9d4811daf5f0d9635ffe23e14e959aa5fab4e9d17c477992d673590deb790a95

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exe
Size

677KB
MD5

cfefb97ddc161f242b4be0e0bfa8fa3d
SHA1

4f23edf479475a5ba2f42be0199036035e0c2c05
SHA256

9d4811daf5f0d9635ffe23e14e959aa5fab4e9d17c477992d673590deb790a95
SHA512

68afdaa64afa4c8675d193553efb27c7fe74b639bc7d164c776d0dd22b1241d61ce1c0839e735b1e402058bdceb023919abf937d1ab5b8e07dd89d7b11579cec
SSDEEP

12288:IvXk1MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:sk1MsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3768	alg.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
2948	elevation_service.exe
936	elevation_service.exe
3472	maintenanceservice.exe
436	OSE.EXE
2260	fxssvc.exe
2024	msdtc.exe
1932	PerceptionSimulationService.exe
3388	perfhost.exe
1880	locator.exe
2040	SensorDataService.exe
3492	snmptrap.exe
3232	spectrum.exe
2984	ssh-agent.exe
1984	TieringEngineService.exe
4324	AgentService.exe
3260	vds.exe
1936	vssvc.exe
2056	wbengine.exe
3432	WmiApSrv.exe
2816	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

elevation_service.exe2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\47bef1d9d590e271.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b55f71afeadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f98e111bfeadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a705081bfeadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db1bdd1afeadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034e1e11afeadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000166aeb1afeadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c09ca1afeadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cf3f41afeadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe
2948	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	960	2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exe
Token: SeDebugPrivilege	3788	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2948	elevation_service.exe
Token: SeAuditPrivilege	2260	fxssvc.exe
Token: SeRestorePrivilege	1984	TieringEngineService.exe
Token: SeManageVolumePrivilege	1984	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4324	AgentService.exe
Token: SeBackupPrivilege	1936	vssvc.exe
Token: SeRestorePrivilege	1936	vssvc.exe
Token: SeAuditPrivilege	1936	vssvc.exe
Token: SeBackupPrivilege	2056	wbengine.exe
Token: SeRestorePrivilege	2056	wbengine.exe
Token: SeSecurityPrivilege	2056	wbengine.exe
Token: 33	2816	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2816	SearchIndexer.exe
Token: SeDebugPrivilege	2948	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2816 wrote to memory of 3612	2816	SearchIndexer.exe	SearchProtocolHost.exe
PID 2816 wrote to memory of 3612	2816	SearchIndexer.exe	SearchProtocolHost.exe
PID 2816 wrote to memory of 4312	2816	SearchIndexer.exe	SearchFilterHost.exe
PID 2816 wrote to memory of 4312	2816	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_cfefb97ddc161f242b4be0e0bfa8fa3d_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:936

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4092

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2024

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2040

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3612

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
606e31d0382ec76f3cbbe17115b7c490

SHA1
436705e20a3df171203f3a0cafc3270fa8a87111

SHA256
9ae56c91506cee13d593fe64801c79cf504b0a3bf437e0f460018cd4fe00d871

SHA512
66f8ed1b20f3209b89fd666d90ef2ea6142fbc049827ec46d599004f6fbc6f6e20ec0e52c9157d15ceeb3750a7befa3d5c2c02cacbd4c733b46de9dbaa19dfcf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
d46ed42720058bb0e01c04fd2a5d27b0

SHA1
cc22644a32da31f8e421b99c497ec977d2faf0a2

SHA256
23f81919293fab4e34cdfe3d8188c7badc6e03e52b8900b289d8cacc5959695e

SHA512
cbcc2b58b8daca66b0f105b38e3298d98638d009720017b92c5ae0dfe962080a759a6403c750983df7d8d5468b9f9454c0e7b1c8bc613c0d14e91e07d4981cb8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
3ecf858f818b1c65905e6a086f44310f

SHA1
db989bf1c139c9a696dd9494c201fbd60bbde2e3

SHA256
b942a1b185e1831c71036c81be55b996460624931c6e1c69f09541263efe26fc

SHA512
98486752b2bd95fd71d8ca13f8720a4adf7e37519e5c7b40711113668d66821fe015c6096d691ec0185e544055ab0ebfb4d5b3d45e0933e72d896a129288f5c0

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
aface93aed0506c2dbda3753a7d82a57

SHA1
23d73b1bb33637c8837ff9641c90207e0818c5ed

SHA256
652df8912ace160ed70a49eca6e38ab352bb17d5ae521afda9cee77304852dff

SHA512
4f17cfdcf60e7339e9689f21577c06be11b2bc00608eee714dc37c9e599de09721c8600a28c00c68161c5c774bc629da376c84b0490a925139b9ef3b965457cc

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
7337861ecf9fcf3f313a27aafeab463b

SHA1
b8ebf7901482484556580ca7dc736522b15a4619

SHA256
6eb78082b966a148ad6d2ddc30e46b01385cfc09a68adfe3eb74e08fc4c3d753

SHA512
0ed51473868654128ff7084c9762f74e054a0deacce642b470b6e2784f7cb5f5fc4604bec28907db6bf4370187c9f5dfd7de369403a2f83b795a4d93c960f5b3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
6c63c46206303f11cedca501a1c599ce

SHA1
d7278ffafe9cde6e514c2c4bd9b03c779c3ddab1

SHA256
00237008f8e1665a902c67bbaf9a578377bdc46eba3554b22ecdb25c94f60ea9

SHA512
ac66538be305bba2d79276c32f716242cf7f0cfa0847ff60c138454237573dac0bd1df8a5fa33ecc892c45f99a62204c62eea639b53b7b7fa336591397f9fd96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8cfb56a7dbdfb3df8034a7993c151cd4

SHA1
f4ca7ed3715a9a7a8553245d6d90123ff07ac5c2

SHA256
388b988c744acfa745960375725f687f73a9a85d23acb3d6a7e526131e692272

SHA512
f7d656b4a25fee92720b517efa960a9fe7b7c79ab5a52a5cea32c29a27feafe6183bf0cdce9e1f8d0697aaee7d9dbc7bacf277e44c291913a5245772f6f0658c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
888c80edb387d6a8219f91c8d1a9c4ee

SHA1
8bb89462b38923afc5699e07c9bf511d26d9698d

SHA256
e66b77151367ef04ac0cc7faa5f3c1fdcecaaaff7b30297e8af9c95ec7835630

SHA512
3029f042edc52bb206002cc871b8113aa84002ef4895414e2b08f680686fcb409d9d39cd17e9f64d135ef267d623f26ced5b72d00649b2d28fc0e4ab148f0443

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
cced0787351e041fcb3d7b0e01a964fe

SHA1
65ab9bec724a6c30d3b789538fc4c335c33663b9

SHA256
f7f7fa98a4ee0dc32ee47415e65c35bf67813572f81b0cbcce7ecbb2250792f8

SHA512
ec7aad9292bba5cf9a840d1d0c2acce8dfcd773298ebb7de0f430536bddb2d0b607bfcedea9f29d051d60f2cf267624971f413596d587128f10578d366a2cba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
03f8407f67253ebf8cb63f30670983b1

SHA1
15bb37a811211459494930ceb9531df679ecb50c

SHA256
f449321c19436e3d3623682227a43b0acf701004215897278a2885094a6ea2c6

SHA512
3475fec2729a4cac06c33b4a3a79dd0ff3b84dc52d88a1946e9bff4503704eb97f211723806a699a1abd913887eb9be330614765ccea2e4db7e793817e8c3ed1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
b1357a48e46ecc6f89e97ff08554dc31

SHA1
ae18ae8eb16889ce9f2e95853b308244318ac455

SHA256
494cf10973f31eb1c4fdb856e1775045a8e5d660e20f73e894978f9d973144e1

SHA512
2fca4fbb7607728c55831bd7c3e8b8f3d83799f7e32303ce81b57e2934485e8dd15f54fe0670e1865b0bddbfef436021e3b3a5ce4a751a1ecbbe99cf39992c42

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f9b634f8f9ca22908aebdbe3f8d09b77

SHA1
879da9b71d6ad4160df1e96580eb2d137ea9759d

SHA256
d3440fb395bc9177f81a5935ed67c942ba8fed5b5839753ec63c4ee7f39ac0eb

SHA512
c1769f61d97b80677961497fad3b9154a3601cde22a8f5bd345f78ed79bfa1b0ce98fad14304641d104ab6b32db58f70738fa033504dd4f86d4e651b823b6ec8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
72d65941475d5ed2f25d66b29032f421

SHA1
aa9433fd6e80879ba6bae6b7a9452f5328cefd79

SHA256
03892a961bb988353c28a462aca153ac0cba60a677fd409bdcd7a52442245bd8

SHA512
efbd665ce42819cc52f363af08bd67cb8d4b2af5264acb4343e402f977931f4700293bcf4354e6384024ed5de93b6e02d1c2118bc69d4c8159e4b78c3415a966

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
60a56f9e74541f241db19f5b3e8f91b3

SHA1
f279fd6cab155b53fa24bf702006fbab228d76b5

SHA256
4e0029c3f9a3038ce35b8816eefdf7597ae8fb9a1d9cae3f6dfcbb47d1c02622

SHA512
3b4d91e8c14be7307d7385d4f865b94f0e35d766eef915a0428bc57f1845d286fbf2a145dbba9254900c185fed32ebe54c033ab86f4603c69445b11d3048412c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
3e3889c86ab0fd7c46436c3f793904f0

SHA1
de970fbfcc11266d3fc73568fa2ac61a4a5cedb9

SHA256
7c32cf34ba6ba9cbedc024e01facf7a27ec15b45016158c273bb5d29134d8006

SHA512
b04d9a7f8acdec51b4700221e71c1a2a2411e01bfd5f05589b18d0d0b202337f9ec2d51ad4b817803f07d3f4383939714d6e48ddeb0d586a9cdfd7f384406ed1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
313c6d87e79634eb2f8d85039f771aa1

SHA1
24bbced95954719a73e64cd6d9cc4ee77ac0fcb9

SHA256
a742ef3295a89eb77fcef00028018550ccb31b7bc4e85f3274d24aedb877e576

SHA512
1dbccd7eec20f3647e1926abb168ab5220f74a95feefdbb979991a81e6d8296fc9f41a0b9a84077b28df7294ddf077d3fbae481b568e66058cf4e2d8745d493e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
3440c9b374fd6c13fa1de5891df4f480

SHA1
40d0eacb5588e1203df60f113f92e0902a769573

SHA256
c74279008f3382710a458e906c842902ab4e42b75b3fae67d5cd091e54bdc1c7

SHA512
f4bb8af3c16d01f01bc3d5e3d8abe876b224fc49c181b231ddaca987909bc788499d3f96d5ec5c538d3ddf276b434cecafa672ba64d87690a9b4fdb220c62060

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
13fadab7d226a15a97c8e6a1f19c2e7e

SHA1
e8c5d1fa1e1a525ed1d37d1f11e9bcf219bfbcf1

SHA256
4c65ef054e87c61569cadb98ba8bd84b2eae5a62613c9455f37be7dde3cb85de

SHA512
0c1bed4388782c1af2b083ed2969ecfa33711f89a6015d62b311683131f71298dfe6f5579b7799a77cf2e75f97bf01ed7f42b1079c88965c88e3fea4c24dceb5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
4a9d00deca10a0340b33fc2914e9fbc2

SHA1
4517a42eff89b6e3ac4a7191929ab8fafa970005

SHA256
20c5b3ce889eef4e329fd3a3247d1e6693aa00094294465acfb467870d32ed89

SHA512
0ed9c7f9c041b82e1234064e2d5967df293479d9dbdb48d38cd61fde5e748131b24c64ba494ee5817589e74abe254c7e187af25a869960f076947f4fb0974927

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
4231991c674b5a46a547183707129e97

SHA1
b84f8179904a53eaa975dbd16fa46fb0cb4bcadd

SHA256
38d4f31c70e744e5bcee136ab7187698af6c9434a5ce266a08e3456bffe24264

SHA512
32ce5e761c1529efd6ce97bd5bccf8e4de4848077edc7c62145b99f923b59955eca1d122ba0c848a4da7fa19333e07d35b8cee4a4a0f2eee9aaac8f7272f6777

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
f45eee5a294bb5266f618a96c7e908e5

SHA1
483761d70b89db906005f6a0b105e3535a16aa12

SHA256
94a8be7a72efaba37de0a38ff83ce6dc4ea23443636a2c4db5f29822642d7af4

SHA512
8e75449586afd20308b17284c0657e82b42568079cfb82dd8b1706c57d528c7644df99910de4f30883dc12dbd82841cf62d974f3baae496e8b458b76e3c751ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
4827e1b960a8a3ca82da734e009d5dad

SHA1
3c87c881ef7f0e0462d9f70718b82deb594eb145

SHA256
9f4f8c121743a213ee50db0606bda18665cb7640561ad39b5cab1f8b9487a30c

SHA512
4823622ae20a56c89e94260342580283418d74bb49299a176ab14bb5f26b0847c1dbd424e26d6aab3e9443ecebb6e55fabc65d78382626b8f11264d705c71d90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
2a3fbb232d2ed4782cc66f1e165d145c

SHA1
2ce0c0a0c3abcb0d81d80b1ebadc4a5bd7b94474

SHA256
d98d1a9c027353481a6cc5395cf5ca9aeaeccec1007910854e81e01a90bf1375

SHA512
f4cb48c7116071e290fcfb1b024873b6c0e0e34587df709a1f6b0ddfece2a308fda8ccc655df9cb595d79e32807de4f3420da0c6927b268a025ebf56ca86fe2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
f0e662a61e58b47aaf3b73f9356f0412

SHA1
53ec82607279bd61c9d8f932d7d85e4b7d886a03

SHA256
94ef3edba90bd68a8a2eb9d491819571a63b43f04cd34941bbc9167094e588a3

SHA512
00e2dea624e2b2cbb946acd233ad15758d9726db60f33a60805446e8584aef6e387d949281a5843ffcf69ef56f27ada41fe90b6b501f6affac972e03935c5139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
da5decfa6e19f592de17a7da5f0d5400

SHA1
9b4664a001283af98f2e891d5548455ef0427697

SHA256
bccd210f49b16bca7323760273f097b86a4f666cab561aeb8a9a4248f26bbb7b

SHA512
6cd6b5ec7be0fe3ea1728593868316a6618de60a46de6996fc8c0bf182070527ef1d3c33d9a67ddffed159e556b49ca3404ae4d48b28528b04143a296d0580ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
b6134f729ee3098b7aa522ce73c3fd7c

SHA1
47d2b8ea6abb37ae55e3d2d95cf2065007b8f91b

SHA256
6825c9d08f05363e6b6a63de6538c01d1b0073e9bacd9c9558f12afa5c91e0e9

SHA512
b251cf630cdd3f71d4ad335cf7396af6621d720d57757cca34e0df9e4473932ae76c8d0290f79927b1e55a1d61f67c3dcc442005cb043d743c9241070e7aa218

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
11cd372ca915cceb28b14b5c9c77d8a0

SHA1
eaa2f8d16a000eacb45c21630c1770eadd1df1f3

SHA256
8a8e7e08d45678995c62efed74eee9c19fdac51c142feb1fefe4de451a7c45cc

SHA512
1ef895e418b166d5188fd689fe4b08cbe94b282c32dfe3fa6cf7d36c9e37036e2db5eb7831b3cac011d438fd98153592d5e6d52f17ec4863dd9a1f76876b0881

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
00b08a4084da5e7943263902599ad43d

SHA1
fb017bd239887e3ff10611a04d707e8a1be16314

SHA256
4da1052e31ba52ddd2f293335a6b6dcdb8f4998a7496a5d4a85859291c6bb254

SHA512
1706593e01e0035221469000b12e7e1ef7a4f905499a43c37b46c7d64e0cf1087c8c2bd4851c154e3771de4406283e0049cbb13f853c12c1cb2050c981e7e04c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
1a3c4c2afb891e86b78040658adbdf69

SHA1
f9c92b6306ef5e87cc9a0ffe0b8d4758c7f25d60

SHA256
20cdbb0abf8a555a24c790671f828099bf767c6a08139c42ef8935530c9f9eec

SHA512
4034e4ba5f7671b7dff0834a49eeee96a40d02a3728587fc5c1ec71d9ede40ffb638d2076b0164df48f65fa7421c5ee4a0874d4604b8d01a7a4aece2d26383e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
ab8c3a700de145770af4a0e5ba7b7955

SHA1
5d864e092138f23f674bb869a4858bdd76abf8d2

SHA256
88db401678f09de5d4c285abb707af3b67422c4c7679e75269f100c04b63cf58

SHA512
e6ffb76ece886151bc52715712ad6d9d2710874a33cc412f4d84eb5eff30805988737274297c27871e6d9af4c07118e67653b9abea85b9b0f282f1fbb1354a33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
cf741b262b91efb0544ba72a3a5e7163

SHA1
c571a9c39cbf35821a19fe76c0a413dcb7513f89

SHA256
98288c4e9a917f47f844f5fd8b7c8e1861b73b80ab140f9cfa6a8447aad59857

SHA512
a3224d38729abdd3c8c40c1b516506ac537e0adc8013ed536b8dc978561aa8ae7e4313d712a4ec6d2314ca2196f0e73c8abc8412ec5f2cff5f513c9fa27e6fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
9cdd96da6d4b8ca19cdb1f69d6da9c46

SHA1
ad38c438822365d1c2477caeeb697de3279fd08f

SHA256
f4739769199342c3daa936d3fd5f6ca9e29452d892cbd07dd3dc5a7cb3c9a2c2

SHA512
0be8846fb04a9f0e07509be86aa95a4157200d503fba25b47c19fbd5686a8e64b6ccc6fdfd49ca64c07bae40699c00f64dba42bd9f5dc52c7788086d2c6a01a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
495e3aa6a902d823c565d0530003b7b2

SHA1
277a9b5ccca6dd9bc4f5752575e22bb07d132f4e

SHA256
5a08878847a30cb27a57e19e62aba7ded605a1e16e98748116d39abeedc7bab2

SHA512
0635ed6b1a976950390759bafd15b3a0d94169dba5775f3a34447e256618125f46f9312b77c9a1a26d326363b3bb20125fdd87f8efc0e86ad8ee7ef18248ab62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
57a4885b8b28d88deca2b18f13db99cf

SHA1
c2d981f7276b61fd8d4366648933c5d2eeed2e4c

SHA256
2b4067b8cc44a614b310681accfa6d0db46b43e4022dcb0c077bc9f9d3c8a99b

SHA512
14736be0aaf832ed64c321de225d8eb15be749f39df917ded00417dcfbe85623680130450a8233ff26ccd26d0efc34e3062a80c3efe38b6e02fa0aea6ade31f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ff26a73e7f3d75e7b288e0c0f664c42c

SHA1
31b4ce9f7f8b621325ff331f3e189673f7ea2a49

SHA256
c242f0a7fd6db7faf3a507fa4852d4a01f2f2d9d19325e78dcaf782cc6ecafc2

SHA512
63ddd3f34474ad2c0e25669bce927c5c66639bd79a1cba0ed8f7549d3bdc2465331d824dd7bb9b8d45d1e3f82b70d57dedf268ca3dc16d79842151a71627514a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
977e23e9b50162cc12eb6f03458dbc8c

SHA1
3896f5a1276b97479b7a8d337a05d4556341c3c7

SHA256
a52ba5b7286c515eef003392a8ede9683c3a345b19f71d9eb7856b40750cce9a

SHA512
831f60d5a7e8bb6322e16a647926b26c9248dafe9dc65892b503c69d2dc0279337b9b4ce07c002e9ee50c05db32ed219399798c53ba5ed0f0a526da8abc04d16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
47220c32105ece8c2e6dc79b808d881e

SHA1
4a3d1dd0b84f390c37fcfca0d849a3a19511bfc7

SHA256
9f1ae8beb572d149b47257df0bcbc3dbf115f878bf6a1fb4b807392d1d012204

SHA512
6328cd28215a26a675aa493f75640e791028147d325bc12891de0ebd41a03b74941128ad3a8138f90e6c8dc40a97b4bdc4a97e993c3c7f6378e0b14e13947acd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
653be28eb57cfa67e3c59b27af2e22a8

SHA1
e3b5157e41c90ef3ae9bd42816952d679d8521df

SHA256
b59c3bdf5e83e1ea8cac822dae73744787bbf53aac17c83febd11b4625b07ace

SHA512
760cb51b7843aca0125387ae278ba7a7e2ff8e6da3846a95da6178ae9b4a246d059ae782104c2301c784d22c01992b252aa6bf39b16f274eab734905b7ff7ade

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
e34c565da922ef173976a2f485124d2b

SHA1
85f47f9d30fe26422d60b771549e645bd7adfa96

SHA256
2a72c0e281950d10cde138dd36fc0193db3abfc6529425d3fe1a72e63c4897a6

SHA512
36a1c9ac3fcefc89248e2aabbfc0ea3ac2ca4ef0a5ee7bdcc67aa4a7557edafb7e722e55e22d10bc54becc89a60d478ce61b39de149f4d40bf63f516717f5af7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
8bdd43b99d5734ab8e101bbcd2af8ba4

SHA1
c91eba94888b5138e5c3ba29940aeb98c37128e4

SHA256
d6e3877936af3013b33bf638df1b56b16d999c9154e42991de8fe557ab757ab3

SHA512
ba3f5b41ec109988e667e4de708186eccd77a69375458a7eb811aa0318d4da5cfbf17517275b98e4d87bdeecb2fbc3c667129da6b074faf3b6413253d30e3506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
da0a815f29b9cc5b198a940497b2336d

SHA1
8f04ed2a62c4009106a49405665851053860cad2

SHA256
836b69a54e68d919e80ff32e065c7dad0876646eba5353d031e8338ea23eb41b

SHA512
8beadb7198b7e02fe45e007953187792a35a71a88238d470518f025ce3caffdde137616b8d722547237c5f56639c0c6cf4739b6dc00aac1c2e448943cbc37a82

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
345fc15ce714eee19265bae8939d3398

SHA1
6d051a89f8872790a61d510417fe2ec6315f701b

SHA256
dfcae691eea9c31ada97e904ac99c013dc462135d843662ab16ddf51f675b9ca

SHA512
314682f0bc8ec3ec97e5ad5a5082dadbe5f4fcc73037bbafa86bfb1eae4da9b734db19da6e894a31f0aecc03eaff741a4c056240e95cdb6339ad605ca40e022d

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
98498fe9abaad922f507b6aa258e137d

SHA1
dd84074436add6adb4d1c7689b3f69d3a03d2727

SHA256
763a36973a8e99a16e482d7f31f5374f897cbcecff5d124a3d1798ab3fb0afba

SHA512
2660cd2981d0d7ed2468a67231f782716f1ac20b38cd86a8eab14b17fc305ba951f53fb643d9dc96f3c73cfc63bc79277595e90cfa39c0f133a6a3963dd1350c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
077b161664c9749bc84c82db76556336

SHA1
894e5798849eebbbca930441bd332de069e201f7

SHA256
4b35ce610c07eae3de0bae4cc5b9e3adab6929c795a843de000b8ad62e69bba8

SHA512
37133497dfe8b8e104a71e910c86128d9d8ed355d40437d6a89f4800ed453ee8a67309fa2b3f502c7752a2872a3ce143d0fb79b8104353594aefddf226cfea7f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
cbac375a3a9cef2f6828a23c89e48ef1

SHA1
6275c99b3f9a4a4607880ca1ea73cb82c71bbbd6

SHA256
ab60046a8a69e3f32fa0cd3173a12d00b26caf6a1acd3ba7606a70530cac28bf

SHA512
dd81c5ed05695a2b71c9b039154675f98e62a9d324ebb5dea387d10f421c5a95a383214769e93392e9e2ec1addb91ffcdb03d38f469033a0e6563b8c604834ab

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
67c379e814f9e56a782367cb3d151184

SHA1
fd5b6eeb9caee94015960e15c6bd29ded40416e3

SHA256
c0be659beb428215f5c84351198093be6914b9d6dfca09883c2965f50d02d7e2

SHA512
7e73ce6636c28aa4dd446b22ebd60dd12de74ea3abee08fe2e4042cb01ee2f8d60e59829640477fcbb7b63f41e5abc4dbb64ce1da59ba26c31b523bc66cf31f4

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
d91b999450283b1b20c55f317efc4120

SHA1
625831fc5ea5c00dfad41e37c800a62aa9fc854e

SHA256
88572bf282db1b3a7a9e470ff77393ed797bd874f916e8dd08066b66c829f6d6

SHA512
29d05c8ea10945c2829e537c4fec758ff69468349c1cf9c20a917c6f90ad0228febea36abea3a0215d97f13fd0c45fe615881b446f54dc36eb53ebaaf754c3ea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
51240e0af0cb9b4ee0d87816daa0a6ac

SHA1
2a812637751e7cf301c52975866c69c9707cd546

SHA256
9eeaee28ac6b69cd5a8b67c425141d4a235d13c2fa31222852d75b10a044c132

SHA512
403aecda8774892dd1f7a5bd60e3828f7d10c97fd3829aa5c91214971894b623e1e3d568cd6c508bfeacf08c333e631a9c3def73c0ba7ce518195206fa29feea

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
5e3e152a99c29731f63e7cffa1e9d283

SHA1
838238c70a3f8c193e091a7d4ea2683bf2b29edc

SHA256
f8cd9166b6f599d25e124a545f7aa611d21b6226d13856e4ed8a8f0b5034c868

SHA512
a0ce0399a6259426bd532d935e3628347262fa6d21660acfe2e63aaa02ca3693eefede0d8150741e5677d9c8e9142eca023a8959f5e5ffa8a808e4cbbbcca6a0

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
26357d20b4e66423f6bcf8fe12f8ff0a

SHA1
c4b28ce36a2caf9d2678a03260ea1bc7bfcdd7cf

SHA256
7ac213d62b0658c076767d77c9dd116e6b8856588efef9e188537b9505e3b742

SHA512
ab0d7dd48c54a190e35c6f8e85eec84ff97a7630401f0344a1ea9d18ec6692e4698bd1a18809d63c933a3f7866e50e925fc749cdfd75c6bb964c2d9264cbe7ea

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
84597caf2565984b4672f31556bcd0fd

SHA1
c4ff06a12f49752e22289a579425531767e986d2

SHA256
a2fced86aa6628dad33a247082c89dffea972934594c21c3ef8741b4d94cc2ee

SHA512
fc6ec5750b16c03eb0e47faa8ee94dc2ec574be0f18a4507d1c6bbf40ae78625b32d585493e576a08d15cccabd1690cbbb7bfe849190c9fcbbf8c096f4aa885f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5d9b94e031c00de9e3978e423bd72aa1

SHA1
a1cea83e3967bb75e58eea83982140e8f822a25c

SHA256
b2517f514cab292fc29a7d9a4b0d4f1e39e51218471b7a71d556ef0949ed7f0a

SHA512
e185ba1dcc6696006efdb1158beb5b6b907265bf097947a2f50c480a08f86863d1cbc6959d9a69a3025ca1a5ccf5d70157b1da1c6880a721b874d950392e3984

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
e72e5cc7378db55f55573291723d253d

SHA1
fae6970a592df4349fd8602f9d78f4f51a38665e

SHA256
a8f1da36f76de164b596b041a60e975a681c63ec0ff45d9e75d88cabc248f59e

SHA512
1b1087661a3e746485e53b832130dfc0f9ce11eaefc1fee2ee8b157043ec9a45b472847459170d128ce224033d635f4716dca9f3b7b864c90e20d7e23adfd00b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
e2c5d1560d4fa23e6d8628b9677ffbd0

SHA1
3ea1627d19d9c9001cdf3526cc14c6b1f482c32c

SHA256
f64ace52684fbd62a56860fe3658f33d456d6370c431a4c59f2f15f060a02c1b

SHA512
03a3036ff0d3f9e392f37f98584a0147b160581ce4e8745a5865dcfe577944be3e27e3e5e75e551cfb52f903ea652bee0fad559763a96ff5ad9697071f762020

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
4a3b31ed6ae2019d8370435d6ebbbd46

SHA1
63e7b718439445a0a2c1e9a5a94284a496582cac

SHA256
8528acd9eb787dff7ab08c0f175e7cf61cc2e859a962a54c5f81871c486bb257

SHA512
33998e2bfd9d9cd60c29fcec161cde6fdbb644544c165181d914610c09485dc7a9f13e08600b81b01ecec93250d1728359a155bfee841ba402ec1cf7d956aa3c

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
106ba6d6cb3ecb2c3e081aff0102914d

SHA1
cc3d2506a0781140237d096c2ea1ffd402b85953

SHA256
f3dece4949dbf868304f964cd05aa45eeca4d2df73ab1486c07a770e588989ae

SHA512
0fa8e4c2e8d76018c6ce9f47091cad78da8b5c83916a439ac672ecb7780c53752439db3dc38966615d80974518e407515722b1df54a16a9af5b027db4e549486

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e66d9659e2fbfc525a42c132c468eb86

SHA1
9f05cb1f1748bcc84fefedb578fe73153fa8b065

SHA256
bd404246f65dd5e18fe9e9b05a722b5abc0d74f259915954c8fc03f68db0e022

SHA512
9426b4e97f55bfd15b4bb800ffd2aaccd89f7024f23e6ab4a47e2991855f0a1591009a65bf0b2ef25d50906698ea3101b48d5d8132bd40a4a84abcc34f9f3452

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
fb593fffbd43769ae53d1d0d10ef3177

SHA1
cd1923eac84107121adc04533c634b1e93fa6b6b

SHA256
2bbab776f37f685f7450d995a48a6df4180c4dbd6b5440c5473fea98fae1d5a9

SHA512
81d6437f5805c4b95bad59f8c1652057b0ad457c465e1b8b25b20d488daedb2ff5deffed3b41049b294f4ea21a590e11c0854f14521e75e2d067151cefc7b40d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
d008a8b73fd20b21e56862bd0b42aa2d

SHA1
7ed4dd50e228c0d1ddf9229cdcbfd5aac27d1f06

SHA256
731dc06c46f2056f1ad8ecd7baf226d54c7140b86e9f68e10f655f7dd0d29850

SHA512
64f272c1452184c3d19a622bfb30c7361f0c323f874bd02c6242d1b017c3962361c2456bc1ad9a9e1eb05fdf2c06841c3b88a1206c601fcd39e8c4742dadd4e3

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
41590a48fb7c7cdc236da9a84bd945e6

SHA1
fc87b24c3ba76ed7aa24956442bbce214c6b5ac7

SHA256
44d7acc6997d9638d0aad441f66da36e2bf4144a47430e0f64319b95d9dee6db

SHA512
cfa25db92b34b05eece3b822f2fbddeacdb7b03a2ebaacfae5d441d4277a2b095f3ca7be8cc3d054cc8af003eeb085d8b839f8b23fae4d721c8661e564a7c498

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
acf61a619a72dd833e6cb705f542b3ef

SHA1
29740f1242ad360ab3722d96c7ae69468fd85932

SHA256
61a28258bd71e463070751bb718aa497afd0122685d387bb5cc2223574c087d2

SHA512
d467f2d70842cd0ea748f3209065b0be9824bb893b7240e0a0d46131931754d99783408f7cdfd16c7b65e90d1a496b9b9a1da4b0f7fbc6681aff0a9f1f13db64

Download Submit
memory/436-243-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/436-76-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/436-70-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/436-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/936-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/936-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/936-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/936-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/960-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/960-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/960-1-0x0000000002260000-0x00000000022C7000-memory.dmp

Filesize
412KB

Download
memory/960-6-0x0000000002260000-0x00000000022C7000-memory.dmp

Filesize
412KB

Download
memory/1880-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1880-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1932-259-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1932-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1932-261-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1932-267-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1936-503-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1936-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1984-499-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1984-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2024-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2024-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2040-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2040-497-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2040-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2056-504-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2056-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2260-248-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2260-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2816-506-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2816-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2948-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2948-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2948-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2948-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2948-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2984-498-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2984-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3232-496-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3232-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3260-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3260-502-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3388-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3388-271-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/3388-278-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3432-505-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3432-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3472-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3472-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3472-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3472-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3472-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3492-289-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3768-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3768-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3788-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3788-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3788-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3788-238-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4324-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4324-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download