31bd739e93a9725799f4f776b5b4e7ff2acbdf96b0f88f9939ee5f84ede81db4

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe
Size

1.3MB
MD5

a43a9fd03ba2d538fb82950692bc4323
SHA1

15f03611adebc267fa39fc3a06ec0479634daebd
SHA256

31bd739e93a9725799f4f776b5b4e7ff2acbdf96b0f88f9939ee5f84ede81db4
SHA512

f06808994a7f8eceb317faad2d79a11f7d6567d283ff02452f03dd8ce9b3b15e1ea9dc1e1ec454bf2d6f1afb4ac0059b35554c2596c575b261f42ae0644262d6
SSDEEP

12288:CvXk116EGpCR2rxWpsiZiGo5ffsVcIhP4aF9eUnkBXNBRU:uk11NIfQin5nsVcIhPF/vqs

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
920	alg.exe
4836	DiagnosticsHub.StandardCollector.Service.exe
3624	fxssvc.exe
100	elevation_service.exe
1492	elevation_service.exe
1008	maintenanceservice.exe
2760	OSE.EXE
1352	msdtc.exe
2964	PerceptionSimulationService.exe
3664	perfhost.exe
1488	locator.exe
3176	SensorDataService.exe
4016	snmptrap.exe
712	spectrum.exe
2784	ssh-agent.exe
3512	TieringEngineService.exe
456	AgentService.exe
2412	vds.exe
3692	vssvc.exe
60	wbengine.exe
3472	WmiApSrv.exe
4768	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ffd95c9a253fadf5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a83d00df00c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0771adf00c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ff9dddf00c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000606507df00c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a3d1fdf00c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000531518df00c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000732569df00c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4836	DiagnosticsHub.StandardCollector.Service.exe
4836	DiagnosticsHub.StandardCollector.Service.exe
4836	DiagnosticsHub.StandardCollector.Service.exe
4836	DiagnosticsHub.StandardCollector.Service.exe
4836	DiagnosticsHub.StandardCollector.Service.exe
4836	DiagnosticsHub.StandardCollector.Service.exe
100	elevation_service.exe
100	elevation_service.exe
100	elevation_service.exe
100	elevation_service.exe
100	elevation_service.exe
100	elevation_service.exe
100	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	804	2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe
Token: SeAuditPrivilege	3624	fxssvc.exe
Token: SeDebugPrivilege	4836	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	100	elevation_service.exe
Token: SeRestorePrivilege	3512	TieringEngineService.exe
Token: SeManageVolumePrivilege	3512	TieringEngineService.exe
Token: SeBackupPrivilege	3692	vssvc.exe
Token: SeRestorePrivilege	3692	vssvc.exe
Token: SeAuditPrivilege	3692	vssvc.exe
Token: SeBackupPrivilege	60	wbengine.exe
Token: SeRestorePrivilege	60	wbengine.exe
Token: SeSecurityPrivilege	60	wbengine.exe
Token: 33	4768	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4768	SearchIndexer.exe
Token: SeDebugPrivilege	100	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3864	4768	SearchIndexer.exe	127
PID 4768 wrote to memory of 3864	4768	SearchIndexer.exe	127
PID 4768 wrote to memory of 1956	4768	SearchIndexer.exe	128
PID 4768 wrote to memory of 1956	4768	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_a43a9fd03ba2d538fb82950692bc4323_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4532

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1352

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3176

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:712

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:928

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3864
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
86cd6d275a2beb8078f54394f764f475

SHA1
031dfe98ec5af7e61a74d4bf0227533a4b600f63

SHA256
c9b6bdedf2ebad3af9b10f125224b3e9271c9a754af57be4c64c2697b5d95362

SHA512
c3d2242ac73aa5683408f0e13aab6c22503b9dbb8e5bcc07de8f272702dc3da3c73b49f17af4cfd8aee8fc994b13da4f257213bea6f1590ec2bf0c309acf92fd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f113312cae41267d9771d11903072866

SHA1
0a7ad6a546afefd5bb2c62cdbaf14f99dbc2d5d0

SHA256
41cbc4a0e6bf2628dbfcf0af87837d36995fb2822c932decd18dedbe7d43e27e

SHA512
bdb64f6587f19922510b4b6d5c7ffe6a7480f85dd7415c0ccda8832364bc6f9bbbeb958a1f4db6f0360ee48d07a725fd0161990d62188bc9161ae087a1b0ea7e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
eba723d02a08f7ebdf9e5e5447f14bb4

SHA1
03d26fe2b16b47501d4766a5f413f390243155ff

SHA256
922aa5b1c6810837a60576c5dc8f210a9112735d87af0fd0c083003cfa59e372

SHA512
c6cfc680bb68fbb69be4f0b18a73abb51af699d523736efbcc1d9c619f113f66131841d14e9f0e2239035f6c03de980b65c20512297c8e4ab5945fa9031cfd32

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
84289fc43e291c5c6b1d17a6f6d5e0af

SHA1
5bd47bac710d9726998cd49499549374a47292ac

SHA256
16ddc6e7040507b0ba92c4883e6799a55fa55549930806d373fdd7ab8cc2b95e

SHA512
d92e95f60514c8567fc7b18060d1dada01f5f1d544c3a46f28fd3ad3b129ee9de8f2b579cf6874f45b7a71ed41bba8f6ed42aa413410603ecf695dcbe72c5c19

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
be305eb31185ef92116f133ccb30c860

SHA1
da1b2d794b7e9627b2431929f9c46df1a9ed171b

SHA256
69c101d86f8ee2b2c117398f57734abbc62541c2ceb2595cb33dbddb1e7cd3de

SHA512
f30b336e2e8e425e1e4593083d4d7c8aa233468593b9c3bb0dc74def1d235e03d2d3776a5d9b961beba28d206b5d27a63a0ce18e62b111d624f692b68fd204d9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0290d37cbc67d10c88cbb00093d6e568

SHA1
9bfb52e72f83f5a28a4ffa224ccbad96105dd26a

SHA256
499a8b8aa1097d981b679a0211705078b4e4e400b75230620fee2523ac61723c

SHA512
64d264f7e8e8c02d9a9215e7d61d13ea1e6e032e850309977ac544fc2a5f5d445b254d73eeaaa44499d29167b13049ca7e119e4af5feeb315401e8abbace8e95

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f58d932593594c59a1238a6c9dc66807

SHA1
276e77454512c1b2f6819454463cd9b47a1a4ba3

SHA256
9542a340114aafe3fd9ce125bef62a79f59bac6ab33b3549da7e5daa601570fb

SHA512
718e8c8e217275d2192c7f6fff52c5b473103a3aa43958dff308a0f7a9c4a15fc99955a09639aa532f05e008130db9d02a47bcd6627025954e0a8b9d47dbb8f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1d6b888e4894a588516634b6d27e841e

SHA1
49896b10b2979ea197fab042fa844f54257d18ff

SHA256
6cafff5a2b921bb2fa92a3cd6defbf75a8fcf9439548803507a8d15fb8feed8f

SHA512
b404273728ed6cf50f3baeb4ed415a3d8881ecd00fb27dd98824859c580e93a21aec9c4984ad438df49dc0ec3e0996d2496fc41974ce7d4bfd48b5a2e661a31e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
0c0afdd9ba0a09dde5aa4c09b0182f6f

SHA1
4ac219b0bfed4b3f0230372044abeb717ef93497

SHA256
78c9e477a582ca4e6215c0adf6544d624ee2a39043529fafeff494981ce5108a

SHA512
266eaf7105bb1ed2999be3c4f372fe20a8253bb47b3b446444b2d5a9769ae5cbb50cf8c07a9fc5627b9a6bd0a592167e4ac9477d86c3c5b821bbc6ec6504bc9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6df0378ba6df088e72fbdd049c8ff82d

SHA1
6fee79143404bb2a89cc0808e1e1259eab717e1e

SHA256
f12fc91069705320a0dc3e21a4c5c31cb7adaeeeed64b27ad2230f1de17c80ee

SHA512
3f434f6790f170c586e85db8b4d6c8cefc4ff6919074cccbe57d5d06b2a0fc67242cd6e7bacccaf476cdfca3a2b883aa8c869cb3ad3c5ffd25ee8bbb19e0fdeb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dd82cb6377182b5004fac5e2a7546b0e

SHA1
8f4989e48c11a1c1971fbc5c0f26c86647911237

SHA256
ce404e858534707d459fb64e539ae48e66fd03d922e2402dec9fc03dd6e17de2

SHA512
579936c3589802de74236e6367248f5c77c9cb640f106827adb0e935246df4a37e05ec3902d7c8eceb818a3799f3e94d5c4addcc0c8abd830ac3ac5d53d5967a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4abe90f8da9dee8efd82f5142f30b9a1

SHA1
48dca13186257a1657337f999ee2f9602576821e

SHA256
795990795031c6fae828f6e0ad99af0b5379ec3e042e8df0821d9b4612574b44

SHA512
fe8d73dcd0e6882f356a922294d0c51b207f8ccb476f8e8132a9ea6187502bb5e27ec744e56e0e6db6712e9585446eeae0466aacd9032832518d42ea04546ea7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
845e22fec429038e74cdd8f1f4bf7be1

SHA1
306499567ee71482fed3c56451c798ee2109193e

SHA256
0fdf739cfaa6e25630faa082f54faa74abf5a715c4d6b7766fbd9ff86920d683

SHA512
8ce3247a8ca923f24904f797b240fe2497e52248ca763833338af31d36b77b12d8ff1b633bacca97bdd5f80e1450b6eb61c6b191c7704805e13722d76a3cc510

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
1a91426eacbe5b5ed7610e9d647c79ae

SHA1
19cf0797aef0ca11aae26f7170d85656974ac62b

SHA256
6c87bb906ffb9fa04cd275eacbe526d22bf2f869a4d817a48bc968a7d8c50780

SHA512
f9925a5eb37651d60e163aa6a4e92ea0016d30ec5462fe021372f8c9a98c0f4474a95e2a26425e2ffe36533c9d5adc5e9a9f2bc2a30f261a473d8f4412b9bedc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
197c237049802e8e249e09dddb213a12

SHA1
0cc81373c664595b825266b6f161d512c83b5d29

SHA256
efce0219b389cc4d7859a47598b2c9a576b95ddfbeedc80846ff6b7559957579

SHA512
2d52f42642435733f3dcc34bc788111e4ebe3fbf3396b9d773b27e05bf00a1f7c0b2116b0771b65d3922c36aaf37b17ce5642dbe695aaeeb7e22d47d3b815c71

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1f4ad081b3dbc89dab3f9c61202b4420

SHA1
1c1bd0362d4152f58214c4127d5db8e5caba0f66

SHA256
653db906665ee342b36be04042d04628eb9307ba5fbe2d9ed069e003059c2795

SHA512
bccfacb4215ba98b5afbf8bf5761d7c9445808b01f469207d44a901e72fd0bc7dd6928690037ae7b1591b5f16ddf63cad7e1c34a982a57d65d104c8216758b70

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3be98d93c2af5055a64c4e12460b92b2

SHA1
c1439e71fcc6c8b3412bcfa0d0060f349a65665a

SHA256
fe3af695feed56084ed39bc19e3e2aa59443d6867df81f168dada951e414a2fb

SHA512
96928bbd5a14b77daea9cfd1f6679d050b72d10408915a53a2ac71e4d9ac24fe2cb4b7622fb2011aa4e83960f7b073aadcaef2da5c7e4dbb64c69e22fc36f8eb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3ad137a817a7bdd690f7b09753bfc8ee

SHA1
c985a68369342214427fcb912270a51f781beb3c

SHA256
0458c06957514652d8f9faebc199179668abdb8f3eae64df6714758e8086bafa

SHA512
13ced47c887682e2bbb39925c4fa3bda3f99d1f0637da322d9e48eafad08c50e9eadddd145c682c427b8fbe88f23f8ca9b5b9205e25da1a517b9ba0a21a6a760

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b05b158c2a5544f2aaf2f9d772c58181

SHA1
31f2c6c2cbeef351dfaa1052ab292e84bb8b80ca

SHA256
a33a36c5e21de214fd213ce7bfdac76c21fb8cef1c13a615068af6ae22f2ee55

SHA512
b3b5fb50765c189962e8b91969a8732fb663956c399b191e70297555c61f29ffc5d84a9f81fcd13dab0c1578ae6e254b72c703421f57768df189167ca24b68c6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d408afc8dd04aea84f318e1a393ae654

SHA1
7ad1c52f6c10a941537495a28c21f11ca76f6946

SHA256
5514042e56313c6d461bfca3a70ce332b8f2b935d1076e0736f59811d3a0ee64

SHA512
3dfc94bcb37cf47eed778a1f87d799b1d89d24377fd36066e98b67d624ca076c7ec7d8a4bbf2d42809cb8626ed16caf64b849220e022b082de8708b7e32c3011

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
be66ed361378c6426fd66c235274fa93

SHA1
4563a261749a0a5dfad8a9d895f40a41e09d9d92

SHA256
dfbf8f50389aaca5737987c278fec9c70f70018554c9dbdb0ac68ad44b5a264c

SHA512
e035c3cb344e97960b3de7f71ef8b6c03b1125843e071aedf9f6c4f059ca675aa47307fe6875c0ed2d29f3675a78f7b0fe8e833ef7b53054eb363e0aecbebec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
4e4dfb087c39f61b765c41234f98be9b

SHA1
3636ae640569e64c4421463b47232314b4fef83f

SHA256
894524259cd040d86257394964df5b498f5d13dcc8222abe28d123d275c2416d

SHA512
6e667a33ed4f389eb4d8f9d53fe102a96b05f045ea4c612c7a3d1876c533f857cd7d39cf673741aed31eb17d0fe3b9a81f42f755f92bf6fd40a8fa40c4f2bef0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
d986325ab3356c3d09ca138c1fa2d716

SHA1
9ca83ef7ecc9feeef6c8197e11e04b8cb8a73091

SHA256
474fd4f733e75438e8b039bcf355e09d7d5cd8b882e1d3364c418fd6351b560d

SHA512
0cfdde0f49d4d0be9ef51c0732f3f30153e2e67b6c147bf86d09dedd7340f0f981975edb378831182fbcf8f063b624c4761339cadaa3190b351606731cfef0f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f8a53dc496c776bf4b45fa4fc4a45ee0

SHA1
87f5d072a1bbadb6aa9e5ca241c35b70e6444cd5

SHA256
a72cd907a3d73d88ee1c01dff98030c941c91d3a02db033378d9bb6f130311be

SHA512
b58c08e474eae002a244ae84afab7ee766abb1d700b2fd7229b87e08b16eeead5ecb0436cf22bf4f453fbdf9ee127965d0a114206b061a3ad03c293f2a9c6956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4f2f68c9705e198409072866ad25d809

SHA1
a21636ac4fadd34aa8414d657c6cc690bc0e1adf

SHA256
14e4c55454a955c792acffe21f82a565b0fd3c27df62fc14440be763a1193c5e

SHA512
0eb4ded17fcb438372aafbac528834eeaa0634f4071ade2f750e1e12146e8065e7c410a34cdc482860a792e9623255ef1a963cf8a345e16f60dae3d078d9acb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c3e71c3945827170ca00aad64085afee

SHA1
29ad9dce61fae71c03c32e9291ea47f0d4f4b343

SHA256
90bce58e813ff6a5b54223b6a1fb70cc52e7c4e81d033b997c2fae3364cf92f2

SHA512
1e5bc44d604fb03688cd6b00d46bcf2c2da84ce2cb3c22f94b2b396d24ce3dadc50f5b834fd3676567219643ff94f85fb2516a3446762a1325774fe82143ed30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
400abae5f5b5a24a31c5b288667b396e

SHA1
341e2ed97f97de4927fb5a35285942bd63c9cf8b

SHA256
f24477a79d9db456ef956002d2fcfcca46091044f7bb76d60f758cff027fd1c5

SHA512
c2b98e217adc46328adba69d4ff977c89ff092414193e376d4c17c14ca5841bc1cf685ef0bb14e4f03fa8905f591a9dea8b407409851631567492d0fa96fdf8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
a952a4c8b0cb1749f0cb998bd55e45db

SHA1
0c23b6a50b082655dab74ff278b3c8ee901ecc41

SHA256
90de0d371720e8e758fa52061aadf772e8ac02a5e11b4185a987789433caee64

SHA512
70c2fbb811f728752868f98a6ae94f2b47b7d04d3acc46b2d179a0db5b5e91a1fbe6841796313eca5249b6e9c1cada1d40eef706a5aa4dd8304552fde693bb9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
e593256f126fa5493d93a1e135c162c0

SHA1
1ad0d2c4a81fb1f0c3fde240e8bee09c835f9ba3

SHA256
acb5d3b12799d333efe8d2b8400cfbc26edc6fb9f625667e9192f06ad1c4dc90

SHA512
9b8d6f88cd8625dfe0e8fae3e70aa0de15224a41f2f14b38333e68583a97cd6c5811e290c369fb192a068e2bd0b72b820cec0d1bf86a8883a39a72b30514f097

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
cf803edcc91bb65ea13846ed5165a056

SHA1
c7c81beff7c38b9510a33a9895547ba965b588bd

SHA256
aafe3fa9e37a531c83a15824f5326249d059229f767b303958d4b35823e7c62e

SHA512
aecc9d1b1e2df081ebad675b617cc1d4b95ea40faa1c48414df70cbc1f1931b433c2f2094d86bc575032391275aebf04331c0076f150c45c4575be26f648803a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7c90686bf6ce2004283815bd774c0845

SHA1
b969589afa7377ccfe33eaf80338dcccc6241f46

SHA256
9628885d8da5514a01d6a9bb5805c78e766355110023839e77003612d78b9daf

SHA512
3d2aa60c8786581bd632e4110a46f295f5121e72b76db716f1a6048fe420408dcda17255b86ecf56011ae1bda15dc8d8fe6c089cb4b63ab276d64d3b3bf64842

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
2e09a4816f941787e3429a3ccfdd502f

SHA1
e35e35a50119c3ef8ce87d8bc877fbc440e68982

SHA256
2c0887bae6dc66cdcfa4ba7673f1ed0268a2504d3f9b4295fa62b5536541d851

SHA512
21d25e72f275f7a2cc332fbb4cee9da34568c62abd2e7e0750603c6112a7b5e743ee729f7d2de5cbc0a063ac874c82f259f1eeaed57bb254fa7d7cd3bf721d81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6f28599ece3354fdd3608faffd93b042

SHA1
a20a71a659eea5138a60da37a152fc34c2914c69

SHA256
e8b3fe96764928694aa436fb32b3cbb1379e8d0315207473b2f00ecf30738574

SHA512
bd5e83d787068d29a154b052785290db0e4885b24ed590b73fa0baeb42fc08f36ba990fc80d1047fbba4f82148a49214a58826ad712de96877ce1d2f2b1a57d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2912a8b348931b119feb83754905fb42

SHA1
8e18c806ce9e5ae4f41a642f66d89b855d235130

SHA256
1de531a2ea9e775b4e419682aea1acb24972a5fca7821483c8e66dea3e454189

SHA512
c65d5a1b9a1cbef6de6ef443726263ff6219ed57dba9a4e15f8db053a92bff16d55bf5d1f1eb716b96519073e64c98c7579ce3367e93e762edd52d9cea0f7210

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5b1fe68d4dbdb35a5e8f05dec7a341c3

SHA1
babd87f4a6d36d41fcdce9abe3462060ff349f79

SHA256
2ea43efa96073bd2b2fada5d1e8721926a5399e7cd372090bf6a0bd638fd3af0

SHA512
58ed790816f91cc65535eef0d11abf658cf43076997260c46703dcbceddfcbf4969cbd8f09eb2c7f196b98eb988b63ff05b42cf559438111dc8917e2003cadb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
37d1aeb55f5c4c8d68f83766f9ccf8a9

SHA1
b2accc235c7340ce781c0c50236ed5fe8a566653

SHA256
db41d7f4112c97141eb782e01f778212eea11caa435842ec3aabd86030d2d4ed

SHA512
a47c27bbd6afa896b60420aa14c0fd84bc82ff7f27254fb56e5e9c7f4d08984ee220b1ca3708fb0ec9ef5dbb24b5e78f554ff5c34ed870b0eb4d559207094c2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
a1980304f3816b6fba640dfce51b694e

SHA1
bf5a22b9407fbb7c7d999c20540b27d0f14c7a2a

SHA256
9d453a23526f0cc88d6f3ca3908eeefb801fb28a1d381e980cddb3eb93532443

SHA512
c95ca1e419598bafe3dcfee33b6d4fe3ae52f6a9a860ec6a5f2b5527eb939c0905615af1925a118a3790f1cafe4da387f09711c15e84aca6121a08c025fff0b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
b60cbd29e3de699104feebe4751a80ee

SHA1
25c268e6d0a536b5ba5c77ae624a0775a3fdb81f

SHA256
88694cb26adb48fcc28d9979ffc6687ee5d8d33e2c75de95aaaef70b8c68b36c

SHA512
3edb9da7d77fa97af6a8f830e906554a2c7ddd77dbef1fbb048066cd4f1b110f27863d576d5bc4caf7a4d94e842b4c05ac6b7908207503404f941a95c7f88d88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
98ed163fa62fc2cbb695172c3121086a

SHA1
77e7dbeb8c8b262c4ed3c26cee64eda19ea3bfb6

SHA256
16d0dcb2da07ecd80b3f37d6f19e64259e0b2942a7f0970abf4f3c4c4ff8d860

SHA512
440b82ef9451b98463eafdbb488c8acedb704ba084023cb7de02b13185bb2112f9d1e0a1d52948fd2e1195f17505fb60d8fc657911c4be9f02c8a04cc30fb533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
9e354157693a19dddcdacbe2f020deda

SHA1
f0ca4369403ddc3a577c2c74a471f0cd049f44c6

SHA256
dc2724e50741bdd93b9a3f570bee09dcf337e8fb2b844416a36cfe49c8951b4e

SHA512
c6c922d9005c8e434e59c0360ed4f052d22d6ec3c1c127cb0f34f9981d270689c431554fc44ddb39d90adcad7fdfffa2eef34e1812ad2144458f43550fcc973b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
560394b2bc0a528b9c02a24fa56bbf76

SHA1
9a259065ccdab7af443741ca602e66cdbd7c3440

SHA256
b13213a9bbba1f9068453c9238a046ea6a03cb0bc366243e96308d42251c421a

SHA512
d8c3c1f60b17272081afa9aa9e1b8f46053f4ba5b9c675ff92bc7600ced358deea27ac177278466c58455e0a054d7adf6ca6d6a571bc18e632b07658d7f3fc9a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
223b0ec01e8190b5d6ad0fcf175fe4dc

SHA1
80624b973b4802e87706e6e1095ac0c34e25e294

SHA256
413242ff57b2a088a2c08fabf69ab698b3e44f201229e5efbdc72e5fff8ef921

SHA512
cc9592f8d175587c709ce2801509a1582fcb87975fb39c5de0e672f88e6a135041985b32c36d401b8c8e177b892fb175ceafc2306e76a1c1c42f45d9cbcd3b30

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c834f2820b89e3d3c352e3881aadc7ba

SHA1
48ac9fd651ee58b1eab1070d524f600f6de3e287

SHA256
1e80b4c09853bde4d07e462676c511da70c1f72c6d585ee123960815a1b9a416

SHA512
c65b1e186d8b8ac7d20891c9a48b4d06fd8e1b1a6fa63b8e4ea231188325b83bffa25d9da4ef473632f35e715e94605d6fbf4961ed96afc1c11403dbc4b430ca

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
8ea70fa7aacd8908d0decfdeb6cee183

SHA1
4393f67c16b48286b41097d38e08972974a41356

SHA256
b04614706f462d2654635192574cdf6260dea0565ac27ee241e25fe0f220c3b4

SHA512
607620ef1b10d9d3d8d4999d82add198b83bc5b4a54694edc3a23bdf66cda0d46aba474db72e8f5286ec9b7c6789de28076a48d6462a3f0d301fb7dd02b445aa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a7ab350ffd3166ba3e252e57fbd95a55

SHA1
4f8197cf21be02ce32a5ebda01bc24a289b6571c

SHA256
49e1cd0b0db6d179dddb7af960c4a61c3cd1e9ae35f741f6f9fd2b87167df750

SHA512
0116fff7a76a0385b6cb95e4dfeffbaba1d9f5f42e5af589579cd954f005df98e593dd626e5292e573e805ed5a0dac08fae3622d2433cb562dcd8102b7327f08

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
00f7543c1cc5bda58a8610f69b2923c4

SHA1
13276452bfa37f15de416b4e197d6018438e4482

SHA256
dd2ce36ba03e0a18636c1b4df8d2fef94b0b85567c9c99c3b25d8f99adb44197

SHA512
26e2423d1e91c22fcc80b4a8c8c591b0c66a9f6fb7b5ba2847e1427d2f578a5f3717aa7c33ebdcdfa643895dc0100cfac1f7abbcec1236867489f57b5347072f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
111ea1f36d20e2c4e6b96c2ecf49d38b

SHA1
e6bd2ce80b038a1e9706b899f5ba9ee8d2c4b429

SHA256
4fc0800aefff255354f9e82202e52d5b8430961b4e45843970240c7f05dfa98a

SHA512
6e3153a3a49f912d2f5a6953accb8b17e5e0bcfa76dd4ae16de2049a76e266f354167f4569dcdfe24f3df33796f9ccf1031c81c3b5f0f550b24c9cfbbc667904

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9951684650f1d69fed807e4358bbcada

SHA1
93e3ea52aa9d452b75cfccecc5fe09a679adf02b

SHA256
2acdfddb67a7c81e164874bf9957a245c617e5a8d97a85197dce624d7f6a6271

SHA512
94cf41531978eec30c82a4a8b64261314fbf130584ff8679692d88cb7e68e6ee32e49d9487aaf85469716abf612724a797d6433bf3548d661f302ca07611814b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
24358c59369043346530746b4d6778e2

SHA1
3e8d018934046ff3bc0846ad3262f08e603a379a

SHA256
c5e2b2ebc31d5a95765fab2116b25db93d24a931316887b3414ea3c4d352c1db

SHA512
02050aae655223c9f7a5a604b67e579800a92b7d519032e17111f3ebf2c0325a0aaae8de4edbd6e1a4d32ea1cb502d838468643781e00094c51914f91ce6ddc7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
956bfed30f3453f5ae00167d40a0f3a6

SHA1
0c60d9ed1f26eff20a3cc55731f1dc04176fbfc1

SHA256
611652cee1cfc9a881d5c63dc9e5691fbdbcc53a66dc2493540629839bc05029

SHA512
6289a14e7c5aff95653cf48ed028c6e7e2ef13222dd0186df006eec71121ec32dd5ba5040b99fc09cb46619dd7283e7125120192761a342ce118925fa54ed535

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3ca6d0ed3d6f33a726fe199a5245c488

SHA1
0cc3e267ed3180f51faaf3eefc8cfd960f4353ad

SHA256
9d6801c6b94333e50f3cabcb2f06d022d67d785f16a5d2a9d67c3ae78513d7b7

SHA512
aa1e9db18d2d2ad8ef4fbba331e95c018271a9e0c627c9793ec1632caf771c9718a08e7e27d38970f5b1a4ca128f1bb4ffadbb08a69e1879aaccca285a72105f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b8d6289d214a48da0c0f1ce2f6c54f27

SHA1
54167353f01334c310765cd002329606ab88c1ff

SHA256
dc7ea7c4dcc5338dd5751250d5c3df63ccaeaf55bb72fccfbd65cab61bdc0f2a

SHA512
6cc74bc002b2cb2f9f50220b9638d87d1c5dc3b27341d5960c1eef637c321ee65e6f68b81f28dc962ec8bf4d680cd7cb09f21fba508b1039b8ae7499389017a1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cb0ab5e531212e9c21d582579383808a

SHA1
fffc94210fa2d699b983e2ee341206a56241ca0e

SHA256
e7dbc7dd19c4a6eca538fc490956d66aaa1c06cc69a005d4d01f960d2d6d8ac0

SHA512
0d21210ed970168d9c39e1688bb3c512ff0d82692cc553172b1d4bca337fdc86718b6858990dc7661730b55c39484e537faebb7c1f74ff243150c1cd0a53605f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ae8a3033f85f380ec00959482163108c

SHA1
9066eff03fa60774327b84ca31b7b52caad3e2cc

SHA256
6fe890f30751350beef5352bc9d2557c78d64eeeabee5de5d17b0122d3888e6a

SHA512
4d221fcae9902b1592988ba8758f303869868238de7ec5baadb000e30bb5c2f3e525d757d8060908e3568ac32fcc60e99b8af2ee0d3c19049065c8d4f0103d81

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
582f6a1fed3761cf8145b069e61646ab

SHA1
4be9fdef36d19b7b428099e4719913ce691d1c25

SHA256
f7006133ace73fac1d851dc4c75e4f94386a4f2a7b3d2dff406fa03496d9940f

SHA512
ec0a791a1cb0a1b89c23a44d9d2f09baa952ba1bcc3030c6016770e2c76e8062eb69d19662360b971ffdca65a3fb68189f7472481a8cce09eb1ae0f994bed01c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1772c1a1223608386def8b491091ae6e

SHA1
fcc5ab9598c9e5666c43bbfa36250feee188af5e

SHA256
404cdd03926999e3c7fd54c09f9d7f6e28738286acbfa1da76aa6a211bf27ddb

SHA512
a7ae4caee4fb391954ac5ce799233ba25cf0aec6dacbd90e2c7e654959f1da067085d7ef5ced7a7520d824dd92b9f4ffcc7620971ddb61c36f671b16787084ff

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f891984419530f2f517c654d9735485f

SHA1
f2be7d9b1c89d575a37f5418e8529e0b46712059

SHA256
f82872f1ef29a0c6cdcd4c18d7306d77ddff376b3246f94342583827ced30ac9

SHA512
3390b55f910455f154bd2c698d56fe3b2496b859c09db43a7899b56adbb24fe1e69da452c7b0aa1e264802beaf8fb01f8df98344a937ead1fd0883a32aaf87ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d2610ee7d029bbdf6504cb815e0d8db5

SHA1
1cb81697018729e64b991992bf539ca82fe61445

SHA256
247088e783ef6de5dc7c1ea2fca7ac6872cec122651c8d2735f691f96ef1df83

SHA512
9474064b52823d1be9feaefebc200fc5ffa7a4a4d2d85906748316df823260be6fc2755aefaf493318f4acf8e0ed8550bb6b5291b511d536ae2c8127d35e2221

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4fe2a846048a4cb2cbae43199eb54ecb

SHA1
2e5020e0760df2d0a0b27061039cfa7bdf5e5013

SHA256
6c53a8b064c241f784f8eb0e1b27a8ff2a242558b5f141aa25be247ab214c27b

SHA512
ca3919ce5feb753d351f0bb4b4422a99f01cb0098cf1b0db105fb131424dd8ac0569b2b5de0bddc772f2346963420950b11549ce45160f236b759b522c016774

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e454353785321f415d8e22ef42ee74bf

SHA1
5835093221703d36850367b913c128c61d3fc520

SHA256
8d560323aa08c81f1696e7d9c7950c9131f704f0cb460eb08e97178bd6acb29b

SHA512
6093746b87d7d6bcd63c8dd517ea01853aa287aa390a456bfe92553c77085d6b1ba0f5966c0165abdc5e67a017782b648942083f8f900f68430f4882d0d4c0eb

Download Submit
memory/60-504-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/60-327-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/100-243-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/100-41-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/100-43-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/100-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/456-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/712-495-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/712-289-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/804-6-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/804-30-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/804-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/804-1-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/920-240-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/920-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1008-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1008-66-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1008-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1008-81-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1008-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1352-318-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1352-251-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1488-330-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1488-279-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1492-244-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1492-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1492-55-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1492-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2412-502-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2412-319-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2760-76-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2760-78-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2760-70-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2760-245-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2784-301-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2784-497-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2964-255-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2964-263-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2964-261-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2964-322-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3176-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3176-496-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3176-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3472-506-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3472-331-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3512-498-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3512-312-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3624-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3624-34-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-326-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3664-270-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/3664-269-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3692-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3692-503-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4016-286-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4768-345-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4768-507-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4836-23-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4836-21-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4836-15-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download