9ea105c857343568d6542e8215da792b479d5ff42f298b2a70c5b454b4073ddc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_fe3f3a7dff24b0006687a73135bf3d57_bkransomware_karagany.exe
Size

1.3MB
MD5

fe3f3a7dff24b0006687a73135bf3d57
SHA1

346f1fbe7bfb3e1e2d333adb7f4ae3cdbcc40350
SHA256

9ea105c857343568d6542e8215da792b479d5ff42f298b2a70c5b454b4073ddc
SHA512

39243210a469d89fe0c9d49fd3c2570ef1dd90bf6aaffcecd7bdb5880e4fc701795eb73f67371c421599dd306f61b4ac52e53d4c48293cefa45add89ddb6b037
SSDEEP

12288:hvXk1coH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:5k132JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4280	alg.exe
5048	elevation_service.exe
3152	elevation_service.exe
376	maintenanceservice.exe
4084	OSE.EXE
2104	DiagnosticsHub.StandardCollector.Service.exe
1412	fxssvc.exe
3076	msdtc.exe
1952	PerceptionSimulationService.exe
3944	perfhost.exe
1656	locator.exe
4676	SensorDataService.exe
4112	snmptrap.exe
4184	spectrum.exe
2996	ssh-agent.exe
1304	TieringEngineService.exe
3452	AgentService.exe
2868	vds.exe
4388	vssvc.exe
4196	wbengine.exe
1808	WmiApSrv.exe
2160	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-29_fe3f3a7dff24b0006687a73135bf3d57_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2955622c234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f04bded419ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6b970ed419ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099ddb5ed419ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029124cee419ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ba3baed419ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9ce64ed419ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097f38aed419ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008adcd4ed419ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033b88fed419ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da66bfed419ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5fc76ee419ada01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe
5048	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2288	2024-04-29_fe3f3a7dff24b0006687a73135bf3d57_bkransomware_karagany.exe
Token: SeDebugPrivilege	4280	alg.exe
Token: SeDebugPrivilege	4280	alg.exe
Token: SeDebugPrivilege	4280	alg.exe
Token: SeTakeOwnershipPrivilege	5048	elevation_service.exe
Token: SeAuditPrivilege	1412	fxssvc.exe
Token: SeRestorePrivilege	1304	TieringEngineService.exe
Token: SeManageVolumePrivilege	1304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3452	AgentService.exe
Token: SeBackupPrivilege	4388	vssvc.exe
Token: SeRestorePrivilege	4388	vssvc.exe
Token: SeAuditPrivilege	4388	vssvc.exe
Token: SeBackupPrivilege	4196	wbengine.exe
Token: SeRestorePrivilege	4196	wbengine.exe
Token: SeSecurityPrivilege	4196	wbengine.exe
Token: 33	2160	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2160	SearchIndexer.exe
Token: SeDebugPrivilege	5048	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3576	2160	SearchIndexer.exe	121
PID 2160 wrote to memory of 3576	2160	SearchIndexer.exe	121
PID 2160 wrote to memory of 2456	2160	SearchIndexer.exe	122
PID 2160 wrote to memory of 2456	2160	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-29_fe3f3a7dff24b0006687a73135bf3d57_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_fe3f3a7dff24b0006687a73135bf3d57_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:376

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4228

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3076

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4676

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4184

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3576
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8e2acbe244e9b4893ec56b76c6d7300a

SHA1
1de9e430402229804f3e62dd49d3017a8bba03e4

SHA256
bffb878e781c5ce46a6451d2d623aecdddf6d2c1e6a6e0c5c5cad541d45b09ea

SHA512
f4184d546d4eb19777bfe957cdfd66c8c39850483d33fbd7c96269f2422deabed044ef585790247b5fdf0dd2e21b16c0043c27e09f466dbd8176f10f21adb330

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
e3deaf5ac7f0fb1a4595ce1dea4fea50

SHA1
e4536bf02d03eb43fe54b4de3c4993732786b905

SHA256
df7e826ab6c4a23dcb0405e7d90fea4c8b056e428bb5072af78ea539f61ab18d

SHA512
7fd9970a834945c90ae7335fb6c3a6bb96d13f0ca5bfd0f4102039108cc299a6048cbe9cbcd65b73724205d85404b94bd2faca598153e4d2580ee327b3044847

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
ef7eb3d24b2507b2ea66f390e824770b

SHA1
2a7ee481ecaf70d986267b24be20b32bf91759ae

SHA256
daceb9da8ba60e25757c2303763773cf755a957e19c88d28b0ce306ff8c5c51d

SHA512
ff1e4dad868483375d373a83a70b3861272347943c163671880c66abff5facbd55322a4609483850a037b6328088042d3679c75fe5a79bf7b1ecc384ec50cd60

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e040b3b32c76e76ade63edc56c9dd2c7

SHA1
cdd200ffef515dad7c870e7f44433ddf2544c550

SHA256
a4f5b03e431fc1e7c2bfba3a3e803e56862753e55e3adb3bccb167ab213de859

SHA512
836f287fab2122c426c7ea1209258a41073a2703ed2d5a023103b4b59b165cfac499359ccc68aced85bbbf8bee2c71ce5a7521d8789b33291ebf11548f490c87

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
deca8355df92f66a19da35b50ad610e6

SHA1
a62a3ff24f879a693534e4c4c8e67c92041e7955

SHA256
be3b76f55d43f9e41572e4aef78324e3b056a3c529a0a73cdbbcfa4ba2f02e2a

SHA512
69579d5bf7450333899ad0f9110e6aa5dae32f22a7100a6fcf29fc9d44f73734bfd6b74ae8e70f2d3ff829ad076ff01a404640e58c4b2f70acf1896e9aa88d68

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
304c2cccec4867744ba3d2f640071672

SHA1
ac3ab5a136254380e452899bbb2d0bec2c2ec401

SHA256
1ba2be80f880caca131cc18a243708c1999aabd4ee85b235ed1f7f00b219654a

SHA512
16be963e7b84a080d4f7e2193e3ae13d2e8587a74e62c6523ff0a6359486f079566eb43865f8a4a6716c08e4d92af3218f930183546d8e9781148f7e4a393a62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
558044dceead19ffde327df74d3743bf

SHA1
f2e66221283a9a37965adf3f4887c7191aa2104e

SHA256
fc8520ab12ba16c21b8d92665260021ab57e5232156591ec7728adf31af67f6b

SHA512
a3a83992e502efd3c9a6bb630318daff569a44b7efe99c3f42ecb8e2cb9ed612042e5186087662f8c8db68ca652592ec4a4077f82a813237aeab9dca87276395

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f7e450e9aba725f56befa0ed84cccc2e

SHA1
c98243e4b94ffb999e7976e6fb596827fa4df552

SHA256
48db53d8f9bbf980969d273c299e3f4434ab96d36a90797fb4ab3d5990a2a252

SHA512
d75d9539b2846bcd2a1463ed75260333b3d4b0de1307e1701b7c254c820e90258600407a73f207e7ebcf9c0396c01f26a99fbdfb80e7d15f257707664b34c723

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
fc6e20dd43a35633761a2f846f91cf67

SHA1
390d5bd25b178992ac842ab8a345b13203fae5c4

SHA256
c9c3ad97938cb55e420a3892ed9ab1cc27d518c08afd6c302921092b0b60397f

SHA512
8764c505c0c952fe543764cd38ffd9e9214f770d04ad27483915d78a96fe7c310efe76d15c4848f5b94a84cb470f8b7ecc9f92e3458fac3c960caf8e203a750a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
22210647ceb9fb0c7742dac92c0f2ce0

SHA1
3dc1ae3399e79947d7323e713d674b9768dd12e4

SHA256
1e3956724c33f392752b6111f241753d01e2e8e7d58d8de81f27898772ff0a61

SHA512
011ec0d29d18dea048645ab589b069b420ab2963fd43d94fb930650e4b04474f46b27350c8ce61fc0d00465736505408ae67902d53006da114f191ee49283a9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
262eefb339fa7c1f43592635dc8d42e4

SHA1
f7d6ba5c50ae32efa1776217351485aaa43bc680

SHA256
ec44cd3d047add4983309181ed1e7612c3d06186027e3232526ae12a888006ec

SHA512
7608d285b0e05b647def841311016290c5963077f70a1792b0e24d1dff433f2a413058e283cf036eb63f1d805e79244f5a5d5dda684cd91e89709bd1eb646c61

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
04d7483498d3c308ce2acd82d446ef45

SHA1
208eb0267e08523f681a919a303e2ef603342430

SHA256
5edeadb36d40cc7d1ef91356dcf67019cd32f64ab7715c213e5dd1974bc8fa36

SHA512
5e6f546fd3321f924cce8857333c4c95c2fbd224a13abd59fb0e84406fb9a28277e6fc61d83e7705eab78df7a3295b7c55e2454838163f98b665c93a76adb16c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
f6ee832126f1a6e138baead39b5d7434

SHA1
9e6ef4f1ff4a2efab59e38d0ce035f05a461079c

SHA256
7b0dd1be68691959ade282bc793496b2ca95bd99d9a6aaafe4fa2dcd6aae88a3

SHA512
5461f9f67c4919252a8ee148e02fb1a13ec47293ab8d1e0f2664010b090a08220f64038d59c11e53bd26bd2679010a255d3bc971e619df932e5ee8f5d037249d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e76bb1a99a721756fe2838459cf31188

SHA1
2b51c25db0c4f2a162811702ee64365ba99ad7ce

SHA256
a2d365df6d6d181facab7901ea88ab43e7323c126fb9d19bd2dffa3179ea8d11

SHA512
58d738132c11908babc80cd6b81be9dd2c2b08c3c50b8f0188ff37b14cca0e6f54f3c511ac5171be99aebd22a6487f38fd05a948ace121c07b12d3eefac19911

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
93ade7e3b9080f5b933b0026df56c32a

SHA1
ed8ce72cac18915670a8133cc70bee881d623782

SHA256
7bbe58e15017b38d943c36d58260a9ef34f133d77153522188fe1b2d553a5a49

SHA512
59f93ff6db459ab01c46d80c9fd5c614a5efee1f8066c62d53f05752b33eded6adcb724606cd8b4a76d30bce1366680c94969c64d70383820d602c3d8f709791

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
6de7cce9ca603e197ee80dfe8773ba70

SHA1
636c1f02fc7d791f743e52487f27087a603777f3

SHA256
b2947f7558935613b68a7d3d6dc3880cb1a95dc07792354d50fdf3e27c8817a3

SHA512
aa91c7038cb9de569490e1f881e696d612b21206472d2be06404de1d0f7b042eca877717e48e0933716f1b6adb1b17143c937cd1adb6a5b0a5aba4f8ec9e58fa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6cf9a9e43ad0481c4ea7665cd4c7667d

SHA1
3c869b195bef4255df96d634a9882fb198ccf2fa

SHA256
b155f21b85ca23fba406f3b1a4544ead1c3694d8c8237682d216b3f4c2da2865

SHA512
8ead585ecaa58eafe631e4416e50f51fee90bca8d419b667615a3b492fbc107936558b7b679e6421b6539b67bf48defe48eb40dfac0900202582753feb776db0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
97e566229c5d8abe4b25c3cf74613106

SHA1
d7d4afb074bb7d04155651306aa2f6a5efdea114

SHA256
c518d037215f2d84d1c5bfd7fbd3976cc570c8b444302ae1544f014c92f74df4

SHA512
24c90d5b4b515acf2f0203bbe716febee1a727273813622fd87111f1cb958d4fe0b298a5c59c7ff47798154c8eb2d2264991edce0d234a06e3b8a1981ff634bf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e73752c53c4f529b16f9d278f884541b

SHA1
63df1f506f162ebce1abe6cd78e115b684293ae0

SHA256
9e839d9bec1eeac8ff28e86d3d8b5825a3036d0620787debae360c0d78559c28

SHA512
338b4c1ff81691ab60366416339f1bede38e7ed099baa99b7923bf794f4cab7ddb39d04084cae8d507b414d49990703cba35ba3aa27b464469c814bf80bd8e39

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4573b2a2210d2c7de83d6e0b54b0f871

SHA1
260359be2ce9f1c3244313ce7b21b1cdd78e52f6

SHA256
29cecea02df640b4e810678cf68821222d4baa8dbc624f2af510cf7092bb4ded

SHA512
7bc7b0dbc9dbc7398f5df96da4b1ae22f20fd88745f9ddca06ef138e50bf002bfdf0010c7d2d76a71def7f0745a4ebd5c02fa429d78efc166556af4cc9660c84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
63e9b6d5e69a79d0dffc20b7a20db03b

SHA1
caf3a80cf21ac9d73f6b6a79cb7ea745f71a7e6d

SHA256
c69ba2cd9b564f64b9065c4a8582f4fa43cbae725f0d1bcdc82b9979ad51bced

SHA512
72512204fb82dd1cfcd7b0b15203388f2da2140714176bb0831b2d1ad25b12f57da82291e71ce4c023bbf9475c18e4e57739425e0016143d4c41e38b0686f784

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
08b6d6c7e4a2969d6b22ad1f22429942

SHA1
2e4747aa20e68e15b386237e7a863bc498a53527

SHA256
83f5c9a700a05864fdb351e7142a7232d830427819964029b7c9cecd9299b06f

SHA512
4c076f892cd0aaa11c4df93d7210a56fd11e66ba9096bac7057ef0467b6b047d6a4db99af13422b587ceede37dad0585119ac9bd3befd63f36147ac121342db0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
16fd08ea0c6207b1d160b6b0c9303994

SHA1
259ae5ff2e2beefbd2042a5dcb47c818c3649771

SHA256
9acfce0ad0baa2d1eb46207ddde361b52d80b09de1f62dc9b73a439b85bf1b7d

SHA512
1d822cb4a5a4a75edf5b9d746e5a63e9131f7808a9938ab129e6db4679e51898bbd7cd6876c5c5ab817b2f8b91728febc7af7f152a98259041178d582635b478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
c89abec002f8377d8084acaa29ca7d70

SHA1
c37dd41545e8e2d9fed5026395043201daa6843a

SHA256
180672fa7639887902ee65960167a845817c540aadfe9cae9a6df148e6ebd57b

SHA512
ed6f66106a4786ddffc017b650e32aeb699e597241ded6e9d676830e37b90b3eaacfd0d89eef76bd765664d33f61c6eae17f34860e6edd6ac0a3da7a754ec928

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
6802c2c244a14c49f8a696f990b29957

SHA1
f29420c19d36aa9cc44caeb28a580ecce6dc9e78

SHA256
79b8961ece4fe78fe995ff30ec33d7c4845f9c45a922ec664804035d3e0fdd01

SHA512
ab65ad1011d9e2095d53e1629b878c0eb990f685b75a7e42b9857922c298b7b9a67cbc0cc973dece7cd4d2518dc1358f3348519653b3545c1c28c2f3462bc839

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
d22bd143b42e8b91f1416ca24fcdf022

SHA1
2286d8274643e0bf0ef54cf8d6031f9f2bea2987

SHA256
e00d9bb6186b34d8a18e61b5258a6a27ee0403530ee45673b97ea29857193afd

SHA512
94b9495030a46440ff92dffcb59fb1c3656db0490b73b48b25c6d1a24dc273e75b8140d5297b42c6670bc33659b43d6d3d5d489a328da92c7e7aea15fbf8ee0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
ee2333598b968a828146efc65a78645f

SHA1
0292f269e2071a86de9f1181b8bd06fd2ae052eb

SHA256
96f62f4394faf53ec49418ab165f600a25f0144a3770aa74743e217144f53d29

SHA512
621145311dd87954a7969fdb8eb4d3e9a6781b8bbc217ab219f05e906654315545fbf1d3ce12ba22ec8739e68137b3d3fe9fa82804adcb03eaff10b5eeb78ca1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
8c8e54b2f5b8168f8ab926bdc74da30f

SHA1
a4f731c52f65c7cedbcafa6c9ee2fb37c12df8ea

SHA256
00fed6127265f5c7bbf56bc901ca8cb46f1474ca0c22dc4e5b5554f45cbe855a

SHA512
23b45264705ee0ecd5b484e44b466034fea9f9c44dad2e073a680e1e8a408245171b7e0a1babd8b7b2df4192c085e4ffb1cf52201217352562347ed585cf75f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
88558fa143d313a550656f4020fa208c

SHA1
539561bf68088599339e1ee0dbcec233977a837a

SHA256
53e670275544257a1e60be7135547e6e2c8100230d78e91a18a290f49cc25572

SHA512
3cd1b091dc6eae51746bee8afa12af0774807869dc277990370fd6d68a56408f4081a53d2bd4e9371ee879878101eaee4a2c77dc65dc930e4d99323d14ab2688

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
4083bfb5f9c2b9c10f4459a2d4033116

SHA1
af8b4deec0d2c1a86e71b5f755e2a725c19e0f4d

SHA256
28421d65421c80b1a7e9a430c52b60242b09e9a33ee7501973dc76466cb57386

SHA512
676b58c6ed26bc7a74f1eacdba3152faea35293a76bde8909da4040474e43b336009e6661510fbdf02f791ae873c0c0862288c1af56bfe95314c14abdd33811b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
a22668d63efc058168eaea71018ef925

SHA1
2cf93cf099199af053bace9c4c4bdd7f55f8315f

SHA256
5b4dd284ded41f419e5ecf088b0d967eec3bafeabff0eaa630dc47b460841234

SHA512
0aaa0fc008f36eafe9a2d46e357b4450846e2762def5efe70c6abdaa8d6b1509638f9a2e4c404017366d72364df39e03daf8fb7d87f13824ad8d956fa7efac3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
734fff141237c80f17d0fcd908312990

SHA1
f76fc3b4794a3a7e344385cd5e294b435ce4aa23

SHA256
6f3289ee47c2f9e0fb030ceecaee77c4be491c4d63187a821e96d1380d96848e

SHA512
fa27526e94a9f1e20b0dd4aee16da47d7aa2a2b96ad08d848465b59a97bcf01b87bbed0342841ef0ed04fcc9dcb77fe88c0b3784d1400f7e336e8cfde1e243ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
1e10ad35695f236c6a57702f1e9a8e27

SHA1
3fa926e3fefd0d565c0ff582e94100cee8c5f68b

SHA256
a24a6d1f46f86eb8f9e3a4d278dd84dbe384f626b619f3fde70b9cfb2bf9eed5

SHA512
7591384cd61efa05e1d117fce15a881244488239e6128bebf466760b689e36eb2532428f6632d793de244a1a693b922f116631d0c3402e5324622a55e0e1fa22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
f5abd8ae9a3dac4e205131a9d5ad48ba

SHA1
25fbbf3d695de32a8c1dea0934799c50d4fb96d0

SHA256
e94f599b99d0fa21010edb56a0fd6c260d6d85f4385752c62c9276458c86d0e1

SHA512
7032b319f8a909f0964c34a63eafb62c1266791e727f907b4d7a7b0c9c9feaf6a0cb448308a8acc89538888aea3581911c0b5bdf3dc45efbd2e721e9bb7ab2f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
2f73c6c763942c1f43e822ef9f656c95

SHA1
4a6aa877ee94a6e9bcb8e3624639945c22f01f08

SHA256
483f6dce1c486b44077449a6679ad0d6ec1cfeaac6e5e7f0798cf12341a7e8ee

SHA512
2f523545d2fbe3cecbcc17e13dafff6e10c69e401aede9c9b5bdde1641b0a29a8e41727e7208ae0cc25844d53adc32e97be375d19f95a5ef02ff48568849c383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
250950795ac623273bb7f738bac6fac7

SHA1
7235416da8d8b7b788b9c95286f9fa6b737af652

SHA256
43602d6b46953f7a94e32e43f7b86493d66ea79e1a0c0c5e08818aa2fb444d3c

SHA512
b0089fa2bc04665a28680fb225bae115783beced16a74b9b10d02eb0fed927b9d43aa28ab856d3e5bacd67612a55f9191ef5d3f5cb80db4b954384bebe702469

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
a54bd0440c0af4e1f2982484aca0713f

SHA1
9b76d702b89073bd2542a0d21c193181a3f57f5d

SHA256
b25398e38aa407b9133704049a491c527155ed01fd8a7d3f739329a5761b5d99

SHA512
c92b791bdef85dff20f28e9a0e7464f814e02697196ce671a5ee002d888b267833242b2c0891e63a06b58a1b9abb7c048bc5eea857936fb14b7c7434bc1d8588

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.3MB

MD5
fd999b21f91aff53a7a537ad2eecb076

SHA1
6884b2b131b163d53bad4f90b12f2356bad912bd

SHA256
a0f45af9279a1a89f596349183676b507b61e3a660a24219a36a2c53cf91ad50

SHA512
97f10c47175438c7e01aa20e69d83646fed7089e7e21280623df7af0f9755c1baa603b84dd361522978e0be47c3b137ef19979c0fbe2136b70e03a1ad20e7373

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.3MB

MD5
7938cd027f81be8d7a4e873cb344d194

SHA1
efd6752dec3c2dadd13763d4360a564bebcd2c3e

SHA256
33ed9cfe66293c89ec28485ab48706dec28993880ef90d1f977b0ac1ce65b1c7

SHA512
b638feb98f49eb6e007d0eb1f5800e22797d20b1f005155be1dc7513d9240daf92d17ba93cb9e5075e261017b5556b0a2c4682397f5830c6f48f1c8b04ce1bff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.3MB

MD5
64612a8b3114adcaccf47187bcc68f9b

SHA1
c986ea1ad9ace39c8213becb9bdd6129b28ea753

SHA256
65d68799e26b54b4e1799c22ebe297de89d6b2e56658f15c7b1146986721a937

SHA512
9c6a7e5a7f7c850dc77c455d5cd72f2b5b932cb5f844f6436995a10e37e51c1e7bebf316fd0763a79a0241a15b940540d50f9bd070c6ef133b40508c588a9396

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.3MB

MD5
f8d09a707e949b6ad37799e1b5e613d2

SHA1
5283bb6786532ccc2cf9282612971708a0a0632d

SHA256
24ab6b21d765253ae91089c97001bdab3c49400ed2093553e293c6c289726846

SHA512
0be1078c1d08919eb66b53eb3930297dc26cd51ec69d0fd2b6693b2000c4f1939d7085c84f53c293df8778087902da8b2ec5c550cd098157c31a0fdb24b60a0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.3MB

MD5
06a5a851d7a3f601cff731aa405f987a

SHA1
64102abe3fe7e3aaebf162243520dc2778310b90

SHA256
58105cbbe7b05ef4bacb11af856a7a8e6d0589c18aeca158cc0b11ca14a33cb4

SHA512
bd1aa2a13cd70af22347ffe85a91da48ef163a4115a661db9da2c0b67e29999f15f7ff409b8ca5f14b41cb55b3629184ce5028f39c6f57fd17855bd8e92ba9fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.3MB

MD5
155e6f3d78e57d0b7cccafb2d26ecc2c

SHA1
ef29ea6a7e75f4646b529708beae59be49f7f0a1

SHA256
7411baf6cdf00f4f49976e9006e74e56ff4738621f14bf75b84fd2d0732781c0

SHA512
b7ce10f48bd3a5041905540bd5f60915545d5e4dd989cfd49736591a19fa29c1b01550e6f624e382f06afa0c168ae188888cf0858f22529cac532d97bedba921

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
391d24b4fae937fc62b9f6195eabd718

SHA1
de1038727b12120b840873607fde6ad2402341c1

SHA256
8dbf422494e097e6de8c0b52c9a38bbd0b6166452e9c50809d5ee8b1041863cc

SHA512
9b437fb778ccb9425ffc918953cde8511a522e0390c673d87a31c93e24bcaa7eeb1cc14169e672f7fc4da9e5fe26b65a88de27b4c9ce29211440ca3e6ee933ad

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
b4a9c82970bfdfb2b1d36f666be79b4c

SHA1
d0aec863eef035071956da6cd4d1e2e2ac8eeb4d

SHA256
d2235f0e3a2530acd8ec8b7a7208f6e62cc66d58fdf9e4ec77c8df95a8c9f842

SHA512
22948edfd04a1db08fa09ba95494c609d17d0273e4698ab3a271a9a2e11bb3d2616ce26f132b036c6b865e71d7584fd3b91cb5ec625d32b8ce683f9bce4f99a0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
90e3f7b9312541c2b59e859fcf0ac8fb

SHA1
f24ab0dfef27935307b8bea4c4b44ef8b2691ebc

SHA256
cc8b331d665f635b1e473279fde6092499a27b3a62a1c3fcf5322c0aa0a9fa21

SHA512
5bfdab9d4a86581d0f80321781e8f063e93d5590b31c3df31972ba5789285ba893429d799fdb9d3bd65af8766b120969dcafdd09104c47605fcbbc42a7fe7501

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
7d48a4541a538d9833aee8b3f6ef9fbb

SHA1
fe4822679084b3383d8bb2d003dfb9e4af07daec

SHA256
c25a405b3e4ffb07a26d072c1e7d0a59a54cd51ad916512b2b9d529863fa3168

SHA512
13cd68af2f4f8132dbda504966ee10069768da0b560a48a41cf3d9bb2e408d4737da9613e4d64a61a40b0a66d97f74764f64e641f1e56317fc9cea2c708d68ee

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
94402c59c10c3f2eed54e4dd745ee8f4

SHA1
f3d1d47a2b4ebcef6c48f88e0832f9ac5d332948

SHA256
5b06f26622c67c5ea09379a0b7b5ee23198bc76dfca846ef056b19e48e8ce3da

SHA512
c40ce9805fb0c1d8bba9630f1b9bd10f2ee87bec60728bedc9ba4e22c5a545db962cf6dc3a46161d91c58885fc25a1795c51b3fddf575e7c8413a8b4129f6780

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
cea325c05ea580c4f73868e6304cde1b

SHA1
9bb0faf8f149a05f6897766545281c4876e7505f

SHA256
8b0a1b826d7a3ab2e988d028edd369fac940e19b4493ad6720538ec197a52d60

SHA512
69fc1551917d9a684f7567b81b4e7ac0406e7073c3f7ca65fe2de30204eccf546cff78f0291dbaae1c2713e8f1fa68a761b5d6687902d8a399b638443dfc9e18

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
7689396cf47bf06fb64b42dff7fe35f7

SHA1
e56dbc6c48d0fb1851e320b6e8ee92c52cda89d3

SHA256
2193964b9cc176238bf6d24c20722f76226da77e2e889ff4189c978efc599788

SHA512
4d57425b3c2a7310ffefb9a7b6183166d6edc45920f9201f4c17e6fdd8bf98619e4b3f071b76ac17c1888912832cda0030cf733594b30ff0549c0e1091985def

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e8c73a10adbbf6a2baba3741420c48ba

SHA1
ad5b791659ca56740058e859358e37d9a61dba6b

SHA256
f3776d0cbf5def835c6588eca7e8b25da97857688f9d0faf0b4ead0c2ae26b48

SHA512
1c0afa6556901ad842b3b77c8407b707983d76a8cc8740f6e4a3624865c1d228a361f5a6f762a0395ea6efc1601fce9d3a26fb4b8764a3b6d172aca36db77283

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f30c12d1236ecdf6fd380064c2e4c376

SHA1
d7e99f5a19196022dc9c3a4c67793fccd7a3bc9e

SHA256
cdbff6b52312032cef909143ff760c9df7951987e0cf3749a567ef4744bfd8d3

SHA512
14a9441ba137dd0c07637d02cdfc70277432d9ff19cf14b7e94dcc70a39947e1296fdde9a63633c92faa6e3fd8897bc622f78d70f5cfe2c4a025b516084a8a84

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
678d7d0fe90e403e7d9716fb68444d08

SHA1
802cc1d61f04b916e72958dd8bfa789e310875a7

SHA256
1618be24bef799ecea71b3a7aefe419db68654b9cde21fb9bf7bde292ecf56ba

SHA512
6bc3cfc917ca822fd03697521328b50f701509d71deb00a8e5d5a1bdb9728466ed79eb1dbe1f70b24f2ca31d35b9acd1e3d6744e0d91b655943200d45924e7a0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
23fe31748a32ff2907200dac9d052d30

SHA1
55a7fe79a409d398df1c9985bda88c36e1993c09

SHA256
6f0f9430cb3ceb83e02464e8da9dd5c65d2ed42f58f59ca5f7c337380902a81a

SHA512
3745192a0a9efa9e87ce0b94befc9c776068b635da49122b83c3804ca64abd4a8ce0819795d26eba61c5bb26fdf6dd1a3e57d65de55b113972a4c49f23798610

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
9a937aa514515d0082a300c515ae579c

SHA1
e67b84bd42882047187e63930b9a8a0b84c585b7

SHA256
17e3da6c6ef84840f9efc4610189c41b756cacfc4b51ecb984f1ab105296cc45

SHA512
f8da3f68288337002247a4c2fdb9016703352db4474fbf0a747db0dd976ea4359758085b1900fd0bc666d1ad0e1433590e650c52f18344110279c98851138c31

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
89a0ad5c3844c5eac47236af6a965f96

SHA1
d54e3bbf58a10a22077441a1250c37adf057b649

SHA256
8f0f3e3d85760a7c064ff62b1e7bc23b1d9825967866be9b4205572547758db3

SHA512
0f64f930c2e1ad6958939e6936f8ad44b183c2d86417ba7a14c5fd71afe4d0dc2562cab4366bd8557392344ec98083fcc35cff0403c71d92ac6e61c69c52b06a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
576612eed0fef4e788140bde1a8e9cf6

SHA1
c62e67d121921aa8593ffc8c6ae2a7296ba100d5

SHA256
5f3daa8fc390690310cedf0c8eaf9d8f3035da7d01d252873149fe417b75487f

SHA512
174733c80ba788f064232d16ef811c1c5a14e7ee85db8ec6948279841477a1e468c0b6843a1be22679c16d47449d59b8500dda0721a5cebfb345f950a255e5fb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
82b469101c10beb7a678151a021e1b8d

SHA1
3787426331da08aed98586fd38b7329c9a8a763f

SHA256
172a6caeb7a88fdb64a7710276bfb006aa8a9cab408ccda88e06f47849f28e30

SHA512
56df155701911b9d33a81e847b5dcf54386088da287367e581fb502c3caf7b88a188db83cfbd3035150d9337afdcbb542b79f07df0a063b3f32d9f029ac771ce

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
eb050746532b8897d9b96277033491bc

SHA1
d093eb5d880ebb5942f3b6948f991b6902c2b522

SHA256
6e24b27f5039d62d0f263f8c39bef49a06ab1ab2e4b4454873832da747a1eb30

SHA512
e283dcf5a63f9d0a679ba43fb469ed1f5878747d7d7d200865fb874fb4858e1dee494402f66426cebd32e7dad371acf74c18e950f573a4f4ccd5c5c827d5109a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e95c74e2b4280b746b4013f22c0b9543

SHA1
d99501eb73b10baa5183be96210bda5162a0b85b

SHA256
f86660eb741729a5d17c78c6864c7a5d7a0ae6390b8bf2e1c2357fc231d2fdf3

SHA512
95c1b86d47bd8f565d33459e412acc756a736e14f6003a065314efeb0f6164eb811b274da3c9fc75c53ba60774eb1311277dd240f3fe01b99a19c657dabf5eac

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3f65462a51bf7f669bede7f3292336a5

SHA1
f5ae5dba27ff540788db75fe014654fbfceb9281

SHA256
55dabac0e324144b7e934f782b5fa7d8d14a089ab3ee8ffa25057c4549c34a84

SHA512
3efaac193a56ca09e6de6ef3fefbca30b950bb3414562628ad4107d3259142f94a7129f74c6d67d785fb22952e2af09d1463d88d866d7037c3fbeb70de9c064e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3f2be26e1c17a853cab77653ed7d442f

SHA1
4e896ed920f87d3df2e2d6ba7e8ee1b4f6feb3fe

SHA256
3d23c3c01e4a618e21967e6ae7ff9dad6e9fe69751487d94d9105eaa8f5f73c6

SHA512
c9cc14917688e0fe8c14e647632a33c13d7c4e3727f8f79ba0edf64046d67fa6b5c276a215bb4e18309496e2d4462c6a5938cc447c65960f8cf8e10579d00e5b

Download Submit
memory/376-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/376-51-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/376-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/376-64-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/376-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1304-594-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1304-370-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1412-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1412-254-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1412-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1656-304-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1656-429-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1808-432-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1808-602-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1952-399-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1952-288-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2104-242-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2104-361-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2104-249-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2104-243-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2160-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2160-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2288-24-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2288-1-0x0000000002160000-0x00000000021C7000-memory.dmp

Filesize
412KB

Download
memory/2288-6-0x0000000002160000-0x00000000021C7000-memory.dmp

Filesize
412KB

Download
memory/2288-0-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2868-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2868-598-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2996-350-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/2996-593-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3076-268-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3076-387-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3152-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3152-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3152-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3152-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3452-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3452-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3944-411-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3944-294-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4084-66-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/4084-67-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4084-73-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4084-237-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/4112-335-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/4112-540-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/4184-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4184-592-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4196-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4196-600-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4280-232-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4280-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4280-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4280-17-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4280-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4388-599-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4388-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4676-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4676-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4676-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5048-27-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/5048-36-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/5048-35-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5048-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download