3c6521f7fdc56455d93144bc3716447ea03a9510846326d6f199015c86f9925c

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exe
Size

677KB
MD5

2ce2275e80fdac209be7742d06e6384a
SHA1

fd92d9fe05822f8f5e9e7ee7169360bca9ff9135
SHA256

3c6521f7fdc56455d93144bc3716447ea03a9510846326d6f199015c86f9925c
SHA512

dac1559a5ec765ddb8aed9d491aa03757e1dae975cf83c529059064696e075216a3fc80dcd0e6a485075139f3f56a7899a355c3e4f794c78b3e5c2edc28a21d3
SSDEEP

12288:4vXk1LTduSZpUdxB30GHrVxGnXQSaWt+DNISOgv3isiyWcD:8k1LTduSZpUR0GHrVQ1aW4mSOgv3isi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4660	alg.exe
1504	DiagnosticsHub.StandardCollector.Service.exe
4332	elevation_service.exe
2476	elevation_service.exe
2084	maintenanceservice.exe
3520	OSE.EXE
1396	fxssvc.exe
640	msdtc.exe
2420	PerceptionSimulationService.exe
3928	perfhost.exe
348	locator.exe
3140	SensorDataService.exe
1196	snmptrap.exe
5056	spectrum.exe
2624	ssh-agent.exe
5060	TieringEngineService.exe
1092	AgentService.exe
3884	vds.exe
4944	vssvc.exe
1620	wbengine.exe
1824	WmiApSrv.exe
1448	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\896748ab293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3fc76ea86acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000751b92e986acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bb7aee986acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032d66fea86acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000600744eb86acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fdeb5e986acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000077cb3e986acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000446a81e986acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
1504	DiagnosticsHub.StandardCollector.Service.exe
1504	DiagnosticsHub.StandardCollector.Service.exe
1504	DiagnosticsHub.StandardCollector.Service.exe
1504	DiagnosticsHub.StandardCollector.Service.exe
1504	DiagnosticsHub.StandardCollector.Service.exe
1504	DiagnosticsHub.StandardCollector.Service.exe
4332	elevation_service.exe
4332	elevation_service.exe
4332	elevation_service.exe
4332	elevation_service.exe
4332	elevation_service.exe
4332	elevation_service.exe
4332	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3108	2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exe
Token: SeDebugPrivilege	1504	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4332	elevation_service.exe
Token: SeAuditPrivilege	1396	fxssvc.exe
Token: SeRestorePrivilege	5060	TieringEngineService.exe
Token: SeManageVolumePrivilege	5060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1092	AgentService.exe
Token: SeBackupPrivilege	4944	vssvc.exe
Token: SeRestorePrivilege	4944	vssvc.exe
Token: SeAuditPrivilege	4944	vssvc.exe
Token: SeBackupPrivilege	1620	wbengine.exe
Token: SeRestorePrivilege	1620	wbengine.exe
Token: SeSecurityPrivilege	1620	wbengine.exe
Token: 33	1448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeDebugPrivilege	4332	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1448 wrote to memory of 4612	1448	SearchIndexer.exe	SearchProtocolHost.exe
PID 1448 wrote to memory of 4612	1448	SearchIndexer.exe	SearchProtocolHost.exe
PID 1448 wrote to memory of 536	1448	SearchIndexer.exe	SearchFilterHost.exe
PID 1448 wrote to memory of 536	1448	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_2ce2275e80fdac209be7742d06e6384a_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4244

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:348

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3140

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5056

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4632

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4612

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
020e978a4b98ec32adbee462000af7b0

SHA1
8a2334171d38e81307c27a38e89ce6a61e7b2a3f

SHA256
9ae1a8136c069d4d73cb9976ca111171c021b42323c14adea40950e70b43d734

SHA512
411772f9deac2c0aade2af50c477096b94cc211932a6c2dc686d3affecbe3a11cfae54c3be20c23d00aa3ae7f691201a48c2abc96aa2003f34c62a4b4aa749bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
109896ddf5ef39e235fefacfd561cdf8

SHA1
b954773d2a6336a049f9d24441e065bb3e82efb8

SHA256
3f831be2c9c47017c2c1f69dba95e97322d3ba94b9a3726a50583eb7b2cc5421

SHA512
25d24a58ee5c0fd8bf976c0ef774d2ccb3930338ef83d8e07f28fa2258afe217f0767c7d4785631a56722f5d76dd7b85684baa906bb949c50def9e240c34a798

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
de8881ff1c2724b8e48924c406f536a7

SHA1
fecd35105451e76c52ef61cedcafce16621ea273

SHA256
eeddd975a8f7ce08f2519a0fb658b8c9f561360a370c06a315e62297363f1927

SHA512
0fd6e99ed9eafff5fed92c6845ea769cc8cfa65fa2e16ffad3ece29d7505cb0407c234eb76af42fb904fc2efc388dab6b6d40f9a5c7d1b7a7a49943e03d53df0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dd682c924c1c2efb49e9fa845a233f18

SHA1
40a99e14f9ff23239022060f8851095ec0117ac1

SHA256
06e498b2bfc2fc7fb563b7a3448970ceaeef10810968a8c9739a114d2c691a5e

SHA512
f802910a6f463cd364d32cf73232b8c3af2cfc5662fcb4d313d5744ebd1c32e31ecee0998cf910252748b055982978b629e391432a6710c10a8c97c16d123e77

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
34385b6d7a9a3e9e3c82208d96083cdb

SHA1
9a05ae26ec6c9c4c16bc3272e5696df6c1c92a55

SHA256
b04837e9fbb005843ee6afeda04345a87ffe5cdc138df07cee0e1a55d4f67bc3

SHA512
6f61de575a79a9f5c04ef0dbadb2dad42d3821aa36f3d4e53c1186f389173b598ed3cfd839d1b4a8b878866c95a9495a37a470cbb9c8f0c1df79a0fb6b25b907

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
cd7074d3d61752871937c264f1cf70e6

SHA1
3f8bcb47291260dba9dcb18984318a802e51a79e

SHA256
32abc2f6da4e174c0145bc43a977257fcb531a471b4a6234c8c3200b6108922d

SHA512
9d173ab6505ce363720377cb9635b767bf4c2e46f993a432c12f0bf71538ea2f735ce1ab8eb05c5f7e2a7c443e4ed34ea44ad59f9952e34862a7579bb98b3cde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ba96bf381d1cb4151bb7dc9d84e08877

SHA1
b2587a80483a5b350cd8cfe142246ea6a07ed34d

SHA256
e4e613b215add6564054fe97693bc9022201f9ed0292eb6534de4ca1245bbd0e

SHA512
e5b845363aaaf921b50049180afe900a7a0bbeec0c13bca955fe8a163192f4ef6e6a02760fdfe48562382b5e4fc19cf2d4d9be3ba74b176106d1ceb0b8ba9068

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7abf43e64d8c5ec05c85b705bde3bde9

SHA1
7a55a59185394755ae12fdbd9d5b401029e0c428

SHA256
28fc77d3b3dbef5b0e6149a5d4e19c1779ff8f8b674b6a771f01ff86f338cf5c

SHA512
afc0db21a9fbb4941c822303e6c2f82c37a5a2eda141b1d777b350a92a3aad1cd38b330e5fe800cfa9a87c9c67e627fcb8437fdf64a2bfa7f3fe1bd77e50a264

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6e0e59cda2c0ace54744a1e58cc868cc

SHA1
aa335702aaedc562ff9d3da9c326d5f68011e78f

SHA256
8ee9337a794ff3b4af13d076d3074334b44ac08f21e93b43053fcdd2981b99af

SHA512
f005296ebadd2cd27616218bbf0b733eafe524ba1704952bbf287925c02ac7fe1756135ab39b96829232368cb4c79f5ebb58c73f92d2cd602529b26c2e50a258

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3300afc0846dc2d88999225b4fcf9dff

SHA1
2cfb762401b2aaee776fdca6bbdc1a19c3b177fa

SHA256
db508c952f0fd3f5dadcef9fc5e16fad8adbdf1b3327754bec180d6606537e6c

SHA512
410721c25f7b436865f226e2d067aa633fd5c4a157e2b173c947be1a8a7514f2299d06ccb8b8adbf02f4d9d7c06f6f329ec7962ac34c4e63d8b139bb2df80298

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8c26b657d2c0cc1600452e974c04c25f

SHA1
9a42e7fb2eaa9eb4a4339b7dcab43f6379e93436

SHA256
7559024f8f037f74798c1ca4a5270e32c100028b255f7e43bb81bb1faa567746

SHA512
a1a47b2d0eb1d58bbbd4ab81a5dcd5a39eb4c12708b9be628ef5bb8d78ff188cd0e379345337888c6888b8b0e087d2872ceab374c6e2fbd6a517db23f0e7ae4c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
73df39fb5e91700c33c5a65d43222c8f

SHA1
5710d112b6ea24d6a2a05ea5901f7f94e2c37755

SHA256
4e970d0a58e263475ab7fa2b1252b9a3c50a719e342fc05bbaab8c24835d9598

SHA512
ccb40bf3aad1575cc548ae942298644a7d6ab362878704fd1e83343bc0b5136c7bbc8f92671669a0fa16afbe16883703a97e583138a500372169d2ea8f82c2b9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
328cf916294d91928c03705bba23f161

SHA1
4c402f64d1967a008376b399e4a4f3bdc56e9d7b

SHA256
960849b9f4bb3d99dba70c88d95fe1b59f9cf1b2f220708be99d2a2f1c06273a

SHA512
662d4b4797255e75599e8918d4d81edcce69086657e494bb9e6fa26a0189c53b4cfe9edebd5e6d380fd136167d0f8079667bff3221e786362f732acde42e8998

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cd3e69ff9ff371e9dc30bfcd7b39c0ec

SHA1
0fb390dc847c6341cc5ad9fee9033f876859008d

SHA256
25c77451498f1e9edfc63f39d04dd75ff3b06aabf3d63288be4b65dba6e3edcc

SHA512
d0d5ded4758fc7c2082be9ecc446ffbc5ea46fec84f6adc0a3a1c46dee63463eab5ec2c70c6902ba5e60187f2a9ee4b78017f66ddc865083abea27799be693d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
151bf03bcc468df3dcdb9254843d8daa

SHA1
cf0edde534d0cfbcb2ea6e0baffe5fd8b53895c4

SHA256
e257a10c89b59c78aed620187b3b9b3b6d45643c8e264c2ad0c473596a1002c3

SHA512
0b60918d3ad51264fb4f5486ee02f5ab08aa4213b3033be454caf8e7dcfdd2b654508d975f4fa005b09f3aeca25420f62ddfa04ada9a5248eeecdd29d711607b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
47ec347c555907758a29cfcde50efbf4

SHA1
902a0b2f4e39a7ccb3345210128ecf5cc5bf1f0b

SHA256
cec565516834f55669d018e757dc504db1a80db0d8867828b90ca8f5025d6980

SHA512
3f90674031c8f53a9135f282b82a0d0a2c9df20be3978dcd713e3a74b695fbf38d6e16ad0b3dd94ab984151da8f57b0c9c30f18bbdfd1aeff4a01fbf446be4e7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5e536590e67e9511a0ec0c9a8245af13

SHA1
953385e9ff13293fc125d0a670fdf2cd13d94b8c

SHA256
69959b76cccc427a12710c7c3beb522c7a88b81744a3151928c86baf5d2c6a7e

SHA512
a67d7283558cf8f62ddbf26ec2bf20fe6612f69e5b9ca3bfb4f5c04fcd1eac144fa71a8b70ebf2b7e6b96cef4a3c789f635e658f05a17da4d24e82a1ea6bee59

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0d21ca69236c7064a144aacadd11f356

SHA1
4b4034d0e230ae2318ea3c8271280ba488cebdab

SHA256
11dcfacd3d89b1a26338597d609a22ef2468109fb3b3fc89ad7f4f154b01760d

SHA512
9511f52f42e503cec3e2971f66d796f5f816a0a6d41f6c9490b924893f02df674df4318582d8717857b087a22ab7a6b336f7edac2e17877b9570b015e69fbd1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c5880a6a928f355f79a58b0c44eb1137

SHA1
583e0569be99c0567b76ff1d5b833f3feb4f7299

SHA256
c8ce3184a6fad5e6aaa4443f4fa40d631449b641f8dfd9e84605bf492a49edd6

SHA512
b92f9640974f1483fec11bc7a5f58851e654479e676bd50cfd8053927cad604907b1c80b62c13a88246d37ef850d9a4c9e3e06514c28d88a67bdf24836e2f369

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b2e77a35ff14a0121ebd21e5a5d769a0

SHA1
e534beae013f5890ebc93a2bc4348efc573e4698

SHA256
1b9273876163e48908724121d81ea6208e7477fe68638a55c89038553b5fbd2f

SHA512
c93d889f00c2f1e7174a916927c38439e9eeba92f07e534133c6945af02359b575d7fa8152b19e28f9a6f348e2e5c83f4bd45ea779c755902edf9da0835ce040

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
33c6b14d9c1ccb4661b6048a2ebdee16

SHA1
4f0567f683ea29a4fd52567bb90717bf8e083f14

SHA256
486cedc22e4c677f07175fad5a20197f6eebb89cf0300bda9ae01ddc3359a96a

SHA512
63275f959979c2018a4b0061363b5d1b2550d6a629fcf679a1a760912461d2c6e493b6b114e0ab201a85a9e79787ac76cd34ae25d0b876c22b94d83eca08242f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
54c54d77d2f6449e681279029a6ba10b

SHA1
268d37b617bb04a68dd7c7566024450b408f45dd

SHA256
f109c14f124169f78c21ec9cc8e4227081c808795af9c8f5200809b0c7c176bb

SHA512
7bf40f5386fbd99f6212591ac578ddb9bc3ee7167b800ce0e5ba2628bad31ba6880b0a2cf799b2650cb4a93f27701809427874f14d6590bd5b404d7233bfdb50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6864807244ab654ff52f206b9df39cad

SHA1
ffcbb7b04d8a6d249fb6291f188c55b43fce44b4

SHA256
c909658ad59e5371cafc20ed1751d8d01047ff80ff3b19061b72a6d67332c6b1

SHA512
e09cdca36803d79faddfe7630fb690a2e12042d018f31e28a070329cb2d0b1e08cd6742e29beaf6e3de54f4623a7f1562152142e065e463b2a8c0fd20848ca00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
71a263f35686bd1a090ae9dbd6f59940

SHA1
ac44c5d6ce89401a9cebc9f0e56a1c5c7412defa

SHA256
3b6078645d4ffe803d148815f0653caafcafff31a0b1e08c0085006246ac1918

SHA512
2959c5cccba4aedbc58f4a1196b3259ba4e8ef1a2970edd755022ead73221866b4f5d5812f0ddd07c67889f593882b5ff1901e849a0d3cd667d312a8163b2e81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6f5b08a449e2eda97fea19561e982509

SHA1
cc3c588e96f10f093402ef148f367dc0c6dcea5e

SHA256
4a53b224aad93fde8b1dd0803fccb68cde10608330b6419b087a306d40e9dbcb

SHA512
671d9edac7974b76411225f069ae527a994cdd46730634947b94f1ba9baf439ad106a46d9368c244a88b815f34662f0c5df031c108f9a64279913e63bcc24638

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1a103757d52f6f88a38bf6aec56691f9

SHA1
2fc56f51cfeda6ef91b2b3efa13c0c2f8c7fc629

SHA256
de58ef5d11f1a981da4d523e6ddd801bfa097d18dd6a1f49282c26e61a21317b

SHA512
9cfa59aa4de1bd4ef15053e7839b25223033f1182a40653fe4b902a1f7c817c9e907032066e92f730768cbf64d414893ae12d1c18b079bc21bfe98e208dd3613

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1251e88b4b7c066d11f8390f8d5908ec

SHA1
0eec16098ab97f920169c4310dc613906bf813a2

SHA256
8635eadd8d34afd44e57a8e024d9572b7ebd7aa20faa1c528e151f9e261356e8

SHA512
12e990ecd836de65e0574c426779830dfbfadbccc657c97978a99cade76217bc9ac27f8cbcced8b0ee60b2fd4c258d6add677f4fb56562fd3ccb0e3fb4d2b0ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
df966d402cbc8c99d6245adba7c6f6ae

SHA1
762f490bb42615c51be94980bd7ff34c42bf3584

SHA256
18595dd693db59a836287c481126b62a3c3e78dd479cfd51a506e25ae01dd7df

SHA512
57b1ad7381817c0d2b6496ef5fb27890c34aa892f90b9dc49e0ce7aa7eb77c58024f9ba8a7ce06b835fcd1ca1fd97f98f620887dad7f21239a36fbecfde4a6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a99831410f160b59fb8eb56fa58034da

SHA1
bddeb1098160ee13d9c1ce2b227fa80ec83e12cf

SHA256
5caf3edef6f13e5f4f241f02a629312d9e156e8911b6dbe53ba4502bfefe6fea

SHA512
c78ad987108b921f9fb046d60dfc10a5b0dba083de422fea18ce739a433e71ec22478b043733e85315dcdf3d7824a0dfb32ed1b60e30762f3699a42baea0d7dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d6395d1c3cab1c06db4507f5c7a3c6b3

SHA1
9239f69e7efcd0cd2d9570259f08ead0558b123c

SHA256
252b5a49490a1867bf0d667328fe691d10405f8aaf5eea59637680a8dea48dce

SHA512
75fec8a1477a9093cde0b0b66c8940f660e9602978415d1c7c1c18dde967e211e836fe8285d38a18742731e9074418385f7bd03568b6acc982079cb0e829d577

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b391378c3b852b722d692af3a8a1faff

SHA1
d95c9f30e39ce75ff0642204aa67f815304829c5

SHA256
fcf1b91a8f4706c7fcabbf7d2fc96bee3b7b578ea3a477da92ccd1e2e500370c

SHA512
26f962f49fb5499821062aa8ecd11813e0de66b3ad9f9236f618ac5c69a803df6231f94ac01e59e2452a09495f386aef28df25f29da0b21cee175467defea657

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
a5ac4119bddfff4e3a53179539c89934

SHA1
40bb28c16003883ab916cc0ebd6b2924d6d15593

SHA256
cdc459a6c0aca12bc5277eb555f7df8ec3d9095772707906f003183d1135c1db

SHA512
cbf704e1d13f062ee6fdbd59eff350dc4d5173f39f8a9ae0f546d10e47d3b68040a77a6421b00dafd6b45c1020bae33ad2b727d74016fff13125cda3c9ff28e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a221b7bcd729ea7cd17708dce1b8023a

SHA1
d43e04cc4302a7eb85b5cb8c0fa75c5bec398316

SHA256
05a21459fce638edb7e3edd7f923479228b465cf924f58ec1ce0b3ad128b14bc

SHA512
cc24b1fd5ca890f8eecfd960975266728e1ecb8d7c786ddf8340449a9c7fb2e58c8ca11aef94ac2cf8d62f57e54b2779a063f40caaa2112afa7ffd9bea49bd0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d370c8587205a2deafe8cff0b04b5bd7

SHA1
7d29965c13bf2ec6c73c206fa3b42374d4165c0b

SHA256
19e6e50ce60e3020ad2d976dc5e63fbe2abb1cae0a2bfb502b692d1d45463af4

SHA512
2538793114f4057b1d40e88847518ce1d5cc8d4fd56069ddae1dc9bedec0d0916c8ed8ca3ec986eefd2b845b0d8ddf266df5e62c04c971fb76e5bbceccf80dba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2e7496cecf096302a3cc436b523f5753

SHA1
1823cab3eff3f6910a8c8afced64296b16125aa7

SHA256
22168fc7c4c282d66067daf58c790510f5b91f9536a1e52bb0a02dc0705be644

SHA512
f40736bc9d7e8efade164e1a1d0e6a4b128b17917fcd73fe1549e1c89845b66519f8e56acc28925f1c334ed70c830469d2e45d34eee86adc9e6e3a3379c7d4ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e5c6b2e04d6e2357b488cfaf9c1ed707

SHA1
b86b39a73a4afd640e9c432ca607eabe21b8731a

SHA256
d8cbb70b92c52bdab87cb6addba9ee1c505a6a753960165c635d7880664bf27e

SHA512
3cb75752a211c004f7706d99def8b7e036f507a1fbfe9ab5b12ff9c3951bc7487761bd069665b8e9b6f9ab2c52b37d06267eb0d0afc98a405bd6917aa7168d90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
01fd37bf61967079feefeb752cd9006a

SHA1
6d5c3a94ea86dd789db3020597557c3b5e75623f

SHA256
b531f8835754f0564467c583e20f98100e22e65db6d44f947614dd070536a280

SHA512
876c3da89754f91e864d4aa5bd7d4b602cb00dc3e5d4c6f8d0d937b3ae4818ac11f8b7e3ac880b6c38afa001e9222c1d422bb8df63f984bdd761cfb69cd644be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
9a1a97488073e8388f7a9c920bf11a1f

SHA1
243b1b2c05ce4cf32c4ffa444dcb5ac631ab87e9

SHA256
764e89658bbed0ebfd287c6a840ba744800e375fe4944ae2435b494c07edb060

SHA512
f1e4dbb3a008da7d85b6de554a7565b810efc29ec1f329384f922453e6052ee268fb0198adf9718335204b30e139cc21b7eae9a1ab14b27df14afda63fd6f306

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
dfef34f40c5710659a080aff05d6e045

SHA1
9de7420305411b5e56eb08c211566d59e7041193

SHA256
be54dd2e645e50d03ac7ee91c28b26ace276ac32779cc6a779936ac347a27d1f

SHA512
23b302201c034e75a76b8bf36239afb9e6e9ebae6da9f1f18caf4af71e5acaf68675c020ff4f9b7408221032f6bb6b57a3136dc97b06c56245840ad1a778f22b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
8fb9f150cbe8a68e300806200a86cbc1

SHA1
4e1e1d965f6f4876acafc72ea005188ee0dc5e4b

SHA256
e0c57d934cb302f26f3cd84d3b9d123f3b57c9c14bb283469ff0e519229673b6

SHA512
0a207d8ca89d4ab8a50e7ae74ec9ee48bf3cc8df835fdafbf4b4082c698530c987e42b32f95e7d74ec47c31c0c221140b1e4ba6c70838133a8352bb786ab0dc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
7fa375036af3fc6cdf175a7a93ea2e78

SHA1
73a4e4fe367ef5cdc1ddd77e75befcc18bacba5c

SHA256
e5a913cb7be182f9ae0b2f0f5417782cbfcaa400794cf316fbbb4b0c667979c3

SHA512
c4205ba2fcbdb072977505e1365b2035a1f9c95a26d65b4545349799df4783ea8aece8afe55142edca1ff3d8d37a3beb7fdeab91fb6265bf2c3d6ac064a39c00

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
11e3a1df02823929a41907dce02ec88b

SHA1
3667cb90127a4ff6408737fb1132639e5cd428c3

SHA256
c887a4415b70347720c2b69ab0ff5f9dd6299464201895c40905ae7223a2ee56

SHA512
8ca568701a8da3c0522f42944a4be9c8cd5847042da973a62a4eb7860314095cd78ad20855d7f6a6e985afcb1d3106a432498973e64dea68ae41dc645b5200a6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
dc784eb738a790557f67b1f0ea1b509a

SHA1
6644afc1e648e9cb2638d44b90185f313409d92f

SHA256
2da93274e8dda7db6be18c9f2fd52c3468a62e6ce146eb0646a0439050a8f0b1

SHA512
1012ad8233f6693c991fa3040cacb25aa7f4d53f3c5a2a407b9d71ddaa2065148507d45d6de102dbd79bd0824b0fda84ca34299fdf34af33016bdb753ce5af1c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4ad916c82c1bf7296174540f2d6ed739

SHA1
7d3eb10a928a6bd6ab81900fe80e2ae684f13cfa

SHA256
57e449e7e564da8cea1ffc1346bfa33cb22c75eb60e951ba30ab5ffeb0a538ab

SHA512
b1868376e3648f488fcdfc44b332784b6ba540adc5cfdf65bae0760088ca6e15dd5800043a54ab8b13ec6227ed1888cae775966085a740c4127349f770743446

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4637dee7b07037327ec207b3d3f72a85

SHA1
19d71031c488e1fed20e7878fdecbd900925d00b

SHA256
bf299d7eab68f398e005be68c938696b97248be19394bd45f61b3a289bc496c2

SHA512
1b90cec73b41f87449e3d8a85c15476d26017786d807393021b6bfadb093062bba2fc5fae5400740c7b9d16dec8d1aa52432593fa2fe66b87c9da11de93dcbe8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
db468bad98a038090eee7593957f01f3

SHA1
637fce437f9e7c2e73164685e0210b3da5c646ba

SHA256
a011672be436407685ffb2a752cfe9ae6cdc3b025372798e38b7ae2280e5ee46

SHA512
ff8f07b8a6eb3412170eeb8b556b1183ea81c4d4bf82d9c6663d74c958837359c4a4a2fabe8f383a4fd81f489ef5862a8d784648dc7afbc087b3032cd7010107

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
01ed29a97eef3cd023a28df3df42b103

SHA1
754bd6440e3ab29ebf1a57903a6779ace91069de

SHA256
29d4b55d4f9f65970a9a7ee425b1d44833b80059eb991ffecd41164c30165332

SHA512
d4d27c5ce5916c8ee8c2457cca974ce4ad7e024f860255f02cfb5bb7cb5457d1861599bb9e5a5322b6dcdce37fd5ea79c832eae125f98920170cae9a74032c9a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b405ec8189c6dd548a70cdd7ef03bedb

SHA1
dc6cc240e57584f906c2daf52271b584ad848f78

SHA256
c54097db2e0c18a3d6442be4ca1f2bf42a5c0c8b441a32bfd51bce1b53cad858

SHA512
356021d4c96145b95746a36eaf2b588ce709716de6bbf4a5679941d1db421628df7ff10147335a68cbb29c0f997b50db5054c2d46e3551aa94bccd5a1c0ea124

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e3f878a48c0d558d3853ecc6ab70e821

SHA1
b3674f1e2a4b0bf893c2baed30b5f216ad1d78b4

SHA256
7c9ae30e7058c7a861c9f8d24e2e0497d29f555c120b248732f9dd8dab318dad

SHA512
1f50a424c031964248c839ec8373500e675ef1d5e200e0bca358303bc743500996ffb1ad7f05731d8aaa625544911ab17e9a95235b52e85f3f715772fd3030cb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c65415ee74c52fe1a2e9e201c25d7237

SHA1
21310c91406f5703a071d4a2247e41dfc47b3356

SHA256
39386bf5d475a44d551b4990e4f3bf358a7c8c92e015d698847756b6b3353838

SHA512
65f0f51c6bcabe2a32dc8cad0fa74a8201e07129d4b5446a59c2d8af439e9704c1dc3ec1ab0623ca1295b1ceb5dd282e03f373a5d166a65f48063365cb7f28c3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
01acd5e9f2d3323ccdcfd7ea5489c0b4

SHA1
c3b8c80698561dead1522c4f570ac54dce66a48c

SHA256
c7fa92b2261960bf6aa9c05c3a00e99d1353e4ac90de1dffe3236be1e162c264

SHA512
fb9407e3757b5f346837a1095e2d90ee8f49960f1b0902cd714e21ac04e0d4e7d61d7d00ebf4a194931ee8cfd249f3cc83d9f9f73c2472ec8073293768dba708

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2a319e36d702c97cba2ff8e9756aae5d

SHA1
838daf53ea2c51b961cd47ae2fa9d2deec23d8a8

SHA256
7541959a29fdd348886bd3426ac7c3fba5c138fef07d95e686fb1b23094034e6

SHA512
4ba8dbe752417253d9eee060ac23434d86f5b0d9a74feb20be2732fcdcdaac5befb0be4d112bbcae422c0bb4a65b8afdc1d72ce92163a81c0120cd98c4c37806

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2b27f2ec1459739cfe7c6695e4896b6d

SHA1
9c870a79adce602f91de01dc047470453a6f0254

SHA256
e44482b21d233646e6b5b81fe9eda8d627764516d5ac60dea56d779dda62ac45

SHA512
ccc31146659d6004afabf81dbc9153d893f1ff071ac1dcda04a0d15f54046864700488665ffe40286e119ceb58c6d01a5ac317949203bb9f00a1110ab9e0d624

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
268f53a4113541e9dff7d7599231c8ea

SHA1
38cbd61179adb9f5e226920959a4ecbc6cdc891a

SHA256
30b203e730f6ecab78687b1f56d4bd7e4f74470fb457cf0a255131504071d480

SHA512
d9735628f975ffb8c136cccee775484e95f76f4eeeb0382603080fb76c65f03112fe7349b428cf6d6f4b1a679bdf9a40c9ed8d85339ac675dbf7f9f265983080

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3ac693ca85983d464d400b569be0a7a4

SHA1
f00c96756c49bc6ff60013eeb6c5ab27ef36d1eb

SHA256
98d2a507fbdc782909441c02d541b3d76a5e422c8e36bd0d4629f2f817c9a76c

SHA512
c3386832426d0aa9b13e300b55a0d4027e964f3164be2b6a487e9b4ab10f4b0020ecbdaaa5440fb6225ae1887055558695c6022a4f3a9a4b175a98df2d7994d3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3a471d02945f8e3ab8094293afc3434b

SHA1
beb49f3bd29cdd426a1110adf1431449c046403f

SHA256
0bfd103299b96974d8530ca9f5f3d3d21408f105a629469c533e9906821c728f

SHA512
3be5e018b89866d2865f9b3ea1269aa4cb7c0ddeddc1eaef4cc69af474bc2e6f1df55b1da0f2f54813433abf58082192414f307646705522a26ccf70ee68e4a5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ce5561348a947dc992f6384edcea9ed5

SHA1
1241db1d12402e63f35b0ea4d1de160088cd147e

SHA256
cccc7320401b658eef1331d73b05268f65d4b079d34302f0bb7212d26798b1c7

SHA512
c411e129a5ac28f38b922f06eab21f7684617be913004f5e5d9e1266cb8e7982453b1f77f7a66370b09c08828e6712e5f8d8e4f851e34f67b5853835b49907a0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0cbfb60f6942664e99e56e107f4127f0

SHA1
d4023a0685507c8c96d96e18b07b38818cfa09ea

SHA256
ab3826b362022ec179d94c24c2e04ad781b8573cc04dfbe0324d9b1bd1f9df77

SHA512
194a593e0b7789d4a165c75c2cac8e4f084f191f503f12735bbea511259e9dc2ad494752322130f3efb0accbab25d4406526ac958de34779401313d3ebc074b9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
98dfb3a28dc4290842e60973f322e2ae

SHA1
764d8e9e6439b846c088b9f8bbb985d726020967

SHA256
ecf6f2ad4f1d20b886b4ae3c3b70fb43527d7d5744f8ba22c2ca033889f83fe9

SHA512
30d18cfa17ceb35610429c5971dea4fb0b8f04c7052021e9cd80cc973c56487f77d36d4cb0cfdd9b8c13392a10b369a06ee446ad5c034f2979fb625448e5461e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5a415765c13ba1e4d13fdbad83bc94be

SHA1
cd48c2455c35b94041b217df4daebd481fec3110

SHA256
181760f458cb321227a2c5b5809b5e6387594526394f0373b4c302e6aba79887

SHA512
df38c0be61754516cc054ddd4b7f40ab3ad351b681ac656f8419b1d81f528e9d1a7416aae822ee26c9b509ff9a398e658e71e980084f9696903e57fbabd6981f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7b7609ca40b333e5813988ea37d2edce

SHA1
49f9485d6721662365b6c5a87ddc92bf8d2fd85f

SHA256
7e48ec52a6b5d07e2f898f3b0805242530f13ee8f15b44d4f31bbfb4326dd198

SHA512
c6acbff95d2a825803043284bff2938ef7ae9d91e28c7bb20ac59f07927f7ebe4f4431a07f7bd27dbee6e171931d6b6ac00da018bc89eb56da6c2d86989d9df5

Download Submit
memory/348-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/640-318-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/640-250-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1092-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1092-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1196-286-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1196-410-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1396-248-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1396-245-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1448-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1448-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1504-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1504-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1504-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1504-238-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1620-327-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1620-549-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1824-330-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1824-550-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2084-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2084-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2084-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2084-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2420-258-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2420-264-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2420-254-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2420-322-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2476-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2476-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2476-109-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2476-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2624-300-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2624-541-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3108-1-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/3108-28-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3108-6-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/3108-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3140-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3140-508-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3140-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3520-66-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3520-72-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3520-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3884-319-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3884-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3928-268-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/3928-273-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3928-326-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4332-38-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4332-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4332-32-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4332-108-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4660-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4660-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4944-548-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5056-288-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5056-481-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5060-311-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5060-544-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download