9c3afdf5e40ff2c499e9415ac5d4b3748ffe8389cba441e32cd54004d385fe7a

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_c1937e581dda5b00f7b885d836613452_bkransomware_karagany.exe
Size

1.5MB
MD5

c1937e581dda5b00f7b885d836613452
SHA1

8117b6e094dd0755ae311775ee5d0abec311e4cf
SHA256

9c3afdf5e40ff2c499e9415ac5d4b3748ffe8389cba441e32cd54004d385fe7a
SHA512

3c1988190182c426adc6c422dd9c9eb13cfa8aa6ccd2b14c1e315ed1b72c92d60f2522518c527ad6e5b477141ef004a28e7ac4aabba2ccea9ca47ece4e27fb04
SSDEEP

12288:wvXk10mqmFrfBCgiw4bivhqGoj85sVPL5qw+Dp:kk1vqMrfUgYbkhqfj8uqw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2208	alg.exe
5060	elevation_service.exe
2240	elevation_service.exe
3428	maintenanceservice.exe
1764	OSE.EXE
208	DiagnosticsHub.StandardCollector.Service.exe
2420	fxssvc.exe
2052	msdtc.exe
5104	PerceptionSimulationService.exe
4708	perfhost.exe
456	locator.exe
4548	SensorDataService.exe
2436	snmptrap.exe
4752	spectrum.exe
4496	ssh-agent.exe
1496	TieringEngineService.exe
4572	AgentService.exe
4616	vds.exe
2996	vssvc.exe
3220	wbengine.exe
4400	WmiApSrv.exe
980	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

elevation_service.exe2024-04-28_c1937e581dda5b00f7b885d836613452_bkransomware_karagany.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_c1937e581dda5b00f7b885d836613452_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3be4ae5d234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_c1937e581dda5b00f7b885d836613452_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006572de475599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000634d99475599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000634d99475599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4ec77475599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e3b86475599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ee612485599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004539a5475599da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
5060	elevation_service.exe
5060	elevation_service.exe
5060	elevation_service.exe
5060	elevation_service.exe
5060	elevation_service.exe
5060	elevation_service.exe
5060	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-28_c1937e581dda5b00f7b885d836613452_bkransomware_karagany.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1208	2024-04-28_c1937e581dda5b00f7b885d836613452_bkransomware_karagany.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeTakeOwnershipPrivilege	5060	elevation_service.exe
Token: SeAuditPrivilege	2420	fxssvc.exe
Token: SeRestorePrivilege	1496	TieringEngineService.exe
Token: SeManageVolumePrivilege	1496	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4572	AgentService.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe
Token: SeBackupPrivilege	3220	wbengine.exe
Token: SeRestorePrivilege	3220	wbengine.exe
Token: SeSecurityPrivilege	3220	wbengine.exe
Token: 33	980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	980	SearchIndexer.exe
Token: SeDebugPrivilege	5060	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 980 wrote to memory of 5032	980	SearchIndexer.exe	SearchProtocolHost.exe
PID 980 wrote to memory of 5032	980	SearchIndexer.exe	SearchProtocolHost.exe
PID 980 wrote to memory of 1868	980	SearchIndexer.exe	SearchFilterHost.exe
PID 980 wrote to memory of 1868	980	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_c1937e581dda5b00f7b885d836613452_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_c1937e581dda5b00f7b885d836613452_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3428

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2052

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5032

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
38a45f62d0282f123d3418ee4772b89b

SHA1
45e307bbf206ba50ca0a55e00af1b7c73fbe97a1

SHA256
9ec608dbf96c4801b8d64957945c76736a419d3d6841cd3f264eec604bd1bd24

SHA512
39a74c94fb02a2211da6c9c226b963429694b63fff03d5515addf191f3f7443719c63299ea0e309c54a6ea50394ebd705f8972b8f98e86ce765ba7810748e1ae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
9f8784d68aae1523e8487278becd7b8b

SHA1
9fcc06a27ea8cbe7a93e1a5b924c9059fb8837a7

SHA256
da8b5a08e7795598cd722e4c67eee34b625ca637ad94fbb67025c83d58abb355

SHA512
83738ea3ceb43ff351cacc46e837f30c5232aca2aa24c337a3b4501d6c8f8cb5c7c3b4266d24d93bda595b13854ea0a4027c7e7f5462a9f4ceedee136b54d087

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
bebd7032628340cae75be292838b57d7

SHA1
ca4d6ba9af3ee2c6217fbd72ee9a2ccbcba6d7b8

SHA256
95c58747417f7653d8f1f904bc8f3da64fcab6f05f4a04e71489c3f2bdc2130b

SHA512
f17ad105d37159ea0e005057c9a07b2a718c73a593703094f0374e9719c00e46761548bc875863045bf06fdb5a93d0eaf5e159438ba57eb48d7aa2023af68f83

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
2741df0a29f7664463ae8de4da4568c8

SHA1
0a3b8dcd8314fc641135016dffbca481526755b4

SHA256
7b05282a7a5c8259cccc50d1082dc29e69c98f55c26a22592a6d381261fede9e

SHA512
ebc10a486c61b6987cae63b2e145dc0c0cd73299d6e863df3cb3275682eda446fd4670ff1fd808a8cc8984b58d81729c5eef69119d18f005e206e098dfb14cb3

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a6222a7b9205a3624963b9b3ad8e8411

SHA1
6c23de3b79fa2c992097a4f2eb5f5dda04063c5c

SHA256
6d9624abadbdc64b1a9d4915d59422acab319de7e2ca5c5a1caa0ed42778532f

SHA512
9d96c5d58e0966c560f2344884963caf0c4ca09a62c98532af9c7b9d3e8f8fbdb069c0a7135dc61912a1e0e5d101fa6365fe9a7e0746c7d0b322d984d1c41c71

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
1ddd19d28ee6964cf1873377da6194ee

SHA1
998ccb50f914d8b1db63c2d9d019b75e87a41bff

SHA256
389c49977bd5f1d883aeafda1fee3d2bb5e3f4d5b3febd2009c7970b399cca6e

SHA512
83f9d82592adde8362db50e10e60786dc9b465d30b5410c2e39022fb15d6bbdc099db4c303a9a235cd0aac1224829134cb9f8fd53748f97291186ce1465e05ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
68ced79f535dfe3b38a38f5f7b796200

SHA1
e166ea50bf4175eb5cc6e7986476ab542dcfe256

SHA256
038ec89590e959a903c2ae27f37760ba5a70faffb6c98471dffcea2027adaab8

SHA512
0f136311edbacd42b4d9fd330f035f812f14385e6ab3568229f7fd8defb9936840eac3773296de474c576de2f5ccc5439151cb5c50be6b37def6159b3fabb6bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
4e26417d11733b52ca2e5ef80677481d

SHA1
2a2070cef994005c53a885d8e03f0578072eb38a

SHA256
2e8a43bf91d3be3532c691f97e898a468244fe7b44ae236ee2118eff7729ac8f

SHA512
9e6bc338a3d1dabb45d1f26d30bec08902ff2ea5780a95ef66043fbb2c5c9d5b687ff98e14f59022a39759900f1463198a6752209b102ff57c42cba671f8eb07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
9e2b91cd9d719b005506999f6c29d794

SHA1
6fa997a7905bb7ee9d0e428c494079cc97bfe93c

SHA256
de82b7e2e7f2888a868c03bc60cb57039ec4dff9531d0a638730f5e2f6186391

SHA512
c258c5adb008208a09409dcc1601e806d78e08135dded09ea86233f96d95f04c471a60be084c48e3f08e5f17e48da250db6bb55048b4d50c76486d3bdf4de505

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
209289cee1e1b76e9c34eb760936b261

SHA1
8b56efaa2f621de2ef3768aae516ad5fdf636b9e

SHA256
0963c766999c34c8c3ffe74a99ac7edf8308da1ae51f7c140d594c9fc28650ab

SHA512
156fcb6fcc6b0ee18a57d86eafa5149be09c5d85008f70e445338db495556acc8e6dc451949f486002fb900d5411d170c5abfa66fc3802d4993a50f9ae8768bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a09880599961b2c3f4f9365cb87a6655

SHA1
c7a06e5626090c7cddad924572889c3a6bbb73da

SHA256
7623b91afb1d3ee3b41397f22eca604afa63b9b8a21ebb3cf93ceca45eb8e89a

SHA512
9f6e80c813e0239cce9ab96a6eb6f48d599c4443d3ee97b7230930abfd8a199f0113bacb6b3735d3d6ef31b563217ac33f847dd005f7236f6c1227d55659254a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
28d81794c443fbf5f8f0bd4f8d8235ac

SHA1
d673c74a85d7245a0f8ff5539e773de9ddddd7fc

SHA256
2a76c835c2b0ac52e99d41a06eef2ab908355db579daf966223ca89d244a9881

SHA512
e533d3c4ea5c6ee2f918bb226440701b91ad804f0a019dd76ea6cdbadc3ee6c290ff624df8f0642b7a7fddf1409097d41a88b3ace02909ef92ccd8fab9789cd2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
e198eba0799fc72a2e28bcd683a6e1b6

SHA1
e77abb19c28583eb8479f8e9a4827453edcbf50c

SHA256
dffa7bc52b6447f2c7340c98d3885d0de540f6347322abb6924552efad3f85e3

SHA512
34a6ee9a18a5b3e5957a106eb61e4ab99cdf8cf7766259d269b6174a11f416d6334b7eed83439a87af813e47edcd9de9aa2b0db8cd8f29d195b160f9fdf999c0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
06255ba64036ee09e490cb5be8a3818e

SHA1
e64d73d673669e518de92473fca2662644e7ad35

SHA256
7f419ba2407cf623044137ade42acdf82989fe247a31d845ec861841575937e5

SHA512
a0a8718485216f31cbdd7da7cde6a40379053d0c047a40c4b2432adf6e3e1267d8ecc973803dc00556b849150fedf9322834aefc9e2f511469ddf4a7ac4e001f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
5d22a52be459ed990b2cbb056db01d73

SHA1
057247c39e506955faebd1760af31a60b5acafc5

SHA256
b3ee42d030dca0b943c14fdc01f1ad50de1cd126677a757201015df9ced9e2d1

SHA512
c9228e0548ca06f59e8fc54423a61ea10d4443337df57217e639158edfb01bff42578e9f363c90c2e2b47b1bc01ae61097ca8707d37a6d72f9344f3653735cda

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
6ecbcb0e3ac50e5cc9547d2ff57236c7

SHA1
0818a2bc1af8dee0e4d6119c5507e4c6b7e8b5ef

SHA256
380e598a4400c4616235bc221142ab2844e01a2533b4b1d7478bf76947a44bec

SHA512
b1348242276dee2cde50c58dfce78a9e53780123f4b25a1e4b484ba7c51c401163aa97d4bfcbd6fd495311653e84826effaad67012d5609bd982c5e9622ac2f6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
5271185f474b1b5fd0814720389d0c26

SHA1
9a07ceb4c3a312b4a1b0b64baab3adf489a808ab

SHA256
d95df1b3d794146539b2227f4750cd4a7d5cf4719cb4ff8b7d7b09682405df0c

SHA512
78babda785a202c9a7da756416bf201b36e3fb7327f34660e8df3811d6579d2fbe375b385a44d80b7acdbdb1c4bf537a15894953d57816a5c1e10ef7145bc2d0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
034b93e7bcf84603c56629436231775a

SHA1
033528cd21d2ec507a38a5f1b92b73eda0b4ac14

SHA256
cc547bac8984b48f5410e202cee40651c05c5bdecd01a1ee351e9dd627de766a

SHA512
b3f063fc482f4ac69aa7f1dd11bfae29f1fff7d527416bff954e2e7aba9984d45e9918808ac2ce34033cb8865854aa9f0b4132f7db3d0aae377fd01e096565e7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
0211eb045318da52daf02be35cbd51d4

SHA1
59f3877aa55e2a9827a6c8118b2135f712928b0a

SHA256
64f5eb88958f58069472c9ecd453134d15466011c117279df5d42450f3eead8d

SHA512
bf7986e07e3afff825d2eb4581847c4abb47eb02df640e753fb529a63b71eb39f6c3f1eca4416ba79a8f6fce79051314ba11cd6ac5c921ae613936ff45980b22

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
97306d4b805fc684ade56332e4982c99

SHA1
84aa3afdfb5233357fd8057b0dc39aa4871172ce

SHA256
e2544093333d09f1a1be346144d7bd8595c0b196e8736f59acc1d73860cffb90

SHA512
ecfc2d0d117b793385bd49d13b784220be35061726ab638b91f8e54dd107e41f7805d0ef63c3b8329a372589ba0261d3d5bd5da028ed8d3b5d36adb6693195a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
fd36427ef0272d6d7179700f4cb3c372

SHA1
cc4e885a3caa3dfe905e53c5c6e23a672ec7c548

SHA256
bd07dc464d67941a706c4999f1a0975556472fc9c4e40b6aa24833bde2a1a7de

SHA512
d65a29421860e2f8a4c1b7265100d4a77cc22d2cadfff4d4b6fa73d1933e6170431d536155242409818e44efad701155334ac2a372092db702f1dea36be72529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
18af68d2f01f045e274807976e59df77

SHA1
1efbbfea09ffedba01fdf10324f5eb0c22953556

SHA256
a950cf7684e3a12fe2b43cb89c68d06e9eba2f3aed15e04797a121edee000766

SHA512
68ba619067cee007b07ee41f14ce525bad0340a14a0bf9bcd88b0419517f5d18d58ea34d80b3613e69dabe7bd3c55492207be5877d1349d6e0f314ea6347958b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
6e0841831cb3e9c35fb391b0a84ee9ce

SHA1
c4aa483b80a282d90ecf71fe9e2c371169ed283f

SHA256
9a9e976164f2a30d4c97ffe84a04f748615d95b107b62faaf0bc89aa15b37750

SHA512
ef62e7af1856ea82d7b2624afa4836ad70b2eee502fb46fe2777bb7fe47d998b6ee46dd8ad095488d9883f081b9883374b6787b651a9aa239dcfe853661069ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
d47d3d75a8354cbba676ae4f64ac5252

SHA1
c2f04ccf174e24e7b1957acdb9680994cdf2cd17

SHA256
837b935a53e24140edc6a8150b8bd68cb1c9c8dd7e74431d966e31134d4d13d1

SHA512
912cb4694c555b3be7bc5cfc528bba8ae0c50465d70f7598be35dbdf289c3e3478a1c48d140c4137a9b8eb0e48ce93659f4b8235cfd46d3fae2d9d31cf656cd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
b588704308bab6be1f97fd21c6670d22

SHA1
b7e0fbb3f1cbf1f4a1a6390ee1f7bb63194e7920

SHA256
bc1e92e41f11f62a53be1fe9a00870d655021bb0b6ac765509cbc7f275ff1673

SHA512
0aa15dee4f5c4faf292120873e0f453cfd7d518fecce6fd571f211af9bfb6bbf3777052a3a1308d59ba2f9b0ec07b6ac49feec4ca69a67ad091ee243678648ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
aa7a082f4c7c8f8a8eae13ed3da560b8

SHA1
78b0f9ecdf6ad62c1c9c03871a6f3cd5e6706483

SHA256
3fb846d76a14c6ead432bbf13d80c0c127783b8c8454e8c2c11e961ad18b392d

SHA512
b799f93640ec15d77c02fc35284bea03f769000ed6e3fa29e9ea44ecd8eb3ed71e928cc61aa67ade9e16cb3ec6945aba8a549947aae02b250570f766be9c23df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
25a992876522b2eb99ee576debd6063a

SHA1
223e263e7a214e48daaf94e574a56663114a8b7f

SHA256
e401341451fbe56795ce7007104d673629ccaca69b73dcd1a8cb43d43f644db9

SHA512
3386f343c849a9a4df6d5e3f65063943471798525e5387a16eaa52de035b89a84f9cd9168c85f732fe394a4744e2abe6d7b258c5bd6439f54b073148b4d08e2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
91c6bc2832bb7aa68a237f8b46fedc0f

SHA1
f5b20b15fe016aee8ff10c3d1d4778fa4a37ac23

SHA256
077e0dbd337f2581555060491cc97e2428163e6f3163bcfa1262009b9197a80b

SHA512
4b0002b9d80fe32d8eae698676e9def11712cf72c52ed5689497eeb0fbfe8876d534956bfbaf030249f4a71f6ed4ea777ec032c637199a115c65c97285a7ecff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
9d21c6ef6d31c2332d9235e625ec34b5

SHA1
3c1066bf85a0105316716032e200184197e91df8

SHA256
2021a2fbd9cd106831f27f14f802fbfc1edc7201df000a91b9d4b3f38e9abd78

SHA512
18c440bd6c31aa9d2bdf0ddc1161daa1d51607bc452aec2b11192cd20c1f0bdc7e0657e0401087a0cafcf9d577360032892586901ff64a89c6bac3d64ea8ad08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
1d446ea8db842b9dfceaaa1f50568742

SHA1
1c0d01915eb8a7fe294beac2ea1cafaca82f6c11

SHA256
ca0234add21aba1c6f060ff758c8dfe7d760d136d5e57ccef16f9cceabf1cbd9

SHA512
0aa03549c9ae1943544771a8a6ad2d988846a3c4d89d9a2bc515de923f49c66895dcf7299c99fa2b71a459cf2a900cdcce1214d3fff0fb2207a6df1daeea03f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
3d250e154ba513b43c1eb1c827e59f73

SHA1
a25eae86bbee49903d050100825f296b8358dae3

SHA256
76bf4d4c5860dc784fd91bcb4a01aa9b2748562f3fb30eed65ffd973e8169b00

SHA512
37a853aeecf67668097291ad6efd6e6caaf89651f49bc878f3241d5a2028ceaaa386d316eb39af14a545f34e789104276f5fcb751618168acc540f9182fdf1dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
818c8afa4d4d553a605d1e5454d0a2d8

SHA1
122d24827a8f0f6063a7ae38b1da82335b168576

SHA256
0f2408bad8ebee51011e2a1090470646a78e278f9505dd885266993cb352c651

SHA512
a088c09441fa4bcb12aa400f8c5edbfeeb72dc6bada680645f1fd17ded7825bbb1745fa18dda4a54579664158f91e9acd1463e27b718ef60cc8ddd5f4da6d925

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
b9ac7004160adc34d89d69acd71d6168

SHA1
ba6e9a2a6b0caad68a86d3b35f0e45919126b0c0

SHA256
0d9f5925c4c95238d40a719f31dadca89f015ae10c5f7fbf2489665eed4ae5ad

SHA512
bfa2c980a03ab961be0e2ad7580d337f0d4dc5de9d0d2621e2130337008c88faef6b57b2ce1e716b62b7269f94f7e8ccfb71563fb6d5e99cde209b49d52c1d96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
6411f04002016293b3815242bb07bd6d

SHA1
c6f87b7a896311b1dc2c6ead34bc35924bf4fa5d

SHA256
16da4874a5c45f0dc727d9b3fc5fe4fcedcae96d8fb3854de4c1ad3dbe19a8af

SHA512
b00b879de3d6408fc1b169d4c53b65eacde180027246e87253a35cda06b7ccfbfe6a4c68a1d7e9602aa3660d0c327c2ea6f3925e4ba2447bcd4eebe58b65fe72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
2877ca9ebc73ac12ffd6285b20adf018

SHA1
a41f62e5f41e536f0f8c08b9bd88e545cf152db9

SHA256
fa60d17af340694d23f7d7e824d068bf3e9a09b1d33933e4d915881e4b51f5b6

SHA512
b08b405e9d8662968d540f451a6fcbce93ed99bb8d97d6e2349ed31425a10ec62d8daf5fd684498a67f06d2bbf68538932f7fa2a118ed6334153bc3d770f8302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
00becabd3c2d4616c223bbbd39e55f3a

SHA1
70311dcafad8bbf2e8d31538b571dd6d5ad92092

SHA256
a35aa65b57f25b3c559f6e64df31b5d50edbe04dabe26cac466ac951b715d921

SHA512
5b68e6845604e685a3cd8dc05c15c0c6a966cef3ddd6afc73994e174bc4f2860135e7385b5205bad206d3e4a68553c0da25a3f41db3babb25bebfbcf59cfa8d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
b11953b92012c5292d4cfc88b58c4896

SHA1
01649f7a1e98450fa6875de9a6a1ac050ca2760a

SHA256
ef5338e003e4042e0e360b0e455bfc3b3e58a0332f691c75c8e96c5d79cdef44

SHA512
114d7bc1ba58a78ecf9225c3f3f07e2deaf4d3bbd2c8f96d07fddd367cf7cc45933bac4cf27fac7326b0a352626fb5f94ca9b9a1242b9ff6d620166f16f4a4c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.4MB

MD5
0ce98ebdd2a0c99127478bcd8f91abac

SHA1
cca2016542fc88fee5788d850ba2cc2978416da7

SHA256
ad9d41e3cd1758d314abe2ea1fa4cbd148c9f2b1ca96929741ea7b30e93c3617

SHA512
5386c7499e6554c712da7745d3353fee735f3687179c0f66f3071cdb491cb4139b129694e2801cbe6d5e9bed8a801e33106d445f94332439227d7ade83b10f21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.4MB

MD5
0bb4beef9a049b29b18005e30330549c

SHA1
e88e42718a57b504084f4e6302059b30ab1a5acb

SHA256
ae1923f291277f277292fdfaa2b84de0e2373e971a68e5cef528a27fe62dd5e9

SHA512
0a4ec6f70a0a7a9a8704c9bb4ddc2276e4d711703a724031197c6571ce46d1b939f4fcdeb0db9543e29e459b604a9faf280b7ce69c69652b111e556177bc4249

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.4MB

MD5
437d741ff97b7b452fae70dfa5ce755b

SHA1
b0937d2618d4e6aeff0cd7c3ff3a5f6362d106ef

SHA256
4daed4dc5fc7e4e891a1fee071c19b0f6927b9f99136339d475daaa4abc32159

SHA512
8a539b291808bb0f433c5df38d6693add2d475be3b68af9df4b7a96e117efa8d18fe09aec6723196297499ab1930ee8671a645fed6a7d6fcfa4f6f154fe26c55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.4MB

MD5
efa6367686fabc02f8ced6158fdee9c4

SHA1
d03f6fac0e6d62c9cc0106652c685f45e94cc615

SHA256
ff8988d6c2cc9150f72eb9f8e53630e952a6ee4750928c226b3c949faa8b28b5

SHA512
c335581b2a21e6b7d6640e9297400bff203dbee5d59b1c926b4bc24fecb4d86a190c5c24105bb7264605e8ca05a4711ce3cb41a1cf20d8b0244971633e70a339

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.4MB

MD5
305f1a67b5c0c342e195a3961d3ebaf6

SHA1
052b93431c6a3608cd8310671a9a8b1d38b819ff

SHA256
b8c23b13d8cae9d1ad813a707125f8d09de11513e04ebaea30cc91d1680fbe9b

SHA512
e192d3092fd916d0220585c65136b79576a43bedb741c85784a21dbed9158272630b76fab2fa90204975de4ca741695af229325a49640e14eed7499c2a6e5e0e

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
bb2059c0b32466cf566e464531dec997

SHA1
fda4017396c3f9159cb2a424de6f0fc0e2ee7e8c

SHA256
3fc91d2e6daf132104596a7753bf7647ebcff396fa1f850298a375a921384b23

SHA512
11c8619827d870b846ddd1ff3af47de60122c4d6b0d14590f66f3fb8e2b65172e1f788d5c174d622ce30f5bd602a8b36dd706350640d57ae730c24008ce54134

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
20caf429f54046fc7ace58cd107707b4

SHA1
e4c25809ac146a79f933308d8a54eb37e164be59

SHA256
a51d8a2026811713248b51633137d582a822d29216d4c9545986e68eb56e9f4a

SHA512
bc69f05a31a54eed6f0e018370fc649f77512a978c91dbcc8bd46731e46eb46cbb68c4a430588cb6e238e21d91c9dc3e8ec615452f7dd4d68f3f8020285003a9

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
30a7ae4dffac0382b98a5602e0e6f961

SHA1
68aea504aae83a3a30dcf67df674ed8b3fffa804

SHA256
5fcb9cffa9306230c8d1a7af55847e37c2bcc1b35ad1346c22cfa0d49e77276b

SHA512
92de92a368819e1d34bcb427e723f5dddbabda9a29c6040a56c81cc7eb515ea7a873505c8e9f270d6433c7f83f53a306d00c910ec21c2deb2486b620a4fb9597

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
170931905c5a09971a00e2b9b1c50cdc

SHA1
d42ffdb70b72d532b7fb5f5aa587c840f7ac4126

SHA256
54d6a62798a6082fdff0d9496173929a2746c5b88dc2d62abc705a459006bc55

SHA512
8217dea897c8f2c9b4d125cc53ce1fe0c366e3ad745b229e715356710760a278b289d9a4f028f4e53a852f9c629dc47a7e6f3014aef53e4fb766511e83541fda

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
af50e212ea104168356da44f5079ebc8

SHA1
8157f7809537f3c41d6b3af42c32fd025186d1d0

SHA256
0f45ac51946738bdf0d1ae057fb74daf56bf7074ba84cc8c840f5c7ab259530e

SHA512
dfde6b2a6c42140a59ee54a1827d0d8ea23a5acc55aa634e0dcf4e83c141d865251bd22b59f32dd0a06bc3c3ee966dbda92a9cc8688ef6b6c645c057d2dd73e2

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
6ab41daea6c4722da0d65cd5c9451328

SHA1
264f6337919c7981175a9b72e8d33345a1076bac

SHA256
eb11d0d1970535d7777e3bcaf6aa32589a6c78e749fdabb5e9921090c67adbda

SHA512
eb443c1f765b3729effd9d2e8744ec815a02a5e095a869358081dd6587ed667beaf6a92fbfc4a69111d60263b8b58383d2ecf4084897a7b78b1f5e875dd3dc8f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
cac388c61068c48ea39d5041369007b8

SHA1
385cc2bd5f4936c659973308c60d486d3a0ffd2f

SHA256
30a39c0f5b2d75cdfc5e1b5f55c7d7a20557d80572c3b155f8a8fdef6e62fcff

SHA512
d411b2afef3686c2e9abb3e9f94cfce88c50cd39d501151477875c38ee7d79800a8f90a90141d8016b08cd59da308b70fac8634d097f93d53657962a0dc34b80

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
f47a44532818d1a74bb1808d3785c10e

SHA1
3215fc10d2230604f8da92498a6ff06391be3314

SHA256
dd196320a6985326e5568dcb85bfe79955363b00c7930220003f7466a9b1589e

SHA512
e766217b5793fbe28ea69df1743d5be0e532f05acd422cf4c105b735b9001eb87ceb9ebc5ede3424e61e4f784ff5761f1bd8cb47346a99eeed99036cd0268684

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
faf8133937875cfd3c84d9c46158ed07

SHA1
cb491d907372a4294651634bfb960a463c966285

SHA256
969520b56e5c48371b7f957d5b6f9a7fe6a444365e53378b703a1e8e569bc72a

SHA512
e9a7a58b6f4970e861ffeb798755d14974b568fb3aec8c0a80caa34a043de761082f5db1701b625301198f2906d6370a3199b2aa775168b7d7986d0c4386a7a6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5fc0ceed364cf12fbb4dd5fbe1ee50ab

SHA1
c6b8f5dc38b3f41f391853027eab3d34b704d238

SHA256
8197a64a46cbd7abe15c723b2872fd9c230f9a55f7c175d5d92b51f882006f9a

SHA512
7f78683974c8defc83afd05680a9dfc24995a197e405b3a6b4f4fad0663821c9c2b5562201b22a62925af6befb432474cd117906db3b23b0c17986ba4244e472

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c4de967cc377c284578c76860badd44c

SHA1
d731314f4cf7370b5fbc04d0c2d671e9c91e7899

SHA256
24f75baa895f77e4fc2d204ebc468ccf9a4b29436cfbbeadefddc08d90d62e36

SHA512
ebd9b4b88c78a76ae2518cee5ae14229f262fd32501059731e82cd2ffae12a428b9a3f70d3920985cf276ac111059c21313acd4f4220ed51282f77135f4c4963

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
ece5eb88fa115afdf2c424dd6a0fa647

SHA1
e861d986dcd674c4c757ee5244cab06e5a734d8e

SHA256
ad031e6f98120d3448b251f1321e72f74dc8b7a945433190e7c92213d68e429c

SHA512
e049c9bb2996e2138b2dab0d9892f5b65ea27c683a5ae1460db1c58446dfa4a56b6e17b82faf6d0e404a26255536b538ea31d1f31c9342c24a5f62e12c930b08

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
90b0f4dd311d893806c2ad7bb7c4845d

SHA1
fdaa286b199dcbf39288beeb32d772324bf9cc93

SHA256
c2ed816ffb3fd4890daa8afb9d5fc7d0c639f2b68b0ee056c087ac16ab647663

SHA512
81a95bce2f32a015bb15726d9dd86acfaaaa127e39e4655a615521498b4fcc00ad9ddaec9df9e81b6c34056b2138a1f0f69cdbe80e8d502e78b947cd10f48ec1

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
6a84d474d2b4da94cd2eb2b029e6e510

SHA1
2c523fb1c2eacdd106341088974cf9ec055c46ca

SHA256
4df151b253315b883787f9119206fca4e497356ace68a9b0568905e3e528a193

SHA512
846f8152c50dd4673378acc93f74d3cd4da91cf6a1bf7b171e3995338307851305a1df7bf7bea383e813456442d0b52a159ed291625d0381b3f9ff8af5c10225

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
5471458cb0b68259080af480c886ebb4

SHA1
2e0843ab0584dc37bb428a00a97c1ad6ed877ba1

SHA256
4cf5c3380fae7f39d76e2391fa8e1fa86668501932e29d6d623f67cfcc95c629

SHA512
61bb66f88977b5386525308d6a68e04c80c74933fe5ba133a9138561a28fac0e0e317ec135c5c417ec3c48f72f3d616b3ea3153eb581361a8784e78582a33eee

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
d03d4178230203a15eaa18a1fa64b17e

SHA1
e0b8c716a57203fdbe7d5ff0c7c091d1e968b283

SHA256
e4bc7e30ced6c4a3cbf9c26c70bc8cd84426774ba73138b0772b649151bc74ab

SHA512
4f404ab466a685629aabf1123412b8d2e46f20fa0be1c06cb14ebebaf3e0a2ed2cb8762ae1426721dbb7d5fa86eaf1927e3dd24dc107116e724662e353be33ac

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
99578f0e94dc7d9c84f74c7a45c3a83b

SHA1
ab69d1dbfab575b63fac7b9f0f211f539e2b14b2

SHA256
f9b22ceada1820b2d9d9e9c9012c5088b8578e46623b1d79546d62f1455e5b6f

SHA512
b4e5d9b7beaf165fc726a1e5faa23a49bcb0c493c26c64cba53944adac17a8cce7334168947955ea5dcd33780c23ae5218de255238e10cbbb97510ea6d9d6d89

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
9c96d1dc3244ad0d186364f80546cbe1

SHA1
d7f9b20414dff430edefff975e9856248142c02a

SHA256
86b59833cbf066f2ed111aa17e0a13c25d3330bb1801d09eaf2376e10bdad6c3

SHA512
bc0801805eea762723c425d621de9be7bcc32d3defc5fe0d843429a110d3549d558e9696d857e558e4f5adf3ff0c44f7ac23d7995f84753d6d0376af8ed3763d

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
abf5be71f6b402784842104147432171

SHA1
e892f364524976112a2f38086ef054f435717aa0

SHA256
4f41e2245d126bd842c3bcbf62cea82d32f29c68ad3651a048c857e4a3477c12

SHA512
5d5845cd685723c900f7d9e8cd09d5a42cabd4f4bc424e29d95e9210f1b0ca023d03cd27436d47dc4807ebe3f2892dc694524b2f3b681fdac2ca5bec23bc869d

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9fd3216b0cb1657aeb3b3ac92d5512f6

SHA1
b92bfaee9a072b20ffac9cd6b67ea60b8461cb67

SHA256
74b02576b8dbbe268b0d911d8fdd6a6b357c7978d04a35de4250ad28cd2bb09a

SHA512
6f906a37344dbb5328dce0ebbb1858ebc10544c08cf39cfe4cb7fcfada56ca5e1c9f2d836b116bff793123406d742915f887a9a0da45eb3613c3c4dd37a437b2

Download Submit
memory/208-240-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/208-359-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/208-247-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/208-241-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/456-302-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/456-421-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/980-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/980-435-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1208-25-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1208-1-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/1208-6-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/1208-0-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1496-608-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1496-360-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1764-66-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1764-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1764-74-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2052-263-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2052-385-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2208-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2208-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2208-232-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2208-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2240-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2240-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2240-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2240-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2420-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2420-252-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/2420-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2436-331-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2436-601-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2996-612-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2996-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3220-410-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3220-614-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3428-51-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3428-63-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3428-58-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3428-53-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3428-61-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4400-422-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4400-615-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4496-606-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4496-348-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4548-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4548-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4548-604-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4572-383-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-371-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4616-386-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4616-611-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4708-297-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4708-409-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4752-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4752-605-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5060-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5060-37-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/5060-28-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/5060-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5104-289-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5104-397-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download