SHA512
aa3c1b14da3bc18d1471dcb878cc5b47fbe8d2254be2fc4d31de22009f56091c44878c383b68bbc2ee6c02acc0ba02eeb2ecfd0640ace2504759b56f4feb03e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
da30977238f6fda0da2bc1fe5b01907d

SHA1
884c16da50f2dcb1b9be549910c5175b65f96a9d

SHA256
e960ddab62879430e701db04fb84198d696c63b066fae017a63fc6bc7a26feb8

SHA512
9b130cb474a0b0da85b12b9b0961af74f1fbe5b22ca051b669694260e3ad664e19318495729a53449b9b7577d14ef00542b5509748f286eb2d1882fb683395f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
0aaae2c72203fa631ef6f6938775e7ef

SHA1
668aa84c399c995ffc6453b255a4ad5d0e567b45

SHA256
ac80171e8f1dd23150b3743fd21df02af751a3b8fc9f048d813ac1b88b47104e

SHA512
25ce8a67640c962d9f717bcb4d21dfc4771320438dea62252329a039c0dfb1f615ddd823196837cfbdb01185c3b8581088060a87f51d8e2f39f66e28f87bc7a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
7af86a0138418593a752b173986795c9

SHA1
3a9158d447848e22f262d5139ce16fb222b7f181

SHA256
11d4394c2e70823db5b3d5e85c2606ba86c6aca7eb42d47b857fc1f70afe2875

SHA512
e8f0db39015920156e9b09734eb769ede0b7f18077f82f36c673bbee69ad6049b39a5004bb554c3006aa63414eff81ed5ecee8f35819c0fcff1c91c7c4726c34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
e4f9a28e41a4b38d6a4a86db16e1acd8

SHA1
0efadd59764ed9c04a86d54e7b6a572aa2c75691

SHA256
2da08806320829648631b9589cb8e867740bec49f7ef567cc0a910a11324e1fe

SHA512
2bfb77dbfeed365dbdd9555ee36a3ad9b0645c6da4e6dd85b7279e6530c07f339467d138841f011933561338a692b1d518b86b84c27695c6f5fd4e27676112ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
676aa779e03f194db3f81e255b102a09

SHA1
911ced1ba799405a70dfdd09bb0a02d44b76776b

SHA256
01d31a289acc794422a8ebbb9b295c0d5476677683751abe90e58a747826103a

SHA512
75e67193df8efb3a333f069c79501c8229ee70ad5f7d56359f5e0bdddb890e6ffe326278f8e5d6d2e73b73df86a178e97072a7e14b1ed4de31954e8fc9943049

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
6249759ff1d6b1caf53c3bb09e1ac990

SHA1
13a71839b41c227673fdbf591a30e07f08c093e4

SHA256
fe737fb1fa48197277b4764b1177a1383ebb10a3e642aab04f062de6d4377315

SHA512
bcbb7e3105a91e56c7dcd5f376074f85ec9460651a9c6c29274b4bcc40b9ca21684257180786133d08075e4a61b546f833bbed6ff054740b08506b2534e9dee1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
a5103aecb60863e3192e00f5c6c87077

SHA1
6b3ab29691e337b8b2f3b753e7c6044f6c3aa1ea

SHA256
8cfb0e088b5b9646c596b07fa7ec030e11488b5352e3d269699b44c8ec31d31b

SHA512
942dba9a511193a9781f6b9d5b535b0a023058f1f9986c088bda3d61700405b5827ffd2eb3bfd18d929a9256465caf7adad8b1917b15f4968193d1af60db04fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
a44c1205339b60eb23e979bed8334ce7

SHA1
0cf9923b3780aef3cffce2535c8abf5d86c3f0c5

SHA256
98be99b790655acc90714f28cb48c43f68ab40b9e5b9898f2c3da5f27ee51725

SHA512
3c836e85d751cbc5760f74ec3c19abb7af148f86a9e2507d18f846702c10714b46eeab75e4247abbcc234b58bd75f88604a49bdbaf30050ffbd769fdfb2dcecf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
dd343e2a53b81946339d20373ccd8d5b

SHA1
2a8f810823aa9ed2f32fd943ae8a53aca84bf055

SHA256
9ae2950dde6d24c3cd58c84c32adcec6e6e62ae4fd1ede0eecca04b98d101ab2

SHA512
da0705c11e73951f003b39c0a1339b29b37f55338c067518ac3f66beb8eac821289829bf61e62d00b7aac0e521c805ff27a66be1df5577aa3a728887b4d99091

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
a9a38919cf5621b8bf81f8a668e39fbc

SHA1
dcae9558c1ed50981f568dc2620aa487173ff625

SHA256
11663bc71a9f769b76da22bba71ac7913ce1abbe9fc37ee6dc510cebe4819c4b

SHA512
827d2f963aa621ed552b8b92654cee32d61675e68ab7242381b7e69e791658138efa8efd29989a4c90a031ba16cf88f316af474e724907b28939a9e43c97376a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
d7c4ffe277f4ce1b78a6d68b8489efef

SHA1
cc7e61cd6c8bffdfe3b5bd69a85fecef2e9abe50

SHA256
1bf133de97abb7622c5dd96e3e8f42753260388897716f8022b771de4d4dd417

SHA512
cd37fa6a6a63498e9a1bdb3a969daca301d434767449140dc77ab5aa8cbb359761b551c2b466a9b5b461c829c59f406878dc1cb9efca8012c6f9c29db545cde1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
6b4f71c507444285516c760386ed5a98

SHA1
7d63fad8171989335dce4346424b7c5dd48ab102

SHA256
fdab63f510973221277aa82ae13bf4b088187d3b9d11327ddd9811d96597ed32

SHA512
150f5b74fe713594f2be28bce697aa5c1ba4d91400ccc28ff71cb97758c090468bc14c33c80a8ceb7855c1c313ab924cf52de619005bc70c9126a88b6625180e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
b3e115fbd0c2da9d6d352853fb3e142b

SHA1
55bae993f2bd94a2cdd92a4a4a7ea44007b82e98

SHA256
5523c04ac93b8e0eea97261952539399deaf0dd8dc3d28fff6df9fee9667b7e4

SHA512
00e613464dfeba7cae338fa8ef291c881681fe9ae9b0d291e154f9e6d4ab0519ba0d873b08c561e8b55fbb0135db21d3b53b8cc723eb54812d5f1ed025211653

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
2d153ae002b4a2cb3ca1f62f57be86ab

SHA1
ffbb09244091436098605392e05f104fd48e64dc

SHA256
32c47d5478c40edee6164363a48d604dce0d587de6fcc63aa9482a7843b9d9bf

SHA512
78e32442ef2fe29abd155c7da4b0b6143a15926a06fc41d8a4eed2f92468f3bba40ddce73af61544606fefbae0f10febcc0b26a560545ab63c1db39d9a87333b

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
a90189df397412980e8f655b6b80317d

SHA1
0b61c9c8cd02d0a33656d0d4692dc071d699f883

SHA256
62cef392e30c97adae0af16cad4aa4ce628c36448607dad6e5e47801b77d7c2b

SHA512
99e8893cd36db6b7ee9ff0b406485aaf94462e8718a04b59b68cf9d53b72b633bead6e54bb098b5e1c29dbb94b60657fb7ee9e4566ecf22d65cd3c18b405be3c

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
5b4c4d8271be30c87465798e6214fd83

SHA1
4711fa2541ac6868f6b537de977a45c0f1993604

SHA256
bee8aea5d05fe4f064660cee5e227845167cf81ff4bdf00b1305f2ff41bcb558

SHA512
f9459e043b1518442e205b39447a66ab8cc89393e67c56ba31fba95375ec27b49e34db7f606ab8ad578501b4fc4c6e9514fde5ff68cb859984e01e7a5e2e73af

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f30c7940bb12ecc775804fe2e4914a5e

SHA1
0b26ba7b20a386e53eb34a65d75607065e8b71c7

SHA256
74de5abb6868fce733b79f9a9807d71fd6e4f8060da5629e48368b46e9d1f901

SHA512
53f54b03f0459168426b5b40478a6f63e674188f58271da4711e877bf81c21ead9e8cb6ebc59444fb6d54b8d8336bdeb5ec405d10741a50b73e54c8015856ce3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
d58d95f191e3936fb2055853272e9aeb

SHA1
fb2fa2adcb66a238e58299019123e56249b20e8a

SHA256
0f7c7b08d4c11218dda2ffa1763e12d31cfd8257619c1020fe58e0e59d8ea087

SHA512
3b2151443425967e29dc9bae2a24837c1a6fab6f661c46ede562facd1864c4c769ce8a04f90863e8bc57c8bc7204303e97e3222cc9d3a6441ce675e1e3d6cd64

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1f3ef563b760fbf59cb404b406a80b4e

SHA1
3c27fe81938424a0b8dc7eb2fb5d8ecdaeda6684

SHA256
6118060dc6e1b0ff311e7aa6129acea5d95ff6f5ad8c19675da364c726628c8a

SHA512
f791d742741b783d67d35d21f5ee9241c22931ec3de6babe606ff7d3cbe871e8ffa6d072442a2d908a858ea6a811f055a831cb2e393d9e1d19b85ece10577e58

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
b088b008862f437c18c7e94415ef0eac

SHA1
809282aa500f3d270a38035ba40dcffd09f77081

SHA256
5a1730fc192ae1ef5319a1556afdb480a111cc02dcb919798d0f75b0440f0a81

SHA512
49e1d72d45318da4596c4ee86daf4821e07851ec32fc778d8b5c2957ab27329d1c90ebf82354e4ecbe7884149afaadbb9ef17ae174ee1dd40bea4ad4caf1a95a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
163dc4239617f0a3c941ce7802c977c7

SHA1
6f1e8138061fd12cb5f94302baf583f23fa148f9

SHA256
b289be06ab8e371ae99e035b422a1424e1da026687e8a46fd91db34c08259ee7

SHA512
6fd28166703028f23e7eaf7fc6dbb6c63437b41dc06f5335f267dffbf8c33ecc383e4056fed28ac89701ea95a6e6c87ba98dd3b68f846c700b3f1999dfcd71f7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
1d226d40280a5e98378ca8c6fced4a15

SHA1
5ba674cd28457cf8b7d80fdbd7e449dc464d618b

SHA256
b9d469633044c5a9017010ccf7502d504466d99582876301bd570f8b9cb95ccc

SHA512
97396ff8e2f7f971a009c55365e1d38bf6beb138e81af4e01699fee8fbae637467ff9f0bb29ebf11f43155ec1d5fcfb7efc38bca132876b6e41401f87797d892

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d9280806cc99c826fc92db850cc3752f

SHA1
fc0857122de7f11cb588420629fc593b8e2667b6

SHA256
52da880d3333b86e53e1e64bf8bd9f397effbba5d9818e04b2330bfe02da58c3

SHA512
30f6acb240d6bc08791bb871dc94fbbe9152fe2ca3781d2d717608c25a08f0ddfd202a129b93d45d09730348a475bd3ffdfca2ab485dd4f243627bc5f9f7a0c9

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d0a6f10d6ccd9cce10136a51567edf76

SHA1
a52d894677c4ded11d328888f98a637b476856f9

SHA256
5792b023515ce4c7dcba14c8f6fd8ddb4858fb4a87213f3516cea3abe2ef85cf

SHA512
857e95e7a5d04890a3640e20d9046bea2493d87d65937ba6e714f6d072de0db8aa63096aad592111f44c6a2ca18d6487fa7463bb6c12502c21a7d3e778920ac5

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
df834beb6d1a1e75a3d137739811b5f8

SHA1
8bb0c86c8669e5d7e202cddbf607db20f294666d

SHA256
92d2befde09532677e62025686c90eb259edc094382aca0f1b46b6becdcd708a

SHA512
d66a9533dac9c56933f656e2028774ae4dbe3cd3e4f1274d8926d720a4c91f4f7985b162193c5a34ce8c7cea9f81066a1d0521eeaa9866f6f06801d76c553d1d

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
ff8e4933b52b943e968522e94e389c2b

SHA1
2ffd710113f497bf32b8ef9474e2e3df77abedcf

SHA256
a972c31e159f718d7af05c02ba5b4548a763cff35687fb36f45d693f4206edf6

SHA512
f93a9906c7ec68a4b3e0ec3bd533eb4e36234a07cc0bf40136ffcfbe5adcc8eb98af107f6a511458804e8b6febf66da105a36468cd6ea09e9c4d954660ab7b28

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
63a20c1f3aa5c8116a602d8657cd6a9c

SHA1
a262ccedf71910088d2514d14cdfa77458a489da

SHA256
3ae2e18ae2eb436095db96f42762b6ad4045e5a67d71629692ecf07e5a7686f7

SHA512
49f800b3677250b214f2487571d9c256c260eb126fa290e2bee8fc23044bb481269b8315942e46566e3b9f2062bd0d1764245f2dad0b055739a2e1ff479b9e5c

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
65cdc21888364ebd35490840c161a206

SHA1
dac20595cf34e15b82055ee320f8e887f86b9283

SHA256
b8d44766fea45d82fef6126f1fd45dfd62a09940ecedd1f38efa4470addfc61c

SHA512
42cb2834886aebd2ffab8b187924624557f077dde132fa65c2532d9a033cc204d8fc5ddf00c0c683ecdd940c079d37cc7abdbb2aa29afa9e7bc92a4b63ee54c9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
3fcae2c320a963815554206e61ff487c

SHA1
abcf51998ba96e6b6e337a2435eca45bbd0feabe

SHA256
a7cf97aee5e0c82b0e51d03bc627c12df1f6c384b2b5f8c3f6c48ecf8e42973e

SHA512
20664f4b268a32136e633b9310bf573b0d862d5bbb52dc221a1ee1916604d2152705ffabd1a1e7a0636a89f655ac57ba9daf28c579efafd9a07028010d6fb738

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
7b3e75be6b487d06012cd3cb6ae37d71

SHA1
f0436cf7ca5f35fcd562cbf1d62f072e940be146

SHA256
f11e9c5ece613884fabae23ebb503562e1ab4ed9becfb733b3022d28b11dbe9d

SHA512
d4a4bf72045e626f582016b29d3696be4478d991d8739a9ff5ec1fcdd81591da7c66809c5f82c47f749aef9ab273474ba9f0ff51038cb9953205dbfd8f601417

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
3de824461a946c9fac8bf9cc6a4cf384

SHA1
b30df5c53782eaf7465aa88ab5465384bf5c858b

SHA256
d66b5747b28fa7615834b9bc41c92f972e2b5bd23b7ea56483a0967feb04ea1c

SHA512
288443837d7a8164ed31dd7c299146eeab58a662cf41c011bd82fdf61a0811729c0986d777000b49726c00837ec455d26bb43496d96101c18d50f69dfd59ea38

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
72dc784e23303947bc5c0e4559bc8b4a

SHA1
dd7b30a7d68bd8f1ee51fd3397216b8fad9c483e

SHA256
3555907812631c99beff1444b38b081b37c703c060b38d308ba93bcde2b4c552

SHA512
0ef84c94043568b95f413a866b94e6a23b892f993df5692368314f755c6ebd5ea2537bc6c959f081cb70108d360cfa4ba09b18c56580569e44b8f72ed64cf26e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
126acc529e97836af20adce9d238d601

SHA1
6c512ba3b057fec324b1acae0b7f44b36856fa8c

SHA256
838694ce201af945144fa53b1da927e6c15f1e93d52f5e410d24a409608a5d94

SHA512
1c149d924e30d651f0ff19cba71e5a6a5ec84595afb3206abdeb679548ae829573d992d3ed6972ed1d1952d1bfa3de32a54010ca82f4023353ef7b5779afaf2f

Download Submit
memory/1184-387-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1184-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1316-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1316-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1356-411-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1356-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1528-6-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/1528-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1528-1-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/1528-8-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/1528-24-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1564-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1564-615-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1632-541-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1632-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1632-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1792-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1792-399-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2128-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2128-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2128-232-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2128-14-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2260-249-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2260-243-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2260-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2260-361-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2400-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2400-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2520-254-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2520-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2520-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2880-609-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2880-350-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3436-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3436-613-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3536-614-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3536-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3732-327-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3732-522-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4044-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4044-72-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4044-66-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4044-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4104-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4104-28-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4104-34-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4104-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4124-423-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4124-304-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4572-616-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4572-424-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4648-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4648-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4648-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4648-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4652-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4652-62-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4652-51-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4652-56-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4652-57-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4968-610-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4968-362-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5080-542-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5080-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download