d482d32efac41c56a3e2e0c5e52adc2e6f9215596d0427d646efce2768e57ab2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe
Size

677KB
MD5

9541c0864bc4be8b7444a94b74e64d0c
SHA1

c2e3c09feee2209588e7011315cec528f1ff25bc
SHA256

d482d32efac41c56a3e2e0c5e52adc2e6f9215596d0427d646efce2768e57ab2
SHA512

f017d5ea75f9420a8b968c731c5d762806f6853be83f7d4776aebbae9e7af127ca5d1282648a641adb8bb326969332cb57c78fcf9a16c22c01f85b8ce913c015
SSDEEP

12288:evXk1L/bxXyGH7XR2CAwEQki1I7wwY8DMkw5V7iP3sOZ9jDH3kTKE/aoJut8o2kL:ik1LF3B7zPkcowwtdwKzDXkDNJ4D2k

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeelevation_service.exemaintenanceservice.exeOSE.EXEmsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3196	alg.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
1436	elevation_service.exe
4616	fxssvc.exe
2536	elevation_service.exe
3496	maintenanceservice.exe
4404	OSE.EXE
4884	msdtc.exe
4216	PerceptionSimulationService.exe
1976	perfhost.exe
3512	locator.exe
1320	SensorDataService.exe
3260	snmptrap.exe
3884	spectrum.exe
924	ssh-agent.exe
2780	TieringEngineService.exe
708	AgentService.exe
1464	vds.exe
4596	vssvc.exe
2128	wbengine.exe
2508	WmiApSrv.exe
4320	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

elevation_service.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\41b6c21a7489627c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000400dff166599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b39346176599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071a397176599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000121f3166599da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f70b1e176599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d66bb176599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003699ca166599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0d4c5166599da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c5ecf166599da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
1436	elevation_service.exe
1436	elevation_service.exe
1436	elevation_service.exe
1436	elevation_service.exe
1436	elevation_service.exe
1436	elevation_service.exe
1436	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exefxssvc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4036	2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe
Token: SeAuditPrivilege	4616	fxssvc.exe
Token: SeDebugPrivilege	4196	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1436	elevation_service.exe
Token: SeRestorePrivilege	2780	TieringEngineService.exe
Token: SeManageVolumePrivilege	2780	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	708	AgentService.exe
Token: SeBackupPrivilege	4596	vssvc.exe
Token: SeRestorePrivilege	4596	vssvc.exe
Token: SeAuditPrivilege	4596	vssvc.exe
Token: SeBackupPrivilege	2128	wbengine.exe
Token: SeRestorePrivilege	2128	wbengine.exe
Token: SeSecurityPrivilege	2128	wbengine.exe
Token: 33	4320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4320	SearchIndexer.exe
Token: SeDebugPrivilege	1436	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4320 wrote to memory of 2972	4320	SearchIndexer.exe	SearchProtocolHost.exe
PID 4320 wrote to memory of 2972	4320	SearchIndexer.exe	SearchProtocolHost.exe
PID 4320 wrote to memory of 3760	4320	SearchIndexer.exe	SearchFilterHost.exe
PID 4320 wrote to memory of 3760	4320	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_9541c0864bc4be8b7444a94b74e64d0c_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1904

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2536

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4128

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2972

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0d9caa4cf27527317411a63162d231e0

SHA1
5d83eabbcde6f9373ec00a827d0a304a5330cbe4

SHA256
3d198a06d727b4e1951e9fe4b6f58bd86ffe8061011cac3aa0538672214673d6

SHA512
913aed694c3da0981bf5f078fe3217c8cf8ce58a82a1c1e634b58f4c97e5b7050aa6f9a681ac7308e74b8d6e56a8c54dfc2e14e54737d9c9cb5c711744923c54

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
b32d330d8b553ca8df28e3fde0f3fcf6

SHA1
00f9d878a4c2b16245c2188e0801618de65301a6

SHA256
f847d88dc5ab616afb77be445bc73e560259a17fbc0a5bffca22c5808addf728

SHA512
c8087c0a8570b85f780de6b709fef6ac153ed2570f03b8295a047c13e1ff4435717a4a37dfd4ea205046239a7f9357670aad0fab394ffc790cd5865839ea12b8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
05114cd321cb529ad61f90e79b78413c

SHA1
c4e749f61671378049de23446959793d46d0b439

SHA256
760d3118b359edf4c53f1a75fe9c7be25e4bb85014d9a2d8aff6b990814efd9f

SHA512
2a83a4bad58e0da7702dc456395ef546590b7d26f1ba942f0eea10d7dd3ec08b44541509adc669e14138613d644ccbffb752985e93686f328d537d03a19ac8f7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
89bfb2d64d90c3c1b274d316160ce74a

SHA1
89a3b354ffa50dbb1b9bb49735af16cfed937c65

SHA256
0d9a24c4e5f3c1344edf79c4041b32b2072a783d622bace597669b053f959c0f

SHA512
a0d914209f9a6c2e1ac497b55391526945835f6a94eae366b2c82e3c44972efdf49b6258031ba610ba421a562be0201ee1dc8136af195bc798868bf3f1eebb8a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3b463c8f7cebddb0e8743205bd81e5ca

SHA1
f89d69dc2d924fa48319d82a350579dd78668137

SHA256
7e0e31eb252539306bbae149810ca6925b15c79449c97307b247f0488be37ee0

SHA512
166a0b7aa4b27d5ef79c932b763c54bc61d5a1b924c02336a7627d9e51190560f34bfb06e5468d9f365e7a0f9a2b0cf5afcb51c447303cd1f833b8b193e26d6e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ed69dfd5e453ed556cf2d20463ceb835

SHA1
237a77f1f8fd7a8727ca855c9b007b298a28a6a9

SHA256
689a5427c6a75b90d76a0b7fcabf5557436f2459938cae9894aec489a297af9f

SHA512
ad5977b7184d1f4fdfb8886f6dea9d636e3ba13875e1eb1d88f935ad1ddd1764d34c28737ec8a11b853a3d6813fbbb38771b129ea7d3183e6b7d9d45020a361c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
064260e955d151468698525aa1a0f351

SHA1
06dbf9621fa5ab190359bf5e1b8f3fbb11674b5f

SHA256
bbfd772fea1871d9e97f598ee338de875132d1a5fb199389594a6a5387442f1b

SHA512
3c671d75c978fc0f66feb7dbe79668a609db887e4e1504abf54eb1eaca47f99683266e023bb0157239de3136fdce0f884f9fea2d3002cfbc3dc9d3afe773e2a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6614d9e4e03ae8fba10c8aff84d7893d

SHA1
003a040a8975b7bc58029c6fa646e94af0a13b0a

SHA256
e63ecb1bb71b34ee0f31f1f45b00bac71588c67ba07986425bbdb84375298acd

SHA512
6cfa05579081b4d48ee3946f3b8036370ce124aec4bf8a523f82f72f5b2015cc2b6a10bf46a10ab1a8852f047d847c520490d57f7e105e033982445189cb497d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1341963de37fdefc82d62fa6b572bb28

SHA1
aa6a69915ebec0d84fa051aa054e90b52157ca75

SHA256
15dfd1ecb6fd5c30bf56f672414451be8ef9d8074e2d7de906b1b76f8f60f0d2

SHA512
4e41d6aaa96e8e0af665af6a49bcb472d2b97367ec79b8e2055d7459a67d280b858e934063d6ede7a8720b83eef3e6ad21010f8f7e0d0babb09cc461324a45f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d61d97e73f6f5c36f99c5f4a01088154

SHA1
19954ae0e6b6d86fd4fc52dc340744a8ca7a7b91

SHA256
16d074cccc41f4af8f5469cbdc118c91a4cd7af1030d7fd4472583de6ff8ae1d

SHA512
dd1fb8f57a8a4152ba753e698b5d41c1821da99133cec8921c68576437fa03fd73cffb07c99961cebeb0d236a8ef8f0affa1b2984bda7363a072d60ad8e6be51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8ad5df96700e8c7670030456e56f6cc9

SHA1
5739312d71bca58ab7e9426e0815192095a56d07

SHA256
a3482876fc7eaafdaf8f203e2ff3c0bff66d3db889290c4192b53e104db75e34

SHA512
7068ecf0aae49fcfb1efac863f90c1481a1f2f007995d4b9590de60c4a2c8ba684a141f0d97a440d1d8a69469e0c0855afce2d554e87d39ba2abff35b32d8eef

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1b513b094c3a93c83cb636350e666587

SHA1
70edc1222ef1eb9023d67e7e79aaad0ac2bd7e63

SHA256
454c077fb7e4b82252afb8d20de9680e762547da0a53072c7c076c24a373d271

SHA512
75360751c97183053f0b7dad653ae22c29ecfbcb9cf0f5905da41fa67124a67e05c487f3bd899c7307d31d31c11236060d877eb4b3ee43c62d6222784a892db5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d6c9edd39d8054bc2520c0a92cce1cb0

SHA1
e8dd711480141498ca55c503ab031c50ee38991a

SHA256
8a78f106df961b3a30d887f07983491aa157b2fd96c10edcfb201fc2751f4bab

SHA512
b3ea0e76973eb6cd2c107fa0dfae8b5c9ce879be7fd11bcaed9b57ef99c7ade567186ba6a31dddf7e89be5aaea759c0a923a5159a00819adfbb0d79924087b4d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b1074e249036022261d570a5fd40ad59

SHA1
34a53a8f853d5a107a8a1fedb48e191ae561fe56

SHA256
8d2a2bb43736a5a8723bf5074eca846cdae2f8ab8047518d4734f3031aee7df2

SHA512
c61372096fdd041e9388e8bcfe2dae5aca71d703346fb4b242ec28f82c5459bf87354487691108e93a75300a2ca954ad0fa4ce05b7acbbfc2c5f75b83febd804

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c672a4009777446f7511fb5841765686

SHA1
6f18ea4e3e61aa20b36d1c5d621b23688e91db31

SHA256
9feab6842eea21c4adebcae3bdbd1464834565eea1b455c120821ce299aca787

SHA512
6fd5890cfc56c554d6702dc893bcad0ff9ee671f1f0d2b584a487b307fca508761ffcf871fede44e7c84f85017bbb6c25677032659cfff2ba10ce1fa6c143d59

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
c6db8a2826fcd387719aabc5084753be

SHA1
4f105f16c805e948c7c2c057190c6c2169deb6c9

SHA256
9787a78aff7e15445aff2ab25fdeafb30d9cbe542535128d40a5bdd24bbe2e2e

SHA512
ef9f3a214406f7e1e8eadefdb3e47bb1b199b83a9935928e97919ff78eb471d8318c76ffa279ec5c3a138b3ba55b638be974ed39cdaaae917f8486bcaa57b2f6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5b8e7381d82b11358d8fa836afa393fb

SHA1
3eb5a8a4a642686627bef86406c77e2a1fb99518

SHA256
1fb954bd07844679bc0444b2148dce615d73375e5d3b13fdda070201f5be508c

SHA512
37c7187f8eb48b56143027668cddda9da1af03377fa1bced0f41da370e08402304427c97c5ba0ea233b5039f9b13843a5c3fb219876c73c78e43636332cad556

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
cd741aa5d47a0919503df645a4ef13c2

SHA1
5335abd0c45a3918212832b583b0aef0c7b81029

SHA256
352b5f540ef49a406c2eda397463479770da91c6671734d9a8f0839ab7f10a52

SHA512
f0ea2dc05b47a1a3f260c11f7855900a70eb13df32ae176f40edf9066162083f14db0c04fec4cf657cc2589841d77a567faa78f352340db0bc914c8b724507b3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
c8afe4bafd1b4ce49c42bb74242d66ae

SHA1
79cb82580ee4125215bd0207038c59cee6f512cf

SHA256
31a0fe926218854f12055e2aabebb87e8a996ea5acd01c5e337c0dfb984540cb

SHA512
053ed7be1a5ea39bc61ed585dba85eae1d5f81d4e292465feb22820ea48d48be8a1f72c7b251f918be8230b08c10ed575b7a3cfb5e13db298fc2a22d2231ad52

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
d53ecd546ef1a99f413ffc107cc0363f

SHA1
7c415089c7fc487fd56c0423fee606c06f3fd917

SHA256
606456df5c5828c92ac96cfa16f41544a5d7a9ea0bd45e5019a6c3b7d541131f

SHA512
9b2ce170f91be5daf296103063a7b2f81b49bac202759f38ffff3f0f126de8fa99905fa8efceae3812cb0f5d873934a868079e0bbe80bc5b065efe2ede085e83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
000419c1f195a6cee98acbe878baf7e0

SHA1
56cff2b1b016e0bcc851eda67c54f3254fb65e3f

SHA256
6557ebcf40ab3cdb8208f32ac7c73690ae07dbc03c3c08b0a3e7c315996c8fae

SHA512
dfbcce6f2ea082cc95dcc034948c8e17af7c3fe7db51e843c410dae1b17ee8aa87584ab4b1e778203f4e33bc70aad1c2cee43ebc6b9fd648076a1f1d6ff29cec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
43cfb8eb58d2245912db1e0cc65fc344

SHA1
451f2ea20401f990691bbcd8e985ba820ea3e970

SHA256
2a130d9c3b81e209881451b13cbdeaf5d3fd9c6f7d07c2872e512662ef73a13a

SHA512
166a27446b51569a89b4497d9446ff36b57c683c067ee5ea90f304113a35e6f72305ae9e6b84b968d6549a4e1cb41aaeaca831862ab0d66249a41430f7a0bc71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
350ced9cbbfefb8af016b26fba91ff1e

SHA1
11fcbfee2cd3751adbaea448b96321545a8362d7

SHA256
89f1d7c4db28640a1145c9ab53efedf9bc105f15ede07701e311199114a00775

SHA512
f42e703973bae07129cc25c664b6f287976dce62340bfebdbcd6c8d7bc659b9466a3492e8ec402a1d2f2a2f073026b44cc6d4d565cd88fd449e208fd83dff4e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a02a801ea33569fee3e7162b7fd26817

SHA1
9207b124d220b501c5f3a4289730200502bfc5bf

SHA256
8020936229c4b1d988866510e43376601fc3f2b3b59441e9e3f87ddba6543b18

SHA512
5c9ea257a45a4a517a9149f2fce8212d7e0b196030fa803ca7c21d4ec67939c2fa1bc782ed368e667456f8ccb6d2a11fe9e0c1e73cfbeff08a3da8938d209445

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c90ef27ebae2dc6056383a1f8e487773

SHA1
9bac7946cdea8bed3e638720b5915657379ec8f7

SHA256
78bc0f3907144be2c7599546561236a2ef55e4dd6bd42e34fd1e8a9bb381280d

SHA512
3b3ad531ab2812d93c7cda63230895a7dc1f689d93dcd3d0da1440862c92c76b485d9488a915a44aef6e1eb13314b2f4429ec56c223cf78190837ef8e1734247

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d78c7a8ac090f91d937423f93b737eb0

SHA1
010d501aecf8887eebac76916265d9032a6f27c6

SHA256
9b2e62c5cfd6d5255a512160cfdb69ba637324281f0061f8c0485a2b31281e27

SHA512
4809af5be44eaf369e4a24d795b00573ce0f662e9d2a30a95237ac2b98d7c2b13b6450a44e7598c138d58364d1239ef2a0fbb96f0e32dcf09ce30c78d9ddb739

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
9aefeb8b08460c096577def949f85e16

SHA1
3eeaaf2d20cc394d662237f9846786e968ae58d7

SHA256
ad4cc32dc518041bef2f983ecacc52ef5e505975210f112b78f2f5ed5a91fb33

SHA512
cff6417d1aa050b92030dcd75a4870f805249160c88d12b8051768287e626daf921ba8ea98135ae2f3fb3d66610bdbb9772a1b9a9f529afe532425210302c8a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
94307ce2be3d968113f86998a0611b78

SHA1
122608dd546dbe49d3f203cd0f88cf61b5d6b810

SHA256
9f90f830423c72ad94fced4b308c2a4e02b5576cd632752f7f221bf8d0f5f89d

SHA512
2827eaa9fe28f4e76bf8ebdffe697f8861fc2696e6a840e037d9370d1693ce768448cb73ba1b4277868c20d47705d98cf0ff55b1ff29ec811af4dc82ec7f5d9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
27f327c7fc1cb1424a36fd5c7a0f360c

SHA1
35a50a903526f2c38f11c8380751a86bac3e1a60

SHA256
2fc38b360cccc9fe758050ba29c2e0e17dd40477838e74466141e66628dd3eaa

SHA512
5cfc851c416dfcbe7459b240517c278a7ee9dbf08a163e7b598be5c9bd7558b6d37ebbba0c2b91603ad4bee586fbd5567160c2621a7820521432a8c8359f221f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
86522b1426bacd1633a90cb3183983f7

SHA1
030819ff8f8cbb65b110366455a185546f46de30

SHA256
dfc659c36b47c261351270c83393fc2c22ca8f688e35a85564436e2b16b6af39

SHA512
10fe2796935cf3b3a0d602d014b55a846e1a8efe1f65a28f063f19da77e70decd0ae4625cac8cc2445d82fc4b214959e8eaae9b19b797a2f815532b37b78dcd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bcb7b84472afe424a62f2e2af746c963

SHA1
6870f87898e65b74b78a85775e29073f61d1a0e4

SHA256
c59bbba893ba9b224c3bebeb28eda981c9e504f65912b6413d658d0cbe1a9437

SHA512
19f291d59c2fbbac2f59bbc30898675bc0fe884f69271ba6304e226a24b01b6c51429b0b7fab606dc24c9aae669b0eca8d79ad39d0602e6553b28cf943d5e551

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
4b5e0cd2e0c0a35b37dbf3f81285e125

SHA1
100e244509dd6bfcd29053e127314cb4ee8b2e8a

SHA256
402449fce25d2436ce72abbb424b6b9f67df9f89bfad980bba4da13653474c02

SHA512
5136cc9bc95e1827fadf6ad29a038a3b1b2b34fc3f85c9f314d76dfa1d0b9b8eaf0450609df670844166d2ddd3efdb41f2718e6c1c6a41c599e1e9b037ea752d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b16ccf237edad3305d872d90e69972f4

SHA1
037163597fc024403111d0d570350504711539f2

SHA256
601d7467aaa3c938d0b71e197a5136f0808efc15109d6f622bb64c565f1c313f

SHA512
b0d5d656b1af43cc5df89b49483ba2f137c5a36c0c7432bc6fc85f23a86943eb80e7f98e09297fa0f3437cc71aed02b843cf89efff6fbfd45db687826024a6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b3c293cf26fc4d31131ce75f6d842362

SHA1
55fe1a17b2a6b5984b45f45b7bad3ad1fa73fb31

SHA256
7521f28fb31328343bd1ea74acdb6ebfda75cc1bfdf20c5611a6d243d7563c21

SHA512
7629e0792563a04c2aca823f568b85fd86600042eb8bbea6bb1be6d551baf5253fef0a55f7bbb095307947cdc6b3421dfc6898926fb05592dc97ee595399e38d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7b98fdbf1f5807639388aa7e727be5f3

SHA1
a03f782ffafb737094ca3d31b3326d507b0dd17e

SHA256
c4856641358939078d1f00eae066369ee86e6213245909d3bc49b316b67e4dbb

SHA512
a1ed903567d291ce21528716e8d5fbbbcf6611a5c776d27dd18166e3cc67f1eba96ba369db6ac2eade4f817df17b06fd1a87081af67a52586bc6de701e53bc22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
623ec27754b5f1e9b84e029c36791ff0

SHA1
6922f94995dac1777d998c5a3d2578f43dedd3a1

SHA256
aca84902336ca0e22e68ddff43320f167b6e7775d1c9df91e71738eef149125c

SHA512
fb55e6055d21b1a62cf43f64209265a3de694808fc161900333fb52a58242fc1ede606f70b31289452b96dedc5cfdadbc716484aebb64f388eac5c7540c5b605

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
4e9f222e5fbb7036759eff28cdf54326

SHA1
5487ecf8d0ab26518530258742b3798289249397

SHA256
45604c1930c52bd4e9a47014f591c9c29a51ee87e0fed92149a6902a56b41149

SHA512
dc1bdf3cf50b8c13ba979fd8e26c211fff792e98284372248e28224703e6c20c9fa68c36c78423a6b08b5267a780d67aa2bffc50cb02df92340a0287516c6c4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
00581a1d278400c2d2c1a0ea623ab13e

SHA1
5c9c4f97626b2f732cf80efc01540dbed3cb3227

SHA256
f29d797276add3e367ad3410afd0f51e226eff7a85571cf93826bfdd3bd55211

SHA512
fb3683acf0b20240792adda6a9f2116810be35f5ed05e5bf220523c06f12274c3af4599def1997c8fc836fc85639385714418798cf551242c4510743749eae08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
1fa99b96752f3e8ea55aa948dc87d2d5

SHA1
046407af140a22749f72fb075fb5b651e1ff3f50

SHA256
ef3531d3f93e470a0c66d1ddae677df6aa436c58bff84237d6a4bfd54e10314e

SHA512
885fe05bbd6047f3410bab041f3be223ad2cd543cbb62ab77ca0fd9b3d3ce0e7b66bee9197f1a8e2c69bcd283994c28c48509bffeb0b56b3dcb780027e762836

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
929e9ee3de32802a8222a9056869aa24

SHA1
d175a55cacdbb5a6331eea7d62a182062557294f

SHA256
adaa4273a6ba385e16c420eecbffef7be3ed1c1e31ce3a96d995a38673a75faf

SHA512
33778c31ce740959eed8f5615431e3975abdb855182b7b441a271b0bcd6e286bc20d4c109aa63bff81a1221b14f61e3f33f241cc40d0aba790e0af2c8cd0f5a5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
14e3324c66e3bb48e0f5382f499d3c7b

SHA1
0fffb05e096bc19bafd6746316e162436d218a0a

SHA256
c482a4342f84681b177c9af87dfd53872e5190b0fec7328b200a9c52f0b37bb5

SHA512
1fd58a516efdb6a5c0f22de1d11ce09fcf9c96bbc36bfc05358e5233b0119674e764d835f0e6b37730b821c73c4e321677ce745b918d999c510059789036d935

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
68b663c1fadee8ad41395e9b7ca4ea43

SHA1
4fc319cbebf986d5b4952478068f8c843d1b9fca

SHA256
18144a5c60f9b6946422e254dc6951e63d65bda8cb93f97fbfda0bc0364c88f2

SHA512
8654071b7af254f42be3a917eb7573584c7af30904900e0cabf35f3f4561bd3267510b94147fbeaa757e8b74e70df0fd2daae8e559baa620b2824f8b4d16224f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f19e0cb4eff593d121cad93a24729211

SHA1
bdaa6e71276274289f69a64073156c17514e00f8

SHA256
dbb624ba6de6aedb73560d9b49f0190a96494f9966f3b6995fac229bbd77e22b

SHA512
da8fd74e9250b24ee99c85a1513dd22e086c1602e08ebe00152ddcd30a1e1ee178f569dc3896fa6b858e55262e156dce770c5efdde745435d629671f1dc0abb6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fa957de80662aac428324e78dd74bca2

SHA1
314ef12325f241712aade2deeceeb4353100c8d3

SHA256
5f4cad84a7276f816fb1f45e4df4d887269bba7a968195973e367e582e9d3512

SHA512
5cd548b6e882a5c50f50856177b0bb86dc67d65d90c0af1390228cfbd12b52327fd2fe0e9b97c79b13a471e6f1922a2b066f05b43bfc6e163d411ea2d4fb3fbe

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8522337a488efd25e9099c9574677043

SHA1
1916a83133c68490b0a005357ee09d4f0e7b0560

SHA256
d76eeb67b5d368ffd52b44a85175b12b63c9f0efe1871031fd5f5fc2520b640f

SHA512
07447e2d646472c2d79f04a6865633601ce11c298f1da1923540c52cefdc50645a12e50697ef9c106269f774860fcaa560f111dcc7083274a2b3c31e76c70db2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7936c3836111feac19f2f3b0ab4a8c7f

SHA1
2ba21287c6129d3fab5868728da2fc6e8fe59e44

SHA256
03990b20efc45be8b3795841b2a1ccaba428f74a135d5924e1ba001954d32b08

SHA512
8ad93f36a72937f8b154d7811105a821ed4bd0dac25e9a98faa9369e254c89173ec69b7ac84f5bd2ad3e8570eaa35ee6a9f6263e3975e2d0469991ed96a27cce

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cacb1e96fe1217376b57085c4bb2e39a

SHA1
0b67a242e84c3e0b1f470e3a75d7f3f700c533a5

SHA256
7b1339285f96bd30755931a99725169a9a3d53ad4bf93f42a54997f3036fd83d

SHA512
d943fbb233f547e994789fb3afdd143fdbd67d7eaefe4ec03123599a97d80f4d66685d9fe1dec9d9544f75a782899b9c8820475fd5c97f7ec5adbb867de0ce42

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0f6f50bcc24e0fac3c575ce76acd7954

SHA1
dd3ef8973fa36fdb00441663619d005ad4bcd6f6

SHA256
e0f080ea387d9e30c6d8bf6e38aa81f50d864ad2ce1deb185f15c9b0d502176c

SHA512
5dc5896c624b9abedde2926b4bd38b589a647e4e292b1422bb1729bfc61b7a41efe4f62248595127b49e64f75258dd20f35bd08b2417274d02255aae6a687cfc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a2d5dca27b7c89ac0348039c27b0814c

SHA1
6c02a254227fba2f8a6ada3b76088a0656f9fb3f

SHA256
c0c60b86c4fdfda092f320befe2c25b7d860ae253576e0d1f00b23d99cdc1d02

SHA512
27966cf0b08708ebb2dcd4da4fb7ac1e92316b973c0f1ff507fb7ed645915037a5174d1926f9582f5384083b0a93c3cecd7e29be743c34a67b131ed4819c73a4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e48cb12d81fd08f3c92167159b14ce83

SHA1
909f7bea54b8d892ae9f081b73ff78ca0d063e5c

SHA256
d5e60137bb95a1f4a7ccd9654f9afeff7275c24813598530f57e1151f3d19a6a

SHA512
d15716b81958427a545c80cf91c5ecb502dcaa55bd5086b7fbe42233f235f66c93baf48f9d9cf35ae273260cecbbd2dd7a6f15ad367811312b9ea604cf102026

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3ae72ec76ea67fa9e801422e992e6336

SHA1
7452d4c01d86dcc211d0c0fc1675940e30294541

SHA256
36d0efe9f42cd1dd8a53e12e1fa765ecc8401f19cdfc2d44b2364b7067182ff6

SHA512
b2caec6d961495b866c0a24af2eec814afba9093efcc96ac3d3ec74ac056c3f1e3b9a0a05fbbd3dc418f1cb55720d8878f93a04d6d1e98a8d8e37acf0bc8bf1e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b24e2a3539a50cfcbb3dc8fdc07a97bd

SHA1
ddbb3db42ce3a496c3af1644b1a6264395618d2f

SHA256
d557fbf61fa84851292e0bdd3503640b664745ea74e9cda0d796dcc5bfa2a7a0

SHA512
f4024909c23b572370f58de07d960368e785c86a543f1072f3132d0b42411640e1d17340378d9131b3b823c236363241a8bd50f33bf6ad4e7a18a9f40221bb2b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d2d1ecafc95ded244b93baf31fa57f55

SHA1
8389ec9aed454cdd7d27aec7eb0b5a55d9df1b25

SHA256
8c1fc174d2a76d8df1392407b79a374c96f555cbda16c279591b384402fdffa8

SHA512
198bab41b38013769603b97a1a783827cb01b91c08fd6b90f83b7f0c511a3f575e069cfa8665aa84495c778eafe926adf0c838aa58fd64f695dcf95058fd46ad

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
fe1068563014aae9c8f792379b2e90e0

SHA1
d376b7d6c24efce0c00d84a3e1d6c9e34ef8a888

SHA256
6fdaf1be4f960f3da6b3e1712512052f93080141e86139fd7556064073a374b5

SHA512
ff1225dfec418006852125a25c249a70d8d0022cb322ac12012c731774eee5b6e2ec0d1d16307e2c24271b7717fd7588fb2ca58e4225f12c9970f2c9823a70ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f170c8a36c6a4da318b4bc6c4bdd3ef7

SHA1
5b1f22e11d57a5562b5856faea0da52f01da7164

SHA256
368bd6b3366a5073d78d52c2b396751352308b3090f421864802111aa408a0fb

SHA512
fa878c67e03c0eafc63b8d6144a62b7dea7d7ff0ea4a4a9c55e8499238bc9d347a350d781a494986c492b8c0d274b48940ff627180212ab47c38492b923381eb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0296321ab9a18c329ee933b514875971

SHA1
e0dc40717ea6ee7e4235eb7adecc51849d617c11

SHA256
635d22dc41d64c533e40cb1ba2c50f5ac8f935e11d54ef280c965e2faa8e189f

SHA512
098b9a82d204457be5edca5b1d4f66cee51e708fc10c8d67aa4820ed2539ca459b8fc0707c9ed34cddd169ded12f120f03eef22f79eabebd315f4bb6ad62c856

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
20f790593811a389f6486b799243098d

SHA1
eb9ef1d699eaf486306e29fb3a9d098ff29fcd4a

SHA256
7e5d0965c8ce0a702247fa68c6ef20efc2e88a69500fffd30fa389c74cee4455

SHA512
2fc09f9e8cd4ca523dc7cc187d473b1a5f8e1729827a34dc8434b7af657b8d4721e45644d9d4c79cbca14e5149af7b716c78e2ca49408b795fc5f7f5ec747da2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0b9d8999fc789c6e885b7e6a7ae822af

SHA1
de848ef76c338e48d26833a57d1694dec2ec6859

SHA256
f4417f7757e87fd1740cebbede50d1c553ead671b30ac3e9e2842f2e6c46a73e

SHA512
05a4b728a738243cc401a02cd91a1475e399bc541551a3f48e44fa9aa4fbcf466ad2d01721317c40b018a338724b13c6c9534ec927d853be3acccaf08b49bc44

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a87c50030d125ddda4e10b68d93a1ada

SHA1
875b2f13b9969707045e81468355ab6b90d9c7ab

SHA256
1a07243cd2d0ba34406f171296f96cf66d9875cb5ce63c3cb7877dc8ca8aaad4

SHA512
9a6a3115037a17d04dfbd1976baeef4611d7bfd921b83cbf3d224dae3bd2c36307d416b3de39c6a423d544e37dc088a8e479d7265296d37310a87362867d704c

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8f3c03066c13d7f337952891a863dc9a

SHA1
1faa9d0f7d06ccf05ddf2d53aa3df341f40321f9

SHA256
1cfa78b91fef18763a74eb6e55070c77b22171e9e95467329d1815f3d553c0c8

SHA512
e2c9149f83b9e06087960bcd4862930568049e8a8a5d922061f7e6d0aae563db2fa21fc33509654775e4df2417354e18497390003744f50ab943ebc6a2c8e375

Download Submit
memory/708-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/708-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/924-514-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/924-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1320-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1320-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1320-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1436-44-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1436-43-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1436-35-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1436-243-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1464-518-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1464-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1976-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1976-272-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/1976-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2128-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2128-520-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2508-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2508-521-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2536-57-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2536-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2536-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2536-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2780-515-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2780-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3196-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3196-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3260-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3496-62-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3496-67-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3496-60-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3496-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3496-81-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3512-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3512-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3884-510-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3884-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4036-1-0x00000000020A0000-0x0000000002107000-memory.dmp

Filesize
412KB

Download
memory/4036-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4036-31-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4036-8-0x00000000020A0000-0x0000000002107000-memory.dmp

Filesize
412KB

Download
memory/4196-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4196-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4196-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4196-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4216-259-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4216-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4216-265-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4216-268-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4320-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4320-523-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4404-247-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4404-77-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4404-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4404-71-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4596-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4596-519-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4616-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4884-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4884-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download