5069dfa024ba207d5f80b58acdda81520a48493ab3f258270d847ec3a8d846bc

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exe
Size

677KB
MD5

4a2ee4eb41a42c39fd4cffed73d03941
SHA1

cf9338b766495f8a80cac0ed7c2377748fe12379
SHA256

5069dfa024ba207d5f80b58acdda81520a48493ab3f258270d847ec3a8d846bc
SHA512

41edeb7f88203e44d1ad32e049c9762a9a53974a61f396dc9bec907ebdbb26c981be2657a92684a9f409228836b1dbdaad965717be59882ca93db47e344bc756
SSDEEP

12288:tvXk1CLD7bHVKMQ4O4vSjNsyMLpRNO2FLzTGT/SRel8lkEoiqAj:Nk1CX7bHsMQ4/O6yMLprOInyT/Swl8Mg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3776	alg.exe
1076	DiagnosticsHub.StandardCollector.Service.exe
4236	elevation_service.exe
540	elevation_service.exe
4720	maintenanceservice.exe
2960	OSE.EXE
4392	fxssvc.exe
4492	msdtc.exe
2300	PerceptionSimulationService.exe
2352	perfhost.exe
1232	locator.exe
4300	SensorDataService.exe
3156	snmptrap.exe
1964	spectrum.exe
3512	ssh-agent.exe
4408	TieringEngineService.exe
64	AgentService.exe
2780	vds.exe
1124	vssvc.exe
3708	wbengine.exe
2860	WmiApSrv.exe
2876	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

elevation_service.exe2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\311be7bd85ca13a2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d04e260b6b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfc33b0b6b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ca2b80a6b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000264fb0a6b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d67bd0a6b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbbdb70b6b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
1076	DiagnosticsHub.StandardCollector.Service.exe
1076	DiagnosticsHub.StandardCollector.Service.exe
1076	DiagnosticsHub.StandardCollector.Service.exe
1076	DiagnosticsHub.StandardCollector.Service.exe
1076	DiagnosticsHub.StandardCollector.Service.exe
1076	DiagnosticsHub.StandardCollector.Service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe
4236	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4792	2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exe
Token: SeDebugPrivilege	1076	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4236	elevation_service.exe
Token: SeAuditPrivilege	4392	fxssvc.exe
Token: SeRestorePrivilege	4408	TieringEngineService.exe
Token: SeManageVolumePrivilege	4408	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	64	AgentService.exe
Token: SeBackupPrivilege	1124	vssvc.exe
Token: SeRestorePrivilege	1124	vssvc.exe
Token: SeAuditPrivilege	1124	vssvc.exe
Token: SeBackupPrivilege	3708	wbengine.exe
Token: SeRestorePrivilege	3708	wbengine.exe
Token: SeSecurityPrivilege	3708	wbengine.exe
Token: 33	2876	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2876	SearchIndexer.exe
Token: SeDebugPrivilege	4236	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2876 wrote to memory of 3524	2876	SearchIndexer.exe	SearchProtocolHost.exe
PID 2876 wrote to memory of 3524	2876	SearchIndexer.exe	SearchProtocolHost.exe
PID 2876 wrote to memory of 4980	2876	SearchIndexer.exe	SearchFilterHost.exe
PID 2876 wrote to memory of 4980	2876	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_4a2ee4eb41a42c39fd4cffed73d03941_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4100

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1964

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2364

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3524

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
3547cf070a9fccb396584a05cf87340c

SHA1
ca44b21e601116c073b8d58c55ddaaa86b1ba1ca

SHA256
4fe5571b9bf5c5ef11dd8f9c16440385b55d01ad40de84cbc417acd14ed5b109

SHA512
bdd54ae7793f8cec5304894914638bbc994b78fad561e2cd01815ea889eb6b265d1554bd09152f55dd3103f9f42a30a4e2fc61067ae25468ea6bcde6908e2fc4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
5becd651df1a60a97703bbd8a4d5fd8f

SHA1
342d8496add6448babdaf592cef8a4af37959cf6

SHA256
e356490d9f12fd244790c6aee4377d758405e1e6ed086a5d43a9895aaa87c650

SHA512
52c67e8a8c3c07093f025eea377b9c6f7dd1403d436f2a6e78b5ded8eb9413d92262ee3311b0b4141a8c36f64e28aea435c20c704a48769189b2b2abe96bf065

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
756cb12b98d15a4127ffe2eafa06b345

SHA1
4ed625fa2a34192594675c89c9a51c1a9c8e30ce

SHA256
9f55ce31a60540fd933b1b56255d638b4edf34312232a72590ba65911f561ad8

SHA512
8c1011d8a8e212c0ec409d2c5382a3eb4e99ed19d175efc9ecb42b3e367dcf338ca9acd4520aee4678b627c6c661b9b39ac1e0f29c6bb5260e631c7d54831970

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
68bba56c5ced72bb45451a98e4506169

SHA1
96cd6a9097b79e77b04a145adae3436dc0db8043

SHA256
0a61342e162eb975d89ccdc9e4c0a662a13bf7ee3d2e3a006d7afef0ad6cd6d7

SHA512
5eeec22550b747e759ca4f4f3885903bc1cfd683c7a01de1abefa22b333375f46802a5f97cbdbe94b0c3ce6fdd3ccb7a3977c6358877916518438db98b8ff306

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
009d4d00bddc3304439849f49b77d1b8

SHA1
78a5c7c460bdca9546148722ab4bd2e8e5bcaff5

SHA256
818d8777319696cf1322fc4a76413957d9b03ee000cf7b7dd3ebd9e0e8f0a1a9

SHA512
8d44d66fd80dcda4f62bee76ad721321f3efe0c02f2397022cf853694fcda56cb3d1113c2bec50ada392c7d18757b3c06156aad2e0662780bd1487285ac7f8e1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
41459941c3b2b957b369aa8eff727422

SHA1
c3304585c6c6ddb2a86359f3682b615c5afbfe91

SHA256
9926780889573d887bf0f0d40202fa744554a871a293736ee34e47a12823ea55

SHA512
16dc0925f69b19e1f39f843b38506511c4008caddf84b53da7d8dfa657b7362faf9dfd26239a68559fb1fb6b9ce0d29d80ea5b0f18874aad6d244d35829024f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
185d5b8e5c3e931e74f6cab07d239754

SHA1
ac26b959f38a15ec602778e4ae03b127f0a97f50

SHA256
30bc843276a666a10b81da8410f230bd0b239b268e81b3d711da3ee608381d00

SHA512
43987102bb5ebb91a939d648670351a6d968f54efdaef5171e4494e817d6d4504c0341e9bdf67eec51a0eb71a3ddf9d83d284c3530834f5f7c4b953f3c106d11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
6a233ea478f02585243d700df84390b6

SHA1
a2aa3b46adf851eb6319ea34e15487f7c567948b

SHA256
bd168e1eec907a5ed960eaa6d1570833d84f13f8918f1f93a11267b949d168d6

SHA512
ef561f674813a71b26d94bb5aace2cbacfeb43185878dea226eefd6cbb03f05f73df12f74e4650a432241ebc02e4122d941c1575d14b8a3bdf1189c9798eaa83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
acfca791b26a116322650eed569627ff

SHA1
b702a773ae47a1c54c4f99421adc945bfa84c1c3

SHA256
37afe1e262e4f069b1492f05189e88e7f763ff30c8b32bfc04aa845d2738ac4d

SHA512
1605d7fe8e228aaba92aaae0f59c6795290351edac724596c8ddd17b6dcec05da27926c94a219066a9d4a5b47ac85b944d66646da628acc3f92ec0a7b7cbe818

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
76eba0e59b26006c706465af348b96bc

SHA1
0e7744c76bfdc7a6d593c6a364e4591e335365a6

SHA256
ef1c3044c636b7f2bbdc33911cc75a21fdb0fe0e3620d7e704b52685ba3ede5f

SHA512
a1977423df5ec7f45cfa5d61be827b32eaa6abd65243c4af24fd89e41c640b574d116b61c011d785ae45cc683303743c6d546de5ec085bf8f7dc736b19eea2dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
00dc95120f60e5090589bd0d51db0829

SHA1
ef9cfdd676f5443226826e0fd44d8cf6e6d246fc

SHA256
3e1cef2105306e10dcc01e5b07cfb908e95e451e93f2d49ad9a4c35710ddff61

SHA512
f11c9ee01fbb8f7b00c6c7969ec5bb515264c4d9edc4bb938fc11995fb79fbc9a7cc388603e258b0e94db882141d4d0ee6a89d6373280929072965e25a4c9e33

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
d1485f4ded73ba5dec1a6d79e6669593

SHA1
fec0cc3394b84866e51c5a372bb90b299bd44136

SHA256
d100a33c84c5ac98b6510893fa890e6a68625923c37acdec1cfec13774118a74

SHA512
5834123b2bbb0fd751e554a39e7d04650efee496ed336e0c0ac2e51239ab7ff56e3574e5f112402e9f2ee0b11913b81df0a50dc43d16238eb7e42a65530f0c7b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
59a5530046a262242cf85255a642d1be

SHA1
b8d0fead168d636facce7b457968be096ae7e1c9

SHA256
6abac6b4d0648655171d23075c1e49b6cfebcca2ee5c9012e97406a584293317

SHA512
bead12ea477d3ea620f877f16ca44aa507745f5d225081d2da33e52a17804080c451a39bbf76dc5091c073849e4e2d8902a27cab4acf28cb4f809b4e93be5102

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
cfb2c277cd30c2e9eed5bb3ddb2de207

SHA1
3e116bd35134751b4fc19de0444050c3a18d3fe1

SHA256
dc2766dce4d59f57679550379242209b5ca07a13ac735d698b78b668547842b9

SHA512
2ab5880c396d7abf969856a13405397af6688090ca2eb8f7bf853291947918b2cdf2e1a5274d976a693c4c28448488e10cd63a89699071931d8f826076244ab4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
a0187ad00300613a60480e23d2b6aed7

SHA1
9f4b5f2bc8cbb80ff16fe71e46b445fa6d5741f6

SHA256
15b65c6a27e06573f9850903949b9381b77ac94f4a4df86e8720b87b92247778

SHA512
7b265fc9cd373683f1e1ab2528576ddb4d5eabfd17a44db1efc2e533339d5962454bf1e4fa2b8878996e9aac9f20db26d65c2ac4b09e7e828caefab5348e8b4b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
458addecc4c80d4e68de2cfb54cf50a1

SHA1
0692c0b01151019691ad622d41bf0fb80599bb35

SHA256
9c573076f1637d4f06b163745d08422b3af6cb9cb5076bb5e285f8c022b8fe24

SHA512
bdc94808d1430a5b6305bf92797ec60978d7b7c17cdacc57f9dfc97aae6564e907bad028bc6c0301d225c0244b375dbcf7bbb52d44850d2b8f92581d7514884a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
b07fd10565c087d88a8d55ad35bab9fe

SHA1
e3e17b04854a5ebf421a6fa75a833b4a23dc1511

SHA256
c8920207dea8dd7c0901c3f60487bd1625c2fda882a151d0ea7cf3bf57ec000e

SHA512
44e3a716c12b7d099a50dc37008a37050f07fe64301a57fcf81501c36b514d2042b2fc3ed31e9b02748b5220725cbc7e9b0559f8b5552bb43097826c7e10487d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
39d68c48b7c35b4c4463dac6f1c93762

SHA1
8a4e556d250f97cfda573d947b8701b6aa4a5536

SHA256
a72d46dc40e0df9ce5d7e585a6d963ee95bbb0687af91bd5d0394723ddca5913

SHA512
5195d3994b607041fc995a8a1f24f9c59302534b54d54425bfa0d6a6c82fec52a9a5b051472dcfae775b07ef40215c01ac02ef030b336f47ffad431e4c26fbf2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
cf1ace3940bc3d3794680a4a2158ed25

SHA1
51ddd0412d3244fd4a8bea99295ac386a163d081

SHA256
8e94c4404cb47204c45db1c863ea93ae7ffc2be5674f8d76bd41a9ad983492d8

SHA512
cce5d8907e24578f449a6926197b7d2554fcff16ea588daeac2958b0a6655783eb435098ffba77d11c503c5e05e08c7262036b2e35ca5485562963590304e1f2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
80cfbf7fc24bc9cc4d630ee280634de7

SHA1
88583235e1c1678fbe2ec9b0ab72ae06937c3407

SHA256
e7fbeded0e66c44bd9f51420e2d7e150897770dfdcf1032da77622053e9ca617

SHA512
8df1a9a3360871ff37792a0e0c68006c18e3c73c383625d3b1897b8731c59f9cec026d3616bbd18e0237c78c5422786678ed8177131d6aa964a5e5bc8e4d2ca1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
76e81fac6c7538b5f4d2fbf893e49134

SHA1
5fc366514ea756e3bb2be62c1cd65386e37bd3ff

SHA256
2b09fef429af88dde6a54250feb6f93e166eda178c06db67d6a831f2bbd9af1a

SHA512
9fdbb2cc0c1e1a98e648a7a3c203c093c486d89c5cdfbf365e11ffa852b37731febdf0b555202d415cc83ae491fe50966ae97efa31029d097b2d05c28a5b4848

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
1a7e256a14237df0160d3a59e14187ca

SHA1
40735a053db15e8e516fdc6bc1fd498a28aad30b

SHA256
93ac59b8dc033d39e9d8f1ac16e3f8eba74c4404a7a9f1d8d93d9d29442484fd

SHA512
8bd2c4accd9a5652816c24e865b46ae0adb2157380ff0ff1cbb5352b55dbf39ee1334fd4ae6af90b9105f12afdbfb8936e19e5eac033d9c6c367f59ba54d7e30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
57de10fffd58c16d286f020d63a5a438

SHA1
792f48a11427a2c5f83d4b48e27bc43197e9daa7

SHA256
8eb14d1cbbb16199f9b1fd6d04f099c39e4209ac1e958e8e71db9317ecc0c806

SHA512
e3f9fb090a2902c5fe321edb3f0d62aaad260706399ebc76940184a6c6c69671562b4f05553bf7e12ca7ac8c5e2fdeadac1a99258c3e15da3f2686b1767ebfcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
62fb9247124baa2f5f690c2692dc3474

SHA1
9b58bedb2fbde0536940c69d90662d98f067c8e5

SHA256
3e74c06399b8b3ef6893ecb9740fa57599133a34606b9ffcbb562ec24ea518e5

SHA512
8738b15ceb9b9e476df5d2db7b6561b040cf67c71434cf0d1d95cfc000bc35de78742afc3abf7c70c95c45cc658a0efca1448f56622c2050caf870aa8c88df02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
aed7dcf07bd28602aecb34c9b904a4d2

SHA1
45532ccbc20fdfceca322b4a3b91ca733f078b26

SHA256
489566a9155c690dd9333cac30fea8b03247c30c16332ca80bb610a698d69763

SHA512
e741e00054e7988f9dbd4c859385a58bd41a969eed9ab5b9cc8df78e964bfce6acdf4137e2b7371020487b856cebf15aa4d141f14aa7c7a24a5fb81a81ee5b38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
b45e033f186d9f8cfed603d081904b4a

SHA1
b39811be4725263a29e87696f486ee7e33e73f75

SHA256
dffdf65cd14ff7d58d2ae99285bcc1fb5ce912f3094ad482c03d8c92af0f73ce

SHA512
0219b85eb826d1173a901434c435b4e8138cebfa22838fec81c74ab7ebd440fde200f9ecadc58cb6eac3b1e65b3cd3d1860a20523b3a118c9faec8d224dd41ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
ae74c1eb5e3412e00aab4eb4b03ea4b9

SHA1
cdf7e4bf48ad20609d5bed92a717fd3706cf5726

SHA256
5594664f4e0258f60af6e9347afbd54626a714cc907cebec94220980a6d6f556

SHA512
6ebb3cff4b9981699bcbdd42fb353c5ee1057816b5d6c16cdf89f3823f2ab5b021a1ff0a03f5a4416a3ff4e935764dc23554edada49718f59f0e37ed44a1a969

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
74a086b351d2a0ce89022a9d9b8e598c

SHA1
0ebd939940d58120715f36e8b97a295c9eab79f0

SHA256
c8265aea49167f124d0c99592028cc738a79f591aa8c9851ac1e265c2b48288b

SHA512
e3c5702566e32e101b194ec78b897bc443fb99999a57874559b7a2309bc1fdf731840281b82d318ca4097e0f04034540407e967f7ba9114894c3918ff6151337

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
289f14f80668226f6629ae5df9c4cc01

SHA1
857c1ff5661db26bbf0a1cbb164910b00efb085b

SHA256
2b44f2db9debe4f771f5a0ee2bae70ed8ff7c557d3a354c4eba94a21b2fb5ed1

SHA512
92929d202dbcfb8ddbfc616bc675cf5f6951a0b0c72bda5bd1b9ee3306466ec1f0ab8877e196038c2caf73b34776f2b25764c883dedc8f1346f7a90e49098024

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
ecfe7186a9342fd9af19c0b9609e43df

SHA1
f2ac86ff32ab3c1d513d636e48c99f9ab87ac018

SHA256
9ae1b2430a6b28016ba5b33266645e12ce7b6551c3e660233a2b23501d49b6ec

SHA512
842baff6c7bb4a41768c2f07c2f9c96f4e88647ce55117afb61dbb93cb35f069e0825f4a77123cfdcccf88fd1679fb8572ae098d3dafe87f440aa910121a1710

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
5e0c71f1de04f2e9dfccda0238fbd358

SHA1
106a89175fa9bc989ab41172f969c25412bda12b

SHA256
e932e0554ca538494fb8498bbd3bd2f106ed03bbd2f5540ce81dfa11b3882afd

SHA512
daefa6e6986032e1606e373d207c5166675f34d1e9ac9eea3eba8d53272f371c698325c8be1026f59949d86d7ccd997a55fe79b49f05ce0be57f2696987a29c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
628ee246e44cb3e10fabec58c93b1c36

SHA1
ad2ef45bf26bdaeb88c9745922ef91737bd21525

SHA256
a4054007c23c777b90bcfb20cf10c2d0675cfc7313b3a84f04430bf93f9c325b

SHA512
8760e96ceb35d5a2891672b1dedb8fe0ffa17c6f785ffc69718380dfa81b8085b17185ee134d389fe52d3aa1bcedc99b9bf2584536bc92596bb285361ce71fe9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
264ca9c42a581e781d2c504c6c415412

SHA1
024e042dc59f6428f1198ac4bd173d55358fbd7d

SHA256
82361e593b10b9af2cb1e1cfce2507589c06fb89c69cf59237f50388d99589ae

SHA512
34a05344d6c73bf82dc0d8d8fe92de4c9a2e06cedcbae6fa3ce294bb01c39d71b8228ee72c997fdeb999f032b7b04c1f864ae432b75e5738e3d86223f5d6dfed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
ea63cf187f9d4e2f81265c951e350d2f

SHA1
b18d74c1d0b3f97dd0084ec832d4385398e5fda8

SHA256
8155d02d6a21365cb8f4e185b16eadd002f8d941b4c75e74196cf45f16d3b74c

SHA512
35b97315133c868bd317f9e53514cb6aff77343f9e910743014184a5374a7af9da9ff23a1081ae8ad0abfad94a755af1702610d912582e10e7f70c322a0d40ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
b6bbbf00aa162cb57cda01e9bbae789d

SHA1
ba6b4390b42c368e66ecd6d0b2ef82526015477f

SHA256
713c9d0eda5a8a1ea015fa6cbf1cf8e0b34358595f90f7b073b27f8ed55ca57a

SHA512
c15a3502d6b93554c950ef8a055dd650f497afe1ea1cf4a19f60f035c2112810f441394989dc5a6099602cc5c8292eb7e0de666ca8cbfcce5c9e2b60735a4bd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
66b4980ddd9c33d8489b0dda1a669cba

SHA1
b5c3f3bf17148c8091e14a36f422f2ab00067cad

SHA256
3dac14706f5226da8d8f4208f752a92c7bd0ef0765dd9de1bbdb8f38ac696a4b

SHA512
61f7446823a6b688207cf90a58d2dedce2c929d00d89f464e65472f8c04a5f2fd38bdadd21a66d486715a0396059575931878c97d958977f95f0688f2d3dfea7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
f39928b7ec7516b288deffd0b6be0249

SHA1
7ee1c94884bfd6d6c70ac18d53f30db405a8b2ec

SHA256
68867e5595a13e74f316475d9f36dc8ad77a3aac99064957ed31c7f3f573c8e1

SHA512
a943aaf2187622baa76e09f9c9b1c51d7128ab9970597b17dcafb71f4974d09668ffb50bd1880e9dd5118c0897451acfba00cda96797a4545fa129de1289eefe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
31d1b86228c9cc68b1a10ac2c74b799f

SHA1
c2381b36e68b6e982f604e893bc299fc714b06dd

SHA256
68d893b9fc83a760a234881bdd5ac5bef855aedc372c98dfb0afb401d7f879a8

SHA512
c823d2adceb41771fec5d90cb17abcba2a21ee85de5cc0ee60b100c5b3f4775cdc93d13e613c195171bba0765d56776190d5b37ac0b75d2780ec0a1d8e11df67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
f016934dd651c20a73a3c1ae254400b9

SHA1
06f2f75d49b276addf1f2fdaaed2f257ab70d4f7

SHA256
57d72b0ba8540a9777916d1a287a775d91154bcd59210114e549421bfdf2a44e

SHA512
73a8441046dc9bf11e494abe0c59f61fc971406d12f1a32300a233208bb3284cf9678470d75a7d56a1b84464a4763bcbe77c765e68c9d5feeec95ec43418dda6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
d84262e7282238ffd20672e1b760dc6b

SHA1
db6bc67286ee6460e2cbdf9c298142712c407d02

SHA256
fc5beb9a0f94f6009fe83b32cf481d0b15badb9894fec15bb11c67d0b3a5cce5

SHA512
331d2a5da7c2e63601fa624016045a26dd6a5019b071096d9ca2ca0ed20e0afcdb567851923a6143e7e8b1d7b802dd6caaa83397b281126bd6122296426f2568

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
90e253cc264a08d8882502dbe6d1795f

SHA1
dad536fa6b27820608f611f38ad635d73c603588

SHA256
daf4119346d2c83af6ac650cba6c703aac05e845a327ae1b3abdbd3a0ee42a33

SHA512
76d93193707d15c4bb75d620ebdc24ac34fa4f65c325a670b088db47d27ffa56e8361c8fdb087e20e4274126dbf353f84ea9b46918abc84d6be31206333307b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
f808049185095b4104df5f7090edbb4a

SHA1
d278921692d1cf250419937e8773b5b28f5e4a58

SHA256
571a46a82baa487716a750376432106edb871e51ebe0b002a4a09edfb66058bb

SHA512
71f9ad784fa829e63b427acbd62cb9527f82cde60c445e88b756710fd7a2889a59489633258b993c4cc4bbe104a48e7296cd1bce720ad1ae8d135f1da66f1b28

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
5ee86f9b9a3691d27278086dba175212

SHA1
02af455020a4c826dc1800d2140a5de97df63117

SHA256
d992b7b811cea596956e9f076945fab0999e56aeb44a01e102759aa9e6b05ece

SHA512
01bc35e3658e6ebb087d992189cc55238f2cd4a9aadb2a6260d83b81daabf94dad3c020d69cb9bd8fb07d7a84d311d7b65ced9419f29331dcfd066a1fb647315

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
34e136bc9e7fc072cb5485e889e5a613

SHA1
c4898a64fc80c12215db72a5273e1edc0f378ef3

SHA256
db6e43064c3636bd5eaf079a91a11c5c4c155f6d591334f0082c8a03afbecb90

SHA512
65c308970b2636f1b262322b692a8bcc67e0d83cd5ccaf88b9174ffc9eb448b51662482ab9a198227db9b5b1d8b21073b793ea1550426bb073485a2217c8faf7

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c6665c4a1e46e73e3f0d7a4b3d68b499

SHA1
866e3132e5f6f228de0ba72b24e696724aca1dfa

SHA256
6529616bc42ab85a1e9b9863dd94d10d15bbbcd5abb07370daab6ac3ee4631cb

SHA512
1502fd87c39574ea31aa104bd2c348a0528acf78be03e4a75c26fb8c0b749d98af39525c808a6fc89ce2e6d088064544866024f9fcf5cc40f10e92ed463f4a6f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
4ab6c307a3483259101df145794220f5

SHA1
5c61dfbbad28bd2f632c470a0fbdca78c53b44af

SHA256
ba41869b85691105ad9c9e138f7882ed7bdae351fcd897761d3fc5e6cd23e37b

SHA512
ed20d59f94ba88c28838d3ccc5d0f4869b0d19f35da0a6051f67ff0a94d077ca98263896a31541670b0089266be89729f450c2a3a9ef22fcd2f4dbc064a034d5

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
20e91d194a0a4434ab49c63d26e11988

SHA1
ca6ce9c8f4156c3982e0d294f6bd747b2ad75e72

SHA256
a6b2309f73a01998ff009712a82e9aece5498503af40226cff08c0569d131a29

SHA512
c8e429c2b56aef7ee279b87325cb45d9432d1dab9e1e6a6b901c88d79514355d2bac8056de84c489bcfbcf0b3633eb2b17f328ccb79a313d3140d00a3bfc747d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
02ec71c65a18974dec47512bef1f90cf

SHA1
54c0cf2061ca3a8ef317a6523c47b0785ee64f29

SHA256
9ce1bcdd27626e8986e2a1126c181bf234bfa50cbee245ba027bc7978e7290af

SHA512
300913c94814e21db540de80551cd2f73fa19b77f9466593089a245b620e446adbd6b633e41f80833bb79f698cea16fe8725be7bd8fed2eaa78c6d21cb658a75

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
ca0649b7e4eb8584575603b48c8fb0bb

SHA1
594333fa4a0a33b84670315c955e84f453dfb8cb

SHA256
258cb837f3d7b0a8efda3d7429c3ce3d6fbc5989c844b615877c47eda00c8698

SHA512
2b3221317a0db93fdddefbe15b7918c11625c43fb4be32dc2daa62d79bc3cfd33d4f543f87ed3db9450c5983cf813f2ca8f8bb10fc222db31fb51e5911be743e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
8d640c3c46e893293a380a601136e153

SHA1
dbc4e64d9d1f8b79edd0f13383682d767e4eb7fd

SHA256
2ed12509a8d710c0ddea4d248bd7cff9db45e5daffeea70db2fba5c53331b132

SHA512
505a516fb680be6aab2b20b894001c10a8ebd41ffe4877b3940f1aa4f0d85ba08d2be568778b710cada502c23928194e66413caec0155924148f09c16196ee11

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
903b807ec34edc890ca77001d9cb603a

SHA1
ea946454f32adfd5a18a8fedaeca41f0e41d359e

SHA256
02447f09587fc35c43b12b371e916665a18f48c4cb6d87d4716a25c1931844da

SHA512
59e844b3083158ffed65eade3f94c2906977387f1a0616a2234423f18816d206d93196bf90ef8db2c5dc8b960838920c4b3f0c386e39ec2ffce45bc2d38b47f9

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b06ec762b57b7e0fe0dfc58c97bc073f

SHA1
6fa7a1a56c5c01fb42e4974d897bd73529fa9c4a

SHA256
6ec061ad0dce1018704c7663d017a59ab8e3cdafa4a1678ad8032edb8d44ab93

SHA512
ece16fa9d9af8faa7a18623ca056f990d4402cd42322d3a5c83129e3b8a00ee8491bb20848650a1d0b41a98b30cbc4b7eddf6752131688abf5c33127e71a694e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
9e58c142ccd19b004de9613de3aa0b60

SHA1
6512668729c225893180448276cb7a5f41f6a406

SHA256
2393b54661155607223fa70ef6043e76d21a997c8d9573043580d76ead13dd4c

SHA512
5e810f1b91c03c7a69c1206f9885df5d39b4628a5ed2083a2abce6f4039a9c65b03053c46d4902ecde22c52fb0de7622812a40bcfabbe1e4ff66682eb63e1e11

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
280f5d5deae589000859bd624c3f7786

SHA1
a6b8050abb9b769073e2e2d4bf7c28c0ba1eca9a

SHA256
621cbd329c556ac82d89e7960a51e44014f2f70fe12b0ea9a8287f0ad6a2c3a0

SHA512
86ededf0bffa59c347addc9cc5ce51c58767686d2d247530ff37d859c921325bb740a47c20b488c71d0337a63d6cd469f6afcb43ab826cc533737cc73e9bc373

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f5829b8e01eaf3fb471bb81133150c63

SHA1
efcbf38742240def764d774126d125da3c64350f

SHA256
14c64a034f5b32c2758de59a30f2822d87ed93632483b84f1497100cb3042293

SHA512
9960a1b03cdc8bcbc68b245e9840a1569313eb722eba5eee4428c05f12769a7aab0fce02ba6349b9812e8c16f464eb1f9078423b52036b69ec1165fa1504c69b

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
e5d2c3bfc92e92328808f1386e380bc5

SHA1
f2fca82705e95427db8ab58e3211d39c51e05cd2

SHA256
58eb1a31e2091eea67c12cdc1b05e81c8a3e182d65b7c8d04b642ffb2618ba0d

SHA512
c5a98da801f9849746edb95d96ab49d8b08f862972a21f11795f938dea4f0fdf64b86dbd8f75c19d612c1b5214edfc1838aa24b839c7d46bba8fa824f1ff5208

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
aa3b42df7ec07e54d08b0d13f732e994

SHA1
f29739cab06ad69f23a9f4278fc26f188afe1eba

SHA256
9a15b2f7c3e475154961971311ab15a63f719c27906827cb8fba0a72567a056f

SHA512
b97cca9458f023c397eb319dd53cdc442f134b08cb3fbc282cf7ce0e51029f87c4cf8718a930e69391af5d73c4c2014aaac7a16add1dcc6d6a1e4b109dc77a36

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
09cf3b7f3b72ee5c049487ca6e955bbc

SHA1
de02fa2168a96542e18fb102cca251d2cf432a6e

SHA256
ed41718f0cb7a3b69c0abd6cc32b15fd917ab85281781896003fa2462acff56e

SHA512
bc6c6c7e4ea0ec46eebc24f67f3f058bf30ddf7cab850b80370ef719cfe6f0358a63f89cd42723f964174ed42f08b635bb4e7b3d903bf8f89f900627046e5c1c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e668032f69ab406a69113b18c669850d

SHA1
00e3c5078e89237e117165190f76aba73ac2e9b3

SHA256
46f12ea94a4e87e7bd7efeec222a3862c3bc79204fb88c86eb3d389db81400bb

SHA512
761ccec7211d2387600a69589f8d48537feff27a396698d13930b7269b890685085f1e37a1b9ca7f8af2c7ad0f8b10be3585eeac69b6013d42c56fa3885b72d0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
e402e93b6ea19f9a07ffcbb86cc588ae

SHA1
cc59eb62fc24d34e3b4159523ef831a1f88f6944

SHA256
9418acb1de2cf8af224d1d8cf7f86955d6b46a4b55346cb2de166841ce3c158a

SHA512
31035ba2346dd61d520fb48824db7dcf82b9c3a8eae191a50c7930e25542da38bd0bf60dfff4048eb431ab9bab96539f97aea3b7af5ab245d6c53a1275c738a4

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f4393175a42b75a678c68bcb14766186

SHA1
1b25d12153f14e89d4746356f7c5b511fb403d10

SHA256
181cdc3ebd2c3c792fdfe3e31d9d0f3c8306fe3427a43ce09801d92e1e75d312

SHA512
7f8d155e32c38e8f700bceaf9137736239db3904cd615047f33e3b1b5f3e3093b9c4d07f442df02e01c971a99532014b4b3977ed4e047efdc58d77e9b4db64c4

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
08a536171fee1c60b21e0604c7af6668

SHA1
6b2be91cde4aaa6f056a19bc765f08d7333fa118

SHA256
5289c9381d65ce1644afce99049ad981617feb2f922a5e85104a608cb0415a36

SHA512
f9835e12bd9919195b0a5c8d417526dfcb4ef96e6d9a35f43e0d53b0c553c61807673ad77bf4b41246cd22262db032836301c3f2aa538c2d3e367a1d057a94d1

Download Submit
memory/64-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/64-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/540-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/540-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/540-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/540-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1076-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1076-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1076-19-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1076-236-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1124-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1124-534-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1232-331-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1232-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1964-527-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1964-289-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2300-262-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2300-323-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2300-255-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2300-256-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2352-270-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2352-269-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2352-327-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2780-320-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2780-533-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2860-332-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2860-536-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2876-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2876-538-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2960-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2960-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2960-74-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2960-68-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3156-286-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3512-301-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3512-529-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3708-535-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3708-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3776-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3776-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4236-237-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4236-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4236-38-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4236-39-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4236-31-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4300-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4300-528-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4300-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4392-246-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4392-249-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4408-312-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4408-530-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4492-251-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4492-319-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4720-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4720-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4720-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4720-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4720-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4792-2-0x00000000021A0000-0x0000000002207000-memory.dmp

Filesize
412KB

Download
memory/4792-6-0x00000000021A0000-0x0000000002207000-memory.dmp

Filesize
412KB

Download
memory/4792-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4792-26-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download