f2efe14cfaae0ca084d9226b80e9db293a02fd44c3e89580aaeeda069b8e39e2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
Size

1.9MB
MD5

dd764c529d2c276b6b0dfc6703c93fe1
SHA1

811fd5ff62b8f99b59f7884a8d0087e77b96d369
SHA256

f2efe14cfaae0ca084d9226b80e9db293a02fd44c3e89580aaeeda069b8e39e2
SHA512

cf54c861a59f0256d6f96a3ac1215888330386e52d7cdca6fb9501e01e8616d119562c9b865b21eb6a8796c8c23a4e3ddba44206d5727f3c52e2ffebc482c414
SSDEEP

24576:x2lmz4RPgXe4i7ojhsP5Lgrk1TWb4AN5:x2Mz4RGe30jaNf1TWbdz

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
4728	alg.exe
212	elevation_service.exe
2036	elevation_service.exe
4584	maintenanceservice.exe
3240	OSE.EXE
1496	DiagnosticsHub.StandardCollector.Service.exe
4872	fxssvc.exe
4548	msdtc.exe
2712	PerceptionSimulationService.exe
1952	perfhost.exe
2032	locator.exe
1032	SensorDataService.exe
4840	snmptrap.exe
4696	spectrum.exe
2152	ssh-agent.exe
2804	TieringEngineService.exe
4352	AgentService.exe
1052	vds.exe
1044	vssvc.exe
4280	wbengine.exe
1364	WmiApSrv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6b1e28f84ba38143.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{939A4C0B-9326-4B5C-9760-544EC9BBB40C}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085456b600fc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ec44d610fc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019c62e610fc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000493439600fc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f742a9600fc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae5b40600fc3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095a308610fc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ebd61600fc3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3088f600fc3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d571bb610fc3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
212	elevation_service.exe
212	elevation_service.exe
212	elevation_service.exe
212	elevation_service.exe
212	elevation_service.exe
212	elevation_service.exe
212	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2192	2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
Token: SeDebugPrivilege	4728	alg.exe
Token: SeDebugPrivilege	4728	alg.exe
Token: SeDebugPrivilege	4728	alg.exe
Token: SeTakeOwnershipPrivilege	212	elevation_service.exe
Token: SeAuditPrivilege	4872	fxssvc.exe
Token: SeRestorePrivilege	2804	TieringEngineService.exe
Token: SeManageVolumePrivilege	2804	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4352	AgentService.exe
Token: SeBackupPrivilege	1044	vssvc.exe
Token: SeRestorePrivilege	1044	vssvc.exe
Token: SeAuditPrivilege	1044	vssvc.exe
Token: SeBackupPrivilege	4280	wbengine.exe
Token: SeRestorePrivilege	4280	wbengine.exe
Token: SeSecurityPrivilege	4280	wbengine.exe
Token: 33	2352	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeDebugPrivilege	212	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2192	2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
2192	2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
2192	2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 892	2352	SearchIndexer.exe	123
PID 2352 wrote to memory of 892	2352	SearchIndexer.exe	123
PID 2352 wrote to memory of 4608	2352	SearchIndexer.exe	124
PID 2352 wrote to memory of 4608	2352	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_dd764c529d2c276b6b0dfc6703c93fe1_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4584

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4696

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3660

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:892
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0b808778ccd2e2022333ce2ad1d66d5f

SHA1
039111db1abc9c7f16e0f88311fe192002c80e39

SHA256
69cedf2b3746beaccb4ee5f688943b013e42bd6486f67df54be1c267bdbadcf3

SHA512
8677909a4ab170f261c888e7b04ed3f35637ed47a2402c6ec5e734b35f37d37027d485cfef6db850e9f3554015084841b03195827ed76d41ea187ffebf341eb5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
0f928b228f901fc9f9f6ec69e9bd1fef

SHA1
d01fdf73422b896e6a19f84d47075e3c89cb3cd0

SHA256
95dc83ca8efd6e97add87b65fc89de89cd2b68cf336e92cddfca3d95b278adfc

SHA512
b6b6401e669e7e67a91c43c7891b04ecc5b6f1a7397e5ebef7d15a88c6103f0ab701244b2a55128e91d4559136ef09532811866614e8912a6dcf1cb0207b4ef8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
390ea7b941217a429793943d91aa1e64

SHA1
58ef26cba26121b4e45255f6e9ef14e40365266f

SHA256
f8e33971a20488cee606003a7e2a1022fd8062311ce284641bf827a66a61c15c

SHA512
9f584093afb044c7c74af642b92a4027aefe2f4b13687ce786a79a781e8e647d6fee2e3565351cff4a54749b57272345ac194a267a0e80e5d14a513a58a2b7b8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
aae6d98755817d1fa821a2e1267e70a5

SHA1
1b7e836f59a39ba26124f519a9a40fbaa78c2644

SHA256
3e52b5a6d1234a45d83b88766edec37a3c00182cbe6b6c69e2046c7016e47cef

SHA512
f9877fd94665b720929b5b33cc437b23a0859054c35c0b319124854f0dd9eefa10cc5f0083a39c9d05651f83c66de3e6fe67bf8389442707ec398ec5101fcce3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2196756172357d8d7afd4285b57f5f4f

SHA1
c5d62eff676d93debee99512c2afe007c4c1bbb0

SHA256
1e4db7bcbfc4422e2f269308a48f099defb873f61a1b9cb57fcba43824517301

SHA512
f8540589d75c60e954377c5ede8d540dbe77b6308db184ec293656ee476584378794540c30faeb81ecc0fa5ead91ca4cb3996c6cb4d6d3a396b6ab8d968a1bab

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
76ed28563af3860ba18ade79d8fdddfd

SHA1
271fa1ef5a04948ebbcb55fe5bfdb7e0d99c90fd

SHA256
71f8aaed56b1e6243877ecf96b4b1183c6653641702a4790ad9f953e3b320d0b

SHA512
b833d49dd3555d0748724f09726189cc0aa9a8949aa36f98a46c79625dbd51a257dbc7caf45efcf3902aa64f60987f1d36a2b5686ed4a9578a6e05011d5fa5c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
161723908090390ec6dd1fd49d66aa48

SHA1
bf703759b27069bfc21dcf2d4006f56c18b5f27d

SHA256
a8eab1616f7fe6a60f5382bbcc0c119a017442673d782c113a22b8a0dad7da24

SHA512
3550e98a274a55568281efccb9239c5e45b7128eb8264fe86261f0bec2c99089ac35cf0deebafd0a7b51d42a82c0ad9e4aad04c3de0dcaccc10007e260dddc2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1f78086ec62eb6f5bd42a7dd015bd4d7

SHA1
c34f937d7baa9be84f0c6063eb8c5eacfc42637d

SHA256
2b2c828f528c678e7d1cb30cd09d36a9c3dca6cc61cd4cce9647ef611920cb10

SHA512
27265b70fce0831f972d51d129f90c2ecbb21253b81594236f1253a16138faac64ea5e074fee37ea18ffad751900b8fcc0aac18661d14319743c40f49de53c54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
5a1aea5cd3af4968ef8d25554b55e7b3

SHA1
dec8b0d86252bd55b0629a03677b9912aa7460a2

SHA256
32cb061e6c036ef88effe03fa4a8070931d74d1da403a84cfe726a769a4a25c6

SHA512
25e8de53e602474bb9e3d354c48d906e96a2677d263eb3e50061c18cfe72214dacc561685280cea3822fbdd84d37b91cbf8ad311f7edbf947bcf5f9262f73f9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
539c061c5abc13c1fdebf0926bbf47a1

SHA1
4c6ff5417d24273ecaac8c1c0aac8248a9bbf6d8

SHA256
34cb2a9a3929836425b3187fcdc0e4504af8422fbd87c9d0b3bc1b187f01bea5

SHA512
f736a37c09a25ae752303b6615ebc9d686a0fd62071d1134dd67ee53139f3d15d74f127cef30dfbf7aa270d92f417797073cf763d6d25a1370f2f66ff1eefb66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
427a8850782a61d5e2401275d307bbb3

SHA1
6ea565911dcb3e4128f76ea44eef5020c8972d4d

SHA256
5b8aa87f0ed9cc2d4e869a525626214b7bb406c0efe0b62ed4c70679c8c6f7af

SHA512
2613258a9e15b172f199d5c97f09fb32c5a81ff066178315e8a5f0910ee71aed7cfcaa436d5f43fc77576766ffd276fcdde41c5c87605a232171156ab3a6d7c1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
68186080bf9c074597c7f66186d89a43

SHA1
db84392abe2589d0ca21afd9d29263eb7eb4eb4c

SHA256
f5d30b21ea35ddc9e434093d1fe1d0ac4f7c56ce64388ddf078fcf4a4de057de

SHA512
18ee3e1d24cce3d4551a305f976ddab8573dfa6c4c97f009c79894c61e3185c020f2be18aea83ad6972bd2c00f7a53433fc035f3d80a6c48ae04ae2626e32b78

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
dcaf1c0b14c6dcc1e728a19adb3c6fcc

SHA1
4e1ef88aebe6dc8496ec6b06e2b73e03082c7737

SHA256
c281cba9205bb13c9fd121e452b886d682a33f4edeec02ec7394776ed24a0191

SHA512
eb8e89ddfbd46bb2d33a74e266eb0b4e88613fee0e1988c724318630eab72959af94d92248ef75bba8b031239d288c5e1d84ff822f67ff472b6595d5fcacc649

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
c098b1ee08717b57a3f229114ae2d40e

SHA1
235ff0a30095b818aa83442c180b1a8731188dcb

SHA256
6ff9e18d1b4588b6628e594b1d71133b1915a49dab97b4f948d291d273e32c53

SHA512
58e40d22f66164822ad5b2f93d7fda927effc28584480dd6691912d5950a346f95a6e1f951e4639688dd772d6ed72f58834f86c14d55e586428d9af074fbf87b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
118a1deea8c30348a81211ef61a56d94

SHA1
8c7ed22e7c29719b8633d0d455a3b96817a2da6f

SHA256
d5027d8df394ecdaa4a809a2c28e45bea82cd3fffa5245d3c53b1f990b3d49d4

SHA512
e2a5edb35a116b2ebb52f09b7c7fb2adb869a9c503b6b891c773212374c85ad510553bae3cc09cebc463677fbcf019da414e75c03a5624b0af0017598c6e6e35

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4d43bdd326fb9411e7103ab3482ce401

SHA1
49d6c8cca40a715ee0664defcf9f8f7cef49298b

SHA256
a899564b70770514e1034a683b09d95dba4073f526d00ca0636596d30dc5c17d

SHA512
b948495a6784199ad1de38a664083a76f89f88a4449db7bc587c1e61165543fa857e17c489ed397463c48f9631aeb07caf377d2fe91e884bce0943339dbdd1a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
caae91d01163fb04776d8c5c57ae7064

SHA1
093ce118b73744b26ed2851ef8c9435a21e1024e

SHA256
95b8d3283abb20c46dd1d8c6e2b8b60746321937f5229569c36cc2d44692669b

SHA512
dbfc2d09472e1049151101c64508f0429dee40e6f11420a4188a2bbc4c3c86656d5f0c08c4963fb83f73e0d112eb4f02d68e3d23ab2c4b12daabda2ba58c233d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3fa07fdc4801af6cb5a155920f279453

SHA1
f64f1e0c7c4f4dfc76c277f9464d129159ccffe1

SHA256
22777f6b435db7cf7fd5ecc1fc3597fc653251dae6037d10bd0c5274c004d8dd

SHA512
a137580b2510c1d24729710d258812211df9bade0c3b5eb591a2d07312de2edba53092f8e1c339f57f4ec2a65f12ecbe75b47f02d38fdd5d6c28a4fcf11e8d93

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e82c0ecdd0739a7e01f28747b4393d1e

SHA1
3b1496663bc7b67d05c0c57b3808782b401eff83

SHA256
75c0846944ddebe912b16ea8a6abf2570cc6c9e1777668172193322f1a958d01

SHA512
7136185e13f2329e4c8261fa1b7af5a7d2c5f2c5f05373fcadb0c8f04e825f9becbefb155172086667e3a40fd814a5e9170d6386485e9c9c1ad82f6a02aa17d6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cf0b057cc22a3e3c7e082de731959185

SHA1
6973dada8d1f2399e32d0a3df1b28e4ad3fcfc25

SHA256
d33683657222b977a489d6404f5243bdd75a983a6259ecfaea4bd3adae98eec8

SHA512
6823a39894f4a33a9f02cac8ac3f0aef68f2d3704115329d57af6999252152bf852761be6ce26a90b1082e7fb9a57086bda45427ae9d2cdb5e882fff1969722a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
9d1aad343bdeaa1cbc037bcb3020901a

SHA1
0d8f333533193c3262ff7a7c31bc2a022a53008e

SHA256
ea700bbe697fdc51c7de884584d8dfc4874bf7f088ea3bec90c065668aee7d66

SHA512
5a841d11da164649d45933279b6393ca1d04d86c39d565dd94d4dadbbfb89c881604d54e48c0a89d986200f626ee31b65f8cdee3ea0584de02fc5927577548b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b8fca4e609eea28200634a0c72eae386

SHA1
4964ac7a77bc1f8083421cc3e899e2ff40bbddc8

SHA256
0407ef7da0b437a4fb38481087ba6dfd16dac8d91ae34fdfdecc1eeddf83d8c9

SHA512
a30eb8df5acd2bf5e5fcae8bf83d3f2c75bb38104d3d1ffbc34f3fe5450e11a6c1b6a63566e40e47d3509a9133502fef92359063682cbb1c1c8e613a67db5e46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
56df49116107e7c5b71ffed219d5d4ed

SHA1
ccb98ff61d54ed89a3e02bc06aef6f53674253dc

SHA256
744cc9b932bd73b8baa6b7c7c1061a7512296be46f5ef88f91a4e4dbc2a51e45

SHA512
549b338c68e5d6ebbd20d56f650415a11c7ff4cf25b8141f4866da6231d1a54392d793952a0a21a6a0396c82093f2242fc6b2c39fff628a3cbde360e45093f71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
1b48ea076598024cfc5fd3756ec8463f

SHA1
e9f6d5cfdac58ed5c27f5b251f85038532959882

SHA256
547fd2043393b55094cb4f123a2441f3464ea27334acf39604905a4d7a1ffabd

SHA512
3dcd89a646914831b1f7cafc339d8d4b49b0127e1f7bbf89ffd80afd363d202acf351238f205c3e82c4636af4e60cefa67188f91b723e87834709110946ac0d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
144de9167ffce39d748cc52d264bf1dd

SHA1
96b66e65c5b33944015e1a45ded47d9bc01da05d

SHA256
ee4b5b8c78fcacae4c1bb342ec27ed91901fbe3253fe795d52d636d2290002ad

SHA512
a0c153eed44be4ffe7d00fc527ac8814686a702ee90479b3c410680387d3d065db6f809cbc0cb5a5ecd7feaa97cfaaa1187114665068b043dddf9152bb6c0c62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
50450b1ac105717c5d9c9337ffceaaa3

SHA1
9e3d90393a191f1aade8dec8dfe3fee803b238a4

SHA256
4ded4680860826c23b94c073c32552b219b9acd7d129ed9237f5bae017372813

SHA512
9b28b28b73361605f859c213c14ebcd6fd6c035991b3f5a7b0ec98da19ffcb8de1e4b1821a51137eae309c5abcb57339117526fb6c797deab7928fd3220c0e68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
262345468f986a5873fa6a02dea52131

SHA1
1835bf614b3df01e4ce457d3153fdaaf941060b7

SHA256
1025441eb1695812dfbe4c4dd2864974b9acacef846d31629e97f5e9d0c0ca30

SHA512
5e212b694029c4525e1f1cc33cfc8b61ca7c6a3911a0dc70114177f8a4c2221ef0d31913f17b96d2986824aabaa34d94be37868c9e320680202a54e5d5fbb750

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
fc06685bd30f46365168d8d4ef24a61d

SHA1
3018f5b6408103c799b90f69ca0e497cf63c25aa

SHA256
68c552c6ccf14f02aed6d520602eb0dd49bb71f1ceeb584f29e22ff0b0acc79e

SHA512
0e6516ffc5f5c8455e41887ca84289e882a4970eb59db0c405eca5518d3754053cb16ee1a1bf8376e7ac928a90664c088232872d4725f2902122d00b7a388e19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
605ee9d48709f7783e20667c79b7a272

SHA1
1edd3c4bcd3694b365ae28ab1d81137a22ab9249

SHA256
6b4d500cb81e5ad434dde159d4a8a33bf148e45ca5147402013df103a11b5cb7

SHA512
91a9a64a3800871b428a201fb6a6bf949bd83002c944ea4c5aedce257b1e37c19f4f0f1249a51d916d14326e6b14ea58ffd875ca11d77eded36ce8cdafcc0b4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
de74f7bdce08895f6eccece7c0b1bfe5

SHA1
4ba54d7a59176cb8d92048d44dbc5219fa56df7f

SHA256
d1cfc7621b38525ffccf25f1fac276d435a97a88d2f3e1dec9eb5eb8449a35af

SHA512
4f8e344a511683cbec14045c6e5563607245753c1491f8c63842a8af74e147ab7717daed47f73cddae07fddf1e252cd1c7c1c6315c48f36baa7032d289e77fb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
c79952af07111a1880f9d61e50dcc199

SHA1
bd379f142b9d6470047c3bd094aa5c78dd4c9b1b

SHA256
e19c65fdd882f7a12c8f7d324cf66c8c9aca888ab0afd2be6044b78fdb348ad1

SHA512
24399966cd091a8f81f25bc727cdcd4194bfe771937d629637d85ac1e5c6d9117c4325f73d0e24137b5e89df7cd9163c361703bf6d733b6fde39bb0d48f81217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f5a0acc42f228a896462539ee4c9dd0a

SHA1
1bf57affa58f764f5c37dbf1d0a0ad8b66e247f6

SHA256
1ecbfad0a4f65aa7a2537cab39faf6fbef89011327d01e944ba9e44e41671df1

SHA512
0e0b26dc8387b6bb4cf6732dd2eae8c34e09d02a3f645c7244ad9ba03a8e457ae6134d26127297d642721c6803e541a46b7f0f25990f347577f737bf91b730bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
1fb9f2f2c404653b0993cedb37fbdb85

SHA1
a85e7260094e37eea9ab9973bdaf55f005565dca

SHA256
c3aeb0032007db499bc8d334adcf8960b7149dae6e47a12ed487716a43c6983f

SHA512
e05575f90e2a6013c6a10aa28fe2edcf098606a87623b3d35346ff2ad183f8866a9257157393834af5f2b08b19ab638644226138ccce2afa3e0ef150ea65e13a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
64772dcb47cedadb3f5f96081d7d8485

SHA1
17fb2ac3d9768d8deb0722416096082580870c48

SHA256
4e8eceef00fcae0b3f5a40f3a5eea9e42fadb204f0e9b145b939c961e2a194bb

SHA512
a66efba378b1b0bfbca9d74c0e986fdc2c06210473f93aa2c5b46a2d18745a49f6cac0bf67d579c3a2ff077357a622bfa031fc519f13b959ee0a18a69d760701

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
96ad7f787d383cc558344ffc0de76d98

SHA1
0ad390febc2a7c2d889063a17795dfebb0f035cd

SHA256
90b03bfb98e5d5fa91ac3a8371a32638e2260252d9b711a598ce146f0112f074

SHA512
166bf26f313872e075cd3dfef76a93d0d974bffafb920e551085cc2c37ab2da4868a9054a3e6832d4de181206a90d4e301907d72dc04a4891f331f6ad772336e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
7695c5933bd17720811c1e35dd00786d

SHA1
65d26da2259907f231667d0359f21734479d78f3

SHA256
3b375ca0866fb432e8274059de1730bbe8d5530381c80c1b2b65838ea04ff243

SHA512
f24a2ed42901ba7548ebf217a4d4741cdb45441c4fc86315ce4053779bec85b307afcb45dbbf754d37961a718e67620300346029abe912e25be96968db899b54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
644ebcb3b99c7156a3cde2c8b90afc82

SHA1
004af80c6f72df8bfb4842f26a2d2341afc6e17a

SHA256
10a8173f1e64c6b5d476db263704c899e3ef01ce97a7e97d375ea84ebbf8ae7c

SHA512
f2a123d7520e71249eee3cd8d4962ee63a73d8f7493712dcbe9d60576a10d39247f409d56da0308cf09e2a25ecf9cb993ac09466fc498eedd46758182e120dd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
d341d24b11ad118fad045bb351208efa

SHA1
2073e7a56ef1cacf7ceaaea61cbc63529445e4be

SHA256
507a70006cc1a2ebfd11fb146b961e14126fcb8e98bf437941a148a4633a898d

SHA512
71be8e85ee323163ccb32bb078446230a89e2b435b612ebdd4f213382e5a443d179d14dcea196613f90deba110e3d78cb9eec64de13a0d4f8c45a5fb5b174ffc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
64fa4e57b73bf3dc8653ff88fc59c210

SHA1
30efcfe1a9eb6a2e2ad5e9066284aaff6c09f4e8

SHA256
667b6c0d3cfbb9ce49b33d1319d9786d707f23d69dc357cea7e7ae631c335192

SHA512
638ae47897165e745273c99376041f60f310c0a59df45b3cce8c152743c983bc76053e4ce228b476b4df740def60f7b6621f59e462fdd768e051123afe4ec18c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
a8d6c31b9923f4a99c191e6358072433

SHA1
d8d8d9517377b91487a49426057ed9f85fd6eaf6

SHA256
af3debcd02e9dd832f40194446beaaa4a811d655af313c1056a5e9af7016cc72

SHA512
689c66264a16a2401900469b7df032e6bb559a7086637a37e2b4dd0e4ab55672fa29a635ccf3d22af30203999296d5effcea81b499bd7ca4524685250bd3994e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
5dbeac46753b4160b80ebfebea349d99

SHA1
b69f0c93957aee947bd42d26fdbbe86765288ff7

SHA256
70bb4a4b7f659dcd2542cde594f8e064a31565a86caa5eb99f8cb15c44d7d5ff

SHA512
20113059cab0e1ebc5d851f9742ff87781dace7b4e0087a04f38ecbc75134b1763b7499681a071c38f0f6597bed0b973a830296b9bc9a4a6ce2a74c558e832f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
a6ca2bc87c769b6d8c539f8cf4ca351c

SHA1
83ed5d548fbd6781b72b55ad175978fbb48bc835

SHA256
ac0046c42e2327025457f7cf8e7aa5fafa62dd35b5e6f033b3ae8dd6e7decbc9

SHA512
2ac9c93fbb0ed44955dde2cd05324e91a1d709182bfd640000b8f2ae6cb63c50caed6080eb8e0482e6e07187d5d2e2bb25f1a44a96903568b98c8f26dafacddb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
f675580b1792a687a6b729e7ba8612e1

SHA1
514746339bffa9bb0bb7088c967821c7a453cdf8

SHA256
0419ffa9ba99ba049917cbbf40f36197192afd476dd74a36745b68fd6779eb4e

SHA512
4e1b9c34105958f11265ec9b4bdfebf4a87c5bb56e5d978e162a40ebdd14b7ab4fe327fe606f9fdbf51f6a86be7eb69d60f3db41cb728e1c27a8ebc7ae84fd26

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ff7f27d8861e94747aedfdb95e9f8ea7

SHA1
025f73e0c455f5d5e8b4fea88981885e8cefba7e

SHA256
a8676d002832927b94ce4a7fc22dc0d4ff699bb105d6c52ce6779add8ea86579

SHA512
cd2c3c51f5e9fe7adf23cc5a439e8a13baf60f8a6ce0b1c8d239b7540d0fa69a2971b3d7c5074eff3c029e6a68cf37e5f89b3330cefe058b897fa1979993de00

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
652192ae58b95cad89174098c2e2f980

SHA1
a1b3e1ef85b7adddb865a4b6fc5a155b7413d97e

SHA256
426e93385a072c6f593fb6e79ad7672a7edaed282312b11aab99f57f2667166a

SHA512
6961a680a335f1353c9215c76eacdbdd4b0757792962acfac071deb406ec7b413b5b2202e87de06fba948d2456e072cbccf3af1bb2da06b914e1fe1571517cd7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
502ad31169c97fcc3a4709b67da361b5

SHA1
03d39a324369a3eccd44f5e0f34e93fc217defd2

SHA256
01bdb3dd4ca993fd27fca20bd458f64df7ab00e73e9909fe1ba7bf38ed648aed

SHA512
b85f38f4a4875162ea2573f716d7201bd562fb07eed2f26735db7f9f6203b26a976ed3c7778ce945a67710e56412fe07afd70dba2e17b0026427e301d3d4246e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3d6b11cf0ab014e602a589cc86304ec9

SHA1
90336777e762a5b173f2dd91a9eaf117cb3a5851

SHA256
6805d533017dba1777b80b0c50bc594367f2ccd0ebc9a8515b7168678540a41d

SHA512
8885f5c9d61e23d4db5f1f2167064679dd3542ddf9819a00780e37c578d3956d8e4dc654da93aa3085eb5610c30e0a70601a5afd8c447dd1fce927e9aa8c8dc1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7ce09117d2e8928736743d9b8c5fbf4b

SHA1
01d4e774153a1c007dbeb6afb9120cbe4677ebe3

SHA256
73e234a78c1cc18ad27f75d5aa47221312692dd3045bc61dc925f2e8c5f90e39

SHA512
99f160508b52b4728a93e65fc5aeb1483b1de1eafdb93e54195255908246f3f099d05b97e2abd9036eae4c249b6490177d26ce2323e7e4767aaa2757c95de5d5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
eab38961a71e7b6d49f9a4207c478bb3

SHA1
3da12eebb24e1e95bca39da031f4cd5d94ed49e3

SHA256
26d2a9f187e7c30133de2a884359865304b3cc780379f888822eb7f2069f92dc

SHA512
011570a372523952e3ba145d83a8191d8b1dc6ad32b172b3df516f425d9074d0869b9d47bd9a82a4e6f9e4ba3af636791c259a9b636a41815bc79dcf2623325e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
9fedcbec812bd313758112d4c7d508ce

SHA1
9bf66ac18db06ef6e0d326fdf554782c9a32bad0

SHA256
77a3d50bc303b0a1f3be2acad84e69928f0566cb19b1dd5ec4371ea75d41daa1

SHA512
de34955d93ea8bf207b66134730806700ce300c849dc54e365de912cbcfde8fce7aa6f1eb7d12715cd9f8ab8853707bc32bf79c1cf9ccbaedcf8a1977a4bda75

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
28f2afadc83c1bb3d102863435ac55b1

SHA1
99b841f91aad41f67660999a961bb49514f68fe0

SHA256
e13ef652a8cb8ef8b077f7a091073e1ace53ddf4b13dafe5a655f7636adef75e

SHA512
f02a84af0494b2ed32cd143296bbc8713a2240b43b0b683429196c86252976563d88f5cfb28a3c376eff73ca1985ed19c16dedb6ef07fbbb2ad2f9a74b0a0887

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
459a26f6d1bbc2084ebb2e3a7b58825f

SHA1
c7090adecb96c27688dcfdad64c67051b3c7002c

SHA256
65acd339ffb77dedea593c998d6d1f31e8e5a36d46be9f070c8448fda23f2de8

SHA512
218e797222d8a3d08ec3e3e580123cad48facc1293eae0dfc93d1f3634d8a9404c7b5ba2f877ae634d3fcbdc2798c92a10cf6b15172f9eafda94d41591d61d20

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c0e960069f8de8dc2aeaf479ca62d9ee

SHA1
6d3a549488410ce3ef68bb737138e233120cf92f

SHA256
842a7475adfd9d746a76407168b3b92bea89b64c04890a78f398aff4c9983b97

SHA512
194bf8646f612d9c3e67e855b7b00ff801c2be66d894c932d53e2425faaa30b6492ef7cfc26d62ddbf2d034e28752a72d0d3da2cf30b3cb1c71065010280a696

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
40404fcf4fd29f9dcb860f03846ba2fe

SHA1
befc42b9f6eece30b1f771ef741cbb2b16b26693

SHA256
dd7d5dc82a8400671c86665c80b52a95783ecfb61d8b033c60bdf7ec36dcd965

SHA512
850f7ee595c8e28d70780e2a59bcb3453e85ebb95e6e39d42016b832a0a9344bd3d115e01d3ad928578c1a96c43750043aa3f849ade7a7db8f21434a347775f3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
58840dc0aea0bb2d39e7ec6ad06ac612

SHA1
7247cf845ca87c8ec66c7322cd81238650a6dda4

SHA256
5c77ec44b2180e39dbc71381e36d43fe639b4bdf39f3212b9fffa4ef5fefbe42

SHA512
ef052ff9ee15186ee1929b580d2ff861e15fd139e34572967f04c820aad25c3b702f93642ba972f98588c56cc8f331cca27f54898d5176c2309002f4f4b8c86e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
d097920c05fe2fd386ab43445a583a0d

SHA1
baa6b72cae1821a851ef3d24244083b44373b571

SHA256
c357afc37dc7b6d22e4a3bc07ad000376bc1ea4de3037238eb9a22c3c89f9c13

SHA512
1311a3a4be8badf5bb198bb31feef56a05cb266d6da20251a5380139feeb2b36248cb30fed983b93db731f479eeb8aded6da2acd3f794f519ddca1de6bf75346

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
947f9421e1231a5e59abd325d8e152c3

SHA1
ae27f3c3e04562ef646dc9ba3bb46846a3f43f56

SHA256
9070592a3b0920bbb54a3f67b131280eaba4279a145aa536cfc4fd46cc7a7599

SHA512
01cae79d192b225dc33c9a7b72f425cec6ca02dde2aabafa7ca2b57a8c3cc12b9d46d63374d7b1965470955ee07116033f870d27d5121cd48184557322b07e29

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0359a33540a341b301fc549e45383e93

SHA1
323868d4074c85e4496b973b95c2df3503a81565

SHA256
6fa1616ea8e94c7627988802d640e73e8109a2872917a4e30bb3e16330a7a690

SHA512
ef1eae38123dc2452235f0d7d338f628589c5ef562028f50720ee0d5340ed354a89f37929d69511bd970ad9f7c7011f63d31b6ccc9f11f5e16c589dd543259a8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3de112b494394026f079a07090ad3736

SHA1
cfbeb1439dd129a8606fc6598a5e2cb9476ad5b4

SHA256
e3780721fab68ff7b05fc6f63d33c32b8502b6b428a0ffc15b15f9239ecff2ff

SHA512
90cb315b4990fdc697150a21de9626ebbf9119738f6fc9ab243324230832d6f9ceb02bb17a651146201920eb19ffbea0b980881ed714ec70940f8ba6c60d4b45

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
28fb02152395eb4fd7d160bbd85669f4

SHA1
eadea05c8f8e3e81c3e41691a4100032c110a37e

SHA256
93616cecde5a56cfa58b5308d4aa21bc073fa4a43481f0d99fb5dd2b7f0a0ed2

SHA512
a0248604962bc0b289ec817bcfc23963fbc6a28deb6772202d250268ee25d48ebc708fd6ec81625a6bd6ca31d1db3b7233cbe516b9c29a409ea248cc56e27cdc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
de52b4bb637dbf70a22fda8f7c06b646

SHA1
cfe249fafa87ab3d2b4bae7e0cabdc29a4a48a6c

SHA256
5bbac0f4370d543a3bb68e9992b6381fcfb64a994e67f1fb8347c902076a9ac8

SHA512
ece32727dbe6b8b566edc207c8deea50c2d71b36aaa3e49529bd4102907aaa22322ef2ff1d5b21655f48403e144ed450c8e2fa0a66f9ff6af6106c68bd722260

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ea06ba5ee4dd61b5d5765376b67982f1

SHA1
1575e197322fa51240ca311ad3f7872ddbbdea39

SHA256
07993cfe4ab599b4ad4ab2ccb13151eda8ad71564eaad397bc76dfead1ea33b5

SHA512
c23d5c25ca383c939ae34375b1c46e4a38aa109992b3b6798598d1e0dc55c147ac4330e2ae340c6b09bec9a1c97927c985b68004d44420340bd5e558ca46a210

Download Submit
memory/212-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/212-37-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/212-28-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/212-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1032-503-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1032-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1032-512-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1044-567-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1044-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1052-566-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1052-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1364-417-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1364-569-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1496-354-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1496-242-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1496-250-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1496-248-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1952-404-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1952-294-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2032-416-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2032-305-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2036-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2036-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2036-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2036-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2036-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2152-562-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2152-343-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2192-1-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/2192-6-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/2192-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2192-26-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2352-504-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2352-570-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-392-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2712-280-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2804-563-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2804-361-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3240-64-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3240-79-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3240-70-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4280-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4280-568-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4352-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4352-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4548-380-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4548-265-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4584-78-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4584-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4584-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4584-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4584-61-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4696-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4696-529-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4728-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4728-17-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4728-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4728-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4728-234-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4840-509-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4840-320-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4872-254-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/4872-276-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4872-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download