5216f36047d10979c3262fef519857c42461071606ab9a680429fa52292f3a08

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exe
Size

1.3MB
MD5

7f012801af4f66f6a2510839b8a5cc4b
SHA1

11b90e2b08635c2609a37e14f78b11ba63f26727
SHA256

5216f36047d10979c3262fef519857c42461071606ab9a680429fa52292f3a08
SHA512

4cea4d0da9bf32968dda91d0d9073d5f504f1a6b1ff399733daa24d71b445a69d0c91354d32e745aa32acc6e122fed6e1a4776f03af746ca840dd58998672ee7
SSDEEP

12288:5vXk1Q+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:hk1pMdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3452	alg.exe
4404	elevation_service.exe
2244	elevation_service.exe
2208	maintenanceservice.exe
2972	OSE.EXE
3416	fxssvc.exe
1712	msdtc.exe
1964	PerceptionSimulationService.exe
3232	perfhost.exe
4776	locator.exe
2568	SensorDataService.exe
1384	snmptrap.exe
680	spectrum.exe
1228	ssh-agent.exe
3340	TieringEngineService.exe
4580	AgentService.exe
1736	vds.exe
1408	vssvc.exe
1664	wbengine.exe
4320	WmiApSrv.exe
2792	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

elevation_service.exe2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\95da9b22c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009aa728458babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f7f21458babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075c6ca458babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053092b458babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095dabe458babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c31a7c458babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9fb60468babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe
4404	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4608	2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exe
Token: SeDebugPrivilege	3452	alg.exe
Token: SeDebugPrivilege	3452	alg.exe
Token: SeDebugPrivilege	3452	alg.exe
Token: SeTakeOwnershipPrivilege	4404	elevation_service.exe
Token: SeAuditPrivilege	3416	fxssvc.exe
Token: SeRestorePrivilege	3340	TieringEngineService.exe
Token: SeManageVolumePrivilege	3340	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4580	AgentService.exe
Token: SeBackupPrivilege	1408	vssvc.exe
Token: SeRestorePrivilege	1408	vssvc.exe
Token: SeAuditPrivilege	1408	vssvc.exe
Token: SeBackupPrivilege	1664	wbengine.exe
Token: SeRestorePrivilege	1664	wbengine.exe
Token: SeSecurityPrivilege	1664	wbengine.exe
Token: 33	2792	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeDebugPrivilege	4404	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2792 wrote to memory of 4740	2792	SearchIndexer.exe	SearchProtocolHost.exe
PID 2792 wrote to memory of 4740	2792	SearchIndexer.exe	SearchProtocolHost.exe
PID 2792 wrote to memory of 3788	2792	SearchIndexer.exe	SearchFilterHost.exe
PID 2792 wrote to memory of 3788	2792	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_7f012801af4f66f6a2510839b8a5cc4b_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1712

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2568

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1268

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4740
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1f8df26c20599d17c97c1399289590ca

SHA1
357802943ecf6142225f941a87825e24d9320804

SHA256
36e9888c36942501ee85e42cae6876789979804eb24946e561a5a87ca5f5ddfd

SHA512
4c9132e2bb2e0c5386ea8462599726ff4a31ea03b8d0a887bcb392b25a509f235bfdb4f4418410a856cddef126b64a34574820dc6ed2b1cb055b0c9482031f54

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
07addaefcb34370709b24f3339ed99e8

SHA1
2a7bcf613967d015f6361f0e4a3157b0eed44fb3

SHA256
9e7a14bedf2c67d5e940bf3eaefebff7be18119c33392ae59d2b0f3f39749656

SHA512
75c37cd37fcb535c93a39e0688110e3f1d208aa3a26e14a978b7d1f45feb63321f024f1b6239c4f03593097a3955c666a41d861bc344988bbb439a48abef9c52

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1eaf19bd54c4d7830a0cd84c471fc55a

SHA1
c4f06b7b1291cf93d826a41617cb2ac7b228c731

SHA256
2b07f222d4c18a270500923f2c5fe477468943459d9dca06aaa070a53a22f7f8

SHA512
96f2182de2392dfb50d54f0161af14104d227c0de043fd8c19794450719eb9bbc04e963f65f526349e320b28930a092d543bdb0b82223e50dcf8f631d3abc688

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
29cc8742726513c757347e755104607f

SHA1
fa1a77879662f315cc5598fed2365011af11e651

SHA256
4cfd768d5c2b3880c08ee81b017252a83e05c756347fda3fd88e280608613b81

SHA512
32ff0d6d344da75fbf61eaed679c6ab89702938a03a88e0bfc366918597050d2cb91cd96153aa225d6298f8d9d521661fbfca7bee209e55fc0c3a7e843f4c3b1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c8d1a61af2e7c377c08ce70c0944b3d0

SHA1
45e5f4c960d89f2d29e1e34de54fec63631277e2

SHA256
34f35c9cd5b85e85106a54ca4cec4bb11a2168a52f9cdefa4ec5538182c280b1

SHA512
146b7ea83f0fd546b29c1fd41806be125f1ace9dd547b09fab95c7b08d6361f61dc7a357c21ccceeb0cb9beeae84268f5a5c24a3f0d0941c4d257edfa1545799

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
85fe5f44c562daaeabc5b8955fededc7

SHA1
2394c08d3a0c889c3effef7377269afb2dd65e70

SHA256
3d0632bc7f9abc70cb2e080abb983aadd76fe948141838f3710720c924548909

SHA512
c3131d98574327bdc8cbe51d027c81b05bab80c987258e56ec77b7c06e811a8facfd4fdfb963efc47629a1827ed6ae5d00679dc2d2f4ad70a0a9cd700f87ebab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2f070af97d3db1d2aa4e8e6375fb9410

SHA1
4d79c730296a80bdd130c759c2c2197b3db49c5a

SHA256
785e713487c0e3afed6c31ef10098710312251bba52d8487e4bbe4bb040bb147

SHA512
03c318e569465834d89a84d865c0dfb60789d45eb2978976294db0a921689c69f999b139b85be180258968cde78e9cb9588b4da1d31d3d35619f9d143fba498c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d4788e4b284aff464945b22f5a4ed380

SHA1
797405dba3c021d2bfbdc3fd78dfc4f6e0d56972

SHA256
a248eb69f4ed78c2a89b73ff53d92f1dcdc6b926f15dacc4dd5bd595c87a8a87

SHA512
9c9ef0debf4e9cc5678b48d012b02d28e3230e1b76be6d58a4368d76523ecf6817b5d535260cfe4b712e22280aa84fb90723d94ba5d46e7c76ecceb438996c27

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
94aee3b2f4740496c2b8414263c3cb94

SHA1
282dc9e6b751b1cfe4fe9f37e1f9255777f4ffbd

SHA256
cfc384a4dd24a8b431bf2fd498604e32cf865ed46b4119033481daca9febb07e

SHA512
25c9ae92efbe819adca43f0573855f276726749177e7d8ffc523f86599d282ffdac8fd1a8ba74470aa764923d1425d0d3dd5494ee9030d8ffbfc1be114581327

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1cbc0757bb87254c8d574ba66c3dead7

SHA1
beb7ea3ffcb516c4d682ffc686eb59a4c9f23794

SHA256
ad1ecc81f5293e93448e600afe4fd84535e246cf723a1385f856bae648474ccc

SHA512
78551c73d68b19b9b62223825f963014cc29180cdb70ee2a9eca8e23b667d31c756db1f16ca63e78068c015f962bbb2f18d2bdba1a0379ec0028730b469fe633

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9941bb91850d719dfb41ba41587d7a7d

SHA1
ee946d9894cc1b54c2f30683256f419891f5d521

SHA256
e938a14b20de0ef305c5d2be4e594dee0acc537987d856520ba72872561151bc

SHA512
2d8b0ee246d15f6cbae4557d568eb8f38ec7e5b769a03287a485eec2f5804cdee37c08fad11a7f52eaa237b5dc737c1468de3d1b7c36899939f1ca5a59a717f0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
822d748673b54f1c172881e3b346a319

SHA1
984a182f4a52c06aef4b6fa1e437c0e0e2b2ffac

SHA256
8aafcd63415a61fb4ec3de51aa4f943a5f57dc14b30e3b10ff36a80cd37b3d98

SHA512
4874eb868572c3af3e3f1f85c8735251865ed6e06f8b326ebf49f687e4799185a69414cd1c34b2e6736d4b54f13026e45c855b4d37404d24b2e23d5d9d1f2a97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b313977eb0d48b9db3c1ad316ec4044e

SHA1
62711cd52110e468ffb94fc6dd6ed14d07e0a48a

SHA256
e253f5162a962311b85fe491f32498812ff75840efb154ea110890b2c5a49f3a

SHA512
9d2013d41411111530604f6e83db89535e2bf63480f608e6f6fd3a8e57c79a856c26f58836e552d041d336db3e3d5506144ebcb1ee22be92bac7665cc916107d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
481ac7adac3c23162be1818650da51de

SHA1
6b16721a06ee230a5643883ef14dabeff20693e6

SHA256
e36da49750f34cdebd66010bf143015437121b71f0178fea2b24519149b37530

SHA512
9aeb21d72612510d0bfdf47ae8e8fc488690da66000a7ac9bcb95943e26b60b88124d7e3b6971a42b4ecf5c31e2942602db422eb43ea434d2325e4bb6c5482ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1a6d89b1785eee7d0535c507b9874705

SHA1
6162d00e646373a8914e6ab036ced9061e4669e0

SHA256
c0134a1ca84273be46ad3e43ec9b5fade60e0bfeb445d31fa69f23ef289fb608

SHA512
788537d5513afb962d770763f7eed2af84800a49e6b0c379e9c1525265fb3100d861317dfb41026c42d2ac1bda0031734ed64f9b333083a3c91b7b1643ad7dfb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4961a7d279c793322ed369654a476176

SHA1
c563258167ba14d58c094fe2f649f81332f7511a

SHA256
27b9c7f28ddfee6e636cf56f59e7b60a9dccb3e449080f27363e903b93b5b51c

SHA512
2d79e5487641bb98e178e5aa33b515936d0c05a2e958d1d433c4d95c4dccc50b3713ae3f70fd4d6a220c3bf75cfad27fbe81ee57bf56f04ad3517e40eaf721ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d9654c779abc9e2f73c1c98a8614c3a4

SHA1
f610cd5efd72919143bd5b4852ac4b9ed4940c2f

SHA256
22d7e0a12e35fc7ce598502de904d83420b0471fe0ba8fc079c707f4e468088d

SHA512
df01a3861b2febd68138398dd79eba8c1368e3ba470919341145806f4b342396a947e60b7dcc3894d615c40e7bfafe05b422a7eb388a0d4149842c4be7dbfb29

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7131a74f6777e08d682629adc2ac3ddc

SHA1
af9cd21a816477ddd14c6f0f4bcd4de8e9554d05

SHA256
f8b368fa64a430de42c016190211140c0e6546b6b3da43f28246ae50542cd04a

SHA512
9af5f4e11a58fbecb14a8d6f979935d6272d4c9857f7347670e4c31f439acc8428c4e652f58a2a5d59cdc841ef88c29a1352ca3b767721fd0d3cdb4bdd98fd71

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0e164e70392576990e65cdf86eacd076

SHA1
38a5e57dcfff735c10c0a43b89964eceb2d8ee26

SHA256
af521e55c5fbae56e4778808b10b79dbf301c84aef2f5efe7bcf527a081d7505

SHA512
87f8cceb93a9976f0bf94899ed3f9777811d2a00ed31ed9ae0ecf1fce6d5b54b0b2ff13f5bc16a344e96340e4b04c0cf13909f1e9725045c00289af3f76ec3ab

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9d6436b1746236c88b3d45811f1b6e09

SHA1
dc51291f4bf0e585d1cbbc8dbe7625640250bc51

SHA256
71563c126ce842a8899e5be4637e01348b0582c7369e20fbdde8920aac7fd77f

SHA512
f5baca0d3bef559e85fdfc42cb546a6d5a301fe085414238d8ae705a9a357ff33cf83eb4f629342ce40d9e037d46046f600fab7b9b845748eeb6614d282ac4e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7aaf892d7f987c864cfb7fe306c03759

SHA1
5f440697127b230a0a8965e25491c85776adca34

SHA256
39c5f42d7c7fd9ed2da93d29cc3194155071288fa306336a8fdad586b6cc2fec

SHA512
9262565bef438bf1b2cfba33bcf27ff7dbb33d2a2c7fd3226a6e07b832b7a81367d1ad754f2f940821cc8082e275eb0de9a1560e6b79120652275183e62526fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
8921d75a2d07cde6f1990c0e0901ea2b

SHA1
f9926e45d0b718c91d352c96bb22ef0f556424a3

SHA256
a45939cf5d5403047c1196d9bc95f15e08f85d11f0fd4226618f3e5fd4e190da

SHA512
15f5db336f602768edea36079fd73056e3ec925355608a698795354e9e34ff75359a1806eb11a21d52feca64297fbdd8b01d6d0aca4e3ca16482a2c60f576049

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
4e5aeac7b73cccb9c1076295d287807c

SHA1
f8952102b3c13f9f8644d08daff2c0c3859c439a

SHA256
687c1724bfa1005b9849861b86544089a3eab222521abf8283127e554efd7f2e

SHA512
2d2702c230e66e32da34869c5c897aa49f19394bfe056e118f4e9ea8d6323ab44ee2705c143a0b37071f92eb2b8fa828c8caba9e8a7428014a7b7eeacd6c9aaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ebb69114f2611d08c3560447a7bb9c8b

SHA1
bd6409bb3bfba5af33f01ab3d7865c6a6830f9b2

SHA256
6523978a07646b43b00e87a0d1e5d9608aac7a323cb9f339191bb59359023a90

SHA512
0aef47ea60a58f11badd1ba6afe3b131a6075a04d2f5b95aaa499a88c9952fd27bb2ee98a097018562ea42b9009bdc2b21350c3dabba4c8343c8d51b6a5040c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b212da11986e7a4f022da9bd3b45b8d2

SHA1
8b25986b1e1224057ac2f4a374279f08ca08d79d

SHA256
978fe8a05ba1071630e7e949a70ed05e99cecb11ae8de3dd83faa95abe9e73fe

SHA512
ec011cfae83669d1196416aaa96c5bb9a50cf4a2613dbbaa969130fde0c2bcf02ad15b97739e1fec3d9fd650dd7d5ae7390289a99b102f06589a8594ac363f70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
56377f95638483ad80897a17494181a5

SHA1
2dca306032cb57cba56abb5862e1c8bba81fd919

SHA256
ef1215b569c6ab30ce1b9e26096276aa249d1a86c2c2e7d85f07b6637457344c

SHA512
8c7122239d3d6c838b44c3c285cf8658a1088448f6e9267cd2999fdb499456baffcce3a942102285839cd489c74c69302b2fe00982ae26719c26308eb1548b11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2221a8949dad4ffdd846716246e58eff

SHA1
d66757ab4b7db78b104e2a24d45c3429f432d640

SHA256
157b4b2abc02ac0c791dff16e3b0725efde5115049879c89dfdfa3c87d5753ee

SHA512
a2cc4349f4d0cbe01fee93150e0e53e7477aeb5af62558e59d2e1aa962870f39ec9a267983b98b00b81dfc121aec89b090eaf9002c298f3267a345f07c387ec1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
d35fcb6a407b214117dd9bdce314f4fb

SHA1
031da08e5d313abbb26e5b2b5ae8ec507ce6c028

SHA256
c8cfeb37c4251dd70b3be13c6bf3257e3a909f850b1140aab74f59981f9e89b0

SHA512
3dd8db089ab3ef5b75b81878451bb8f0dec377f98a0d64018cea60325d45338ec1db96f9df589fad076c5a95b3f8250fdd7820e64f96abea143b88fb717d0263

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6d946e977708da671995bfc6a5940677

SHA1
f0df6aea53f3eb7a7170bee1578a0290c55bca9e

SHA256
f5854da877e39579f7887942b0fb34ed244d81b80e667a3400fd17788413812f

SHA512
b666036db0e2f1bdb761bd2bc20f98a1745f577dfb159e0ba61ce008ebe14e9882b46915fae8a4bf7c3de8227cad3e5eb28d5c4c3679e07f85323c77443746d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
041630a5343a8a91a5d49e7e45d3c9a6

SHA1
deab28556f8ac7f96679415ea1ea43b7d624799c

SHA256
b32cee49cf1e419e40aecf7b3432e2b48fdb86e4be00d59c943efbdc3bda67e7

SHA512
608e55945d40ba58552320bb7564658609fd0bcdd17bd5d373d071e04fd1dc0b388f83ba4fc217f518c446b18ad51d42653ead11bede1668a4ed1ee1c8ef4cb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1998268f845e487ca14eec6bffae1d4f

SHA1
c4ed1738eb62aa321ef87a90ce374bc4c100dd50

SHA256
7cbc91b75c86d765797c12d45e31655a2f2516862062b43248baa4285b25921a

SHA512
7b1884f91c31832571f423651564edd67abbbd03c189771e92a32c9555593af18d026b1ec4f0e63a64541fda2a0d083ea7e9b9deea5992f96c29ae2db6d9356e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7ba7c1ad70453022642830f454aff1ff

SHA1
08ba21e8dfd483780ad1ad64971123c9aa213106

SHA256
7012976de107eab03dc32a2d6a6cee87c404f0b8b4841ea449d222e18efb8984

SHA512
6528fd1ebc97fe4334553295089d60ca4f785d8917102013d4c91094123a7d8184c7630753feba1452e06b62496d55d119c09f80c704afd3d1ed38daaa5f455c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
42ba01beaceeb7a56dd599971debbf78

SHA1
710d013c1bb089b49dc2aff09ebe6e156176f592

SHA256
17a712db9e83601d1c772472c9661abf144719437ab5044b8aeca05b42d96637

SHA512
d8998cf08938c1d7708eeca66e86099a83a8b9a04dc20f38ee2ff7b82bfb8993359bb285971e5e5f01000a0c2ee2da3783e8970af8fdb8c97b8ebc52653ea934

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
aa45e834068b36abc166f79a950a9c69

SHA1
ee1e55a6fdb96fefbdb154b53581631e2afa99eb

SHA256
dc293df0426981e978712212ee8a0f9213d023e9e61ed9540e8f207cdcb51203

SHA512
e2df5f11ad6c0acd084477a35e06097bb3e132e12a567e1d009e1320b1d693b88b52503068e4b514be324ca891bd58243091e69115537b786659130d621f4c44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
7f17cd289aa28a00a243bc48e90a2e6f

SHA1
944951e15f93d435cb8d7bc2950deac07bf2bfd7

SHA256
9664d144204ca13ed7d807e16e6639f0ab1d7433aa60ee3593ab43a29e7207e8

SHA512
a49dfb3e385405dae980ee99102ff1c336ca0bf78d4289c797a89dbe22af3b330230b2f5933667c2c3de2adfed8955164f4b523eac47cf8ca1b8774f5bfc8598

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
0e26b4f446a765a3a9d666f05d6141a4

SHA1
280998dd4e7eef84e37778dc74a96313de3f68af

SHA256
520768210c1deae03da8791e49350fa7858ed7d8eb6c780ca2c75d3a4f1b1c46

SHA512
e996afa5523a0a58643641641d7051091373ca67d3df3976bfa03de6fea4616de5a2ddcc293ba4b98d945b7effb6defb6876ff7cc470bc755042fd942c8e291e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
ede391c1b6f60710067ef18873bb8298

SHA1
6608ae32e3d969606e2c7dd6e2b38119731c9ea7

SHA256
2e3d762c45581839826a5c3fdc68eaa505199847e0b3849b7e233b3c2c9a5f1f

SHA512
4824bbd342d72269d3056590fea2d023da399068394699cec156ee04db3cde0bd9191b83bfde2af849e990885e5c2a44e8198f743b77a345c232928ade3f8ac1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
1831e008819411c6cd6ec4a5b032db9f

SHA1
20acc62d6eb4ccadef30eeb6c9bf1f0479a461b1

SHA256
535bb0c9cfda8d13e7c7dfd8e0429397d63f752466e1b4d49512025fc2ac9be7

SHA512
015c9c2e0157dd5ca0fd5507419d292babb4c9558a311266f4cca2be2bd39226d7306c5b52b73016b3f76a98a051b39eb7271940db933f47e7f8da20bf6ac8d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
5cd3b35e9363e494080172a3bc9fc99a

SHA1
dd159af0730008106618570bccdb744976f143c9

SHA256
2647da6bbb647f1cb9ee95f45f8d98d7fc9b8202a1bdeb8820fed54e555292b1

SHA512
49a7d61bfb008b404bbe53613b6c276c131c9603571ae66671c6192a54516dfa1404d674012cbfbbefa0537b7568930c3ea20701d9658f93028ffcf55c54719a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
8b67a8c9edfa5c10c8264c8d3268cf3c

SHA1
77f7bfc3c330041bb75649ada436dc3e8bd4ea89

SHA256
0f89e3d4fdc64d9cde3075068e6f462ae57ba004b057ce05301d6465ded1d0fc

SHA512
941fbbfff277c939f53285a530b0d81caf031ae5b9721a52902f9333cd906047bd0a0ede842fea80825b732d392d40619e0f889fce05c6b8b60041bac18e33b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
b4be9b26a9d95e3fc2fa487b9340d58c

SHA1
6257d1b5bc2d5031c2cb4feedbdc234014338f10

SHA256
f0276f28e8338583487eb8a4e84d821bc4a83f05814be4751996b95e6dcf3c46

SHA512
e592d4eb5a5c2424c23f764ad0964ebb1d2dae321ae065ed86861721d3c97c643530087afb877572101c56c2ca21597e160b2b0a63a7a80cfab697acd55f85d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
d2a89d173895a0a63db26cefce95b2eb

SHA1
e9af379244d35e3099912283ec1914fb18963771

SHA256
11d0041fc6dc4b5cabcda4ba010b8821166711f392f65c856e9cb3653196d2f6

SHA512
ccfe8cdff62b35cdecab0870c20b5f4505ec7c3b175397dd371628e3bd59de8152a171ef356103ce318bbbed3df3cc38e724ac113a26461e0f8903dd8c75861c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c96d4c7dca7a737e56faa67e842c000e

SHA1
ae840f397f42d59436af8716c84b8af858992a02

SHA256
a7a776feee326dcf0d37600ee06e0afe3e9de4cb354acf719354e263f10614e4

SHA512
2808ad9c8b6ba637dfb8a66a7d80586a5b8fca58a9c23439a516657edd8c8b0e41c2d9ed3b6bc2380ab6b38716206f1e77ff6a5d7941d4f9335890287e879ceb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
edf726fc3d2fb90d3367b32f559ecd39

SHA1
6d6bdf6f1abbd95eabcdaf885762671968d5f426

SHA256
b61bf0cb1f8ab44a72b4eff47e0af4feed7c22a47fd503ca25bb50acf994e099

SHA512
14ed4a95f2c38704aea14da299381746d5d97c5d8126c48ea2070b07f7205b85c5fa72b25df0ac30b2f63c3f40ec096958403599cf4a51555e92ca95c0026d36

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f2ac8170f3a1ef8ffa9b2cf70f50fca9

SHA1
6f3c2bb028f304cff5a03ff8281275bd91dd85ea

SHA256
7dba5fcf80fc6764fa652052f78ebc04d9cf0bae2bf1d96b5c939733d874d2cf

SHA512
e8cdf567bfe44cb61268f17f5341363cd1d626710d4387fa498f4d032a73f3510c6f581b8e7e4c492d3f2d108d2bec611aded258d383637cd3f8176ba2afcb2e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
679cab5b781c56b573b494c88007935d

SHA1
d866e195c09da00932805bcf8b3c1320a491ceba

SHA256
2fb371461fce46c48e03a540ee4b30063cceae7a386eff2bc69a72e38c3ff982

SHA512
dad84997951631e53ff551fc353a2892b1b23732e0c6ce174c8fe1773617b576d1b52d4a39a18487e4918d57f425b398cab3e04283ef5f78ad386bffe03eca99

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3b7612e276ced8ad489323e2f6114781

SHA1
a85debda2e5ab79fe676c6bba52693a2c1219401

SHA256
59a80e5f3050caa415c3b299a608bb6b8aaa7f9bbea725807b613ace598a768b

SHA512
5f766fdf5f5c5c524404e4ca4095bf03c6f8d6db8bf57c82ea40536cc33c2660eeb7eae595283b64a5b0f48750207a1365fb4bdf60275ca65a42de0377de141e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0fb3a15115ea9cb557f45ff263ccf70c

SHA1
efcf65e2cc85db78c66c3791d15b05b2df66b341

SHA256
4fbc6d4a6ba587556d0ebb8530bd76c371412552d86c2607cbd8a5077ba0e6c4

SHA512
e3fec1e7b5fc6353a4b576545936f8cc0c1be502bd3d2961dae5e1e60eec61de5c4d9fc0d1493d391026228aee69683ed7101d08bbe1a97abf27413e33eebcf8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5f8919299d0d5aaa1b7020a97c1ea293

SHA1
7388240f1d5bc7c7740e653e0d0e5ac22a3dee6e

SHA256
dcbb7727fa7a6dc9453ab2b09afd3576e351680baa227e4c0c6beb67ca75d196

SHA512
b743d7c547397fdc025366ae8063f4502d1945c9ac1b8350e9a4814b570154638a9f3a0084e8c1b2ab160f3e9b120ff698b2042b6c28bb882f153b54e41cd1cd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cf124a1aecdf09057b6c2845e812fecc

SHA1
355c39f478bca7925b5ec6e86e00061ef344969f

SHA256
28f85ff185375cc6c68e181a3f569c23901241634b15e6e00427b3b8e80f80da

SHA512
aa5783de9b673e76cb79de6f4141ffc71c83479d66bca0025c0fbfad4f89b14fffcf943ee4cdc3f2a4e74316bffdb5544e46a3820d1e48e0d31b4108c64f4e29

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2f3f486847860f398477e5b45b1b91d2

SHA1
5e40d4a7aaffade316090ee57d21a1f7d5a8f4d0

SHA256
93759f9f9f85a0f8fca9ea6503996be80173e3c0d4df605c5bcfa2308989b255

SHA512
0d8eed7bd72233f30f4c79c72cc0fef670da41f52e8888939135b06af041bc6ecf5a8ffed747c901ecb2ecf140293e89bb05740118b923c546714273a67b0c50

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
585fe97b5dd891e1580ab0ee5c046267

SHA1
25aa0560a9110fc0c531024c7f223f7effacc13f

SHA256
02405f8443a5cd42bb60721b49af3bf4a8afc4150e3a0e1c783e2c19c25809b7

SHA512
228f80501322a8914db518b7ea380728b5c507abb5388150642f9b2763d569c7a7fc22acf19ca974dff0278d81459843fecfd857232f3a0370929152e7f362ed

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c23500c2ef6b056540925ebe461809b7

SHA1
8d43155bb29b5d0c1445d0dfe6a017379f1d942a

SHA256
85b6b7310f201af1dc20b3363aff3c95906e4a2fc41b9d252820a42e81ab9a38

SHA512
b6e6d50a70cb6a5c5fb6f885a3875adf8d9b1def5f189e2ab50765446a67411cc2001e1b5d638375ee7f56fd7e74a94d4066d780e496ed81007fa198a9ad8da9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
33ab2a7a604adb2585a5b58d0d3fc9fe

SHA1
b1e7fbcf0a6239a2e065afa01dd6b1a9f151ba43

SHA256
d8fd26fb0fafc496ca9e9e994d051247278e6bb4928cbee701c2daf0735a7f83

SHA512
4b22e683f863f312fd7ca0adfafe549e0845bd7ab8519bc9afd3511c36727960ce1d15fea76bfe5ae286f5be4c1c6a816e652e2d710568d8fcc939eecd23ffea

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fefecbbc575ee4a8c497545947ebd603

SHA1
e6cb4f349bc36fa3ea6e82d70f4be09459301d68

SHA256
fc7f5f92fb5bc6efd6215dd4b383a3a38326dbcdfdcbebb132c36619c619c861

SHA512
c38349824c05b61eaac0f1ff34a6fd4918190b39414cf3485e319613ffcb884023b5c6df803972c6f79ab3148f05ab4e1df3bbcbf86a3ca2023d388c613b31db

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
bc5d184a522b35270806ddccf82cf1f9

SHA1
a21dce312007417f7d2a56d0e7fd7954289c379f

SHA256
9c88458f4c58e524ce122ab2d54fe3864d08cbb66eac0563ccc3995239b2c881

SHA512
be4603f889a283529ca1402c46b59840297070169afc8c8ecd24ff94ebcc892faff613bc9a2806654631f41329aecefddf1d6b90035ee72e1c81d52a6820224f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
1d18bd4ada838d935798f10d65b1597d

SHA1
1324c32ee167dd8e1c613ef481b34f901b0d0d7b

SHA256
8ae27c3785a647f511830573e82c7b466fba6f0b56fce1e6fb4ad6572bf6d048

SHA512
49f9fe97d6e2b67d1690b3efc5ca7a2c6fcb67745af22084e020a2b35c031cce92c475c40746d8a94294f740a9308652abb366767fba881e485142b08e2e8a13

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0df9c7ec37c372a41df3b68ffab7847b

SHA1
33e3007383fb2a3c4c7b06375d5aeffe03a81ac3

SHA256
8da2e52b5b5b1c459315c396336d2dc9e4aac9c38c55788bf47729c8b91449b2

SHA512
4a88ea39ec51cec2bf0834a819b997d61ae707b4bd9efb5ee33ba9480f3dbaf2d8431ec2c26135148431643139990a392f7ca6dd2b6a5e6a0ed5d6756f271681

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
08c9431813b4e6967082209b732279ea

SHA1
84f8cc3aae2100a9332d9fac3e0b42e8ed55013d

SHA256
9616d998ee45dd52fcd3cd391f6272bedd7de34ab3dc8f39fcf442e4ea247b56

SHA512
98d6153fbb1c9df84c82f6da35fb2c0eca795b016f633e2d9ec2bd49ddfa37efd45aaef3a821106e768188c08f46d018eb0be3f9a8cc9c92514569633bbbe247

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
539a8da0a94c518958b7a226b57c12ac

SHA1
a81586023f7e71d7fb31ba1c1efec8588715c0ed

SHA256
6092c4886452eb71405f297031300a487e878d00c1e84333131750ed18d5aa42

SHA512
a229cb723a83bd5b806bd5354cc35f484b66f6dbf1b5c532a33531d412334c46e140a8bc1000314ad74f3749673f47cef3a4902b32b19cbe71df9de408a4d035

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
908c42443b1e9f0083756422ebaa48c8

SHA1
fd743de6ddfd4bea05debb460322b362cf3cf4e3

SHA256
81cb674f7e084024bb418f0f59bea1a86e222266cfe78777d398181b7b3137ae

SHA512
895b724077e01b10165911b9829a38d0de6a6e92731bd39e0f8ad141479b1a3816d00d6476ec38d716f9ef1b97e76ed3888f5799ad11917d5c4cff4e2e61023b

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ea7ceabde7bad32ca5f7ab81ae594974

SHA1
b2e8455538f78e3079021320351035048cf8e8e0

SHA256
a6bcf66c691977d5578fb24c4c9af0345b6e007d43fb41973405001022b97168

SHA512
3b6b4bc9c21bd06a4e4a29e9b09ba9fa23942a9e614e5c401c279f1f78cc9d35c61be5def9ff01cbd5f151ab18aee8eb37124ba3674e25a87bd2a88f0d7e01b3

Download Submit
memory/680-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/680-650-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1228-653-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1228-340-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1384-317-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1384-590-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1408-381-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1408-658-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1664-393-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1664-659-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1712-368-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1712-258-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1712-257-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1736-657-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1736-372-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1964-277-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1964-380-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2208-60-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2208-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2208-74-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2208-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2208-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2244-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2244-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2244-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2244-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2568-417-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2568-649-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2568-297-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2792-426-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2792-661-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2972-66-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2972-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2972-75-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3232-284-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3232-392-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3340-349-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3340-654-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3416-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3416-242-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3416-254-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3416-249-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3416-243-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3452-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3452-234-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3452-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3452-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4320-660-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4320-405-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4404-35-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4404-30-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4404-37-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4404-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4580-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4580-354-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4608-26-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/4608-6-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4608-1-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4608-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/4776-292-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4776-404-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download