d81744afd9fe58167ef0b4ca4928e4dbed1181679061b71aaf5b9710c87ab931

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exe
Size

1.4MB
MD5

173d53064cb75e58e13c5089a5ece57e
SHA1

289ffc3254dcd02dcd2d68ee4669aaba1061766c
SHA256

d81744afd9fe58167ef0b4ca4928e4dbed1181679061b71aaf5b9710c87ab931
SHA512

d7b53224dca58e2fadb8fe0fd9b4640d8cb9f1eea99f260f6cf56dd049ac6fd2134f4aa2ce3357a1cf0c9794d79d03b513aa7a9ad3ef408da8bade5752e519af
SSDEEP

12288:gvXk11+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:0k1OMdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1948	alg.exe
4560	elevation_service.exe
2116	elevation_service.exe
4492	maintenanceservice.exe
1220	OSE.EXE
1236	fxssvc.exe
1576	msdtc.exe
1596	PerceptionSimulationService.exe
2068	perfhost.exe
4880	locator.exe
1604	SensorDataService.exe
1648	snmptrap.exe
2844	spectrum.exe
816	ssh-agent.exe
4844	TieringEngineService.exe
2780	AgentService.exe
1560	vds.exe
1036	vssvc.exe
2748	wbengine.exe
3052	WmiApSrv.exe
4604	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

elevation_service.exe2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\10a5fccc4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c78a9170baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8f6e5160baeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a59e8160baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006445f4160baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a9040170baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000681eed160baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ec95a170baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c512e5170baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000271a4a170baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4560	elevation_service.exe
4560	elevation_service.exe
4560	elevation_service.exe
4560	elevation_service.exe
4560	elevation_service.exe
4560	elevation_service.exe
4560	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2408	2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exe
Token: SeDebugPrivilege	1948	alg.exe
Token: SeDebugPrivilege	1948	alg.exe
Token: SeDebugPrivilege	1948	alg.exe
Token: SeTakeOwnershipPrivilege	4560	elevation_service.exe
Token: SeAuditPrivilege	1236	fxssvc.exe
Token: SeRestorePrivilege	4844	TieringEngineService.exe
Token: SeManageVolumePrivilege	4844	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2780	AgentService.exe
Token: SeBackupPrivilege	1036	vssvc.exe
Token: SeRestorePrivilege	1036	vssvc.exe
Token: SeAuditPrivilege	1036	vssvc.exe
Token: SeBackupPrivilege	2748	wbengine.exe
Token: SeRestorePrivilege	2748	wbengine.exe
Token: SeSecurityPrivilege	2748	wbengine.exe
Token: 33	4604	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeDebugPrivilege	4560	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4604 wrote to memory of 3980	4604	SearchIndexer.exe	SearchProtocolHost.exe
PID 4604 wrote to memory of 3980	4604	SearchIndexer.exe	SearchProtocolHost.exe
PID 4604 wrote to memory of 3264	4604	SearchIndexer.exe	SearchFilterHost.exe
PID 4604 wrote to memory of 3264	4604	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_173d53064cb75e58e13c5089a5ece57e_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4492

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4476

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1604

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2844

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3980

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
eb7baaade7821c6e989b71c91fa514f1

SHA1
445f10b937cd814dd68ba71bdd08714b09d4e4b6

SHA256
98b10c531541d0cf7125a84745ddb382bd59c3fdb395f2dc7672803b838b39a4

SHA512
373ff379e97637e0457e04d3f5a9040ff78919285755e92f7c8f57ca47c363e698c95f1b8f552cbea9f1596e0f1574cd971c710f51b7bf970501a2050819b84a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
acd08183af421a934c627ff052fced02

SHA1
9a4c31c960ff5ac4128b803deeaa6e267eaca23a

SHA256
0c66029256657d3014d6fc08848414bad34d00301170fa1012bb380d5ff728ad

SHA512
9fd4e951f55a4369f625c405e2a726c30e9b2c2ddc78d8b878ccb9b36ff4c70a3a9cf66ef6271f309244633db733f63c4757808cc34cd9579c2bdd5048f02394

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
82d4cbb7ce05e00812f4e6b6ef1122aa

SHA1
8ae68363390f1b25603849e5788ad74d3763ea13

SHA256
334f0352c269815de29b8a7e7df15c01842286f06a1a9e899065830b6dc9c544

SHA512
d76a341063337677d5a08cfb49603b7ae60e23dd318d1afeeac1c6b89e1bf94dcdb1581a57501803d7b03db8001b7a1e462dbd181163c9cf7a8e0acfad813e7c

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
a5522208106c5935ebdadd4949568080

SHA1
378921586d96f4ccee754ae454d6ee4d241943ed

SHA256
62315490138f66785fb8d5a2d641a7795c41d75e9e067e40cdf003461a3f48b5

SHA512
c8ce4224d4be24c2efc59a85edf2f42dcb1660bcd53f54f8de5d80dbce2abd52e984905bf1345f8b9eb3973576c9eac1608603a76560deddaa14f75112d83cfc

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
6d8d6f2ab1c71712b4227d0d74dcff64

SHA1
e7a4b750bf78dc91a54c15a69229d1774200705e

SHA256
ffa3613f075584090700baa88baea29fabb57f47bb0b0f2b0b84ca8da4dc6a43

SHA512
5f020de9b92955a3df6d115e95acad47e9aea8ed39f8cad3cbf7f2180877643d47c96753147a5773a4eac7610279703084bfa2755262d2a04b173b6253286539

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
d0a4d66d62a4e8eba355bbdfb1640477

SHA1
df9a686fd62c07f9f3edc06a410e0cd5dfa2e110

SHA256
5b94a38ba9d95032d20e19e2937d51180b67a2f0a468e11c93bba92ee1e520ad

SHA512
0ae64cbfc667d02bba0bc17bcec8440e1fd5558a41ae144cc04cda985955bddaaa5fa42f72201f892b1df155e0b100b3b9273a353749c8a96ba577470fdb75fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
2b1d14716ffe7b8da07440b1d76954a3

SHA1
d938e9034e62b26b6a72a89a65158a0d3038dacb

SHA256
da2308af2bd618a6db5afde007f6ed63c0ae74b7b516a75d617206a1ef394c10

SHA512
a2bf52a3147315e89cb553017143d5e77be35e1359b72fdc2eee122ffd48e5c58035456273ea9e606c2fdbd5452d9a30255800b7b3157aeb2f76b3c79a29e04d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
8fc796b2790144d15752f8e7fa841fd1

SHA1
e2cb19a0c0f69c3cf4b248527f14bbf64160ef07

SHA256
e2f9cf002d98e528c5cbf93f8e4e12e4891de3a1d5e2e8608771282f1bfcefc0

SHA512
6fe4ee5208ea12f3518cb442f876c17c4ac54cedc064165fa76b51657aa521a1a121a1acb312ebdd1b92baabd288d254278becf1f625fa31dc9a42e7ced62449

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
febd10d550db11d6c9170f402fd23c2a

SHA1
0654108e1c0fbfe4830b03fb2a8671c3955442ba

SHA256
b8337cd5429d174b2b32d04b57e32455a5883775119eb314eee8c6fd84d52a57

SHA512
92416ab745b14ac111672c6a83c32e27114ba2d5867931062cdbcae3bf322edfe2999f01cd66d93304c9423397431615a83ecc96fd62e48f141c8954b2aa3a58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
8294bc4f149248e2c1ea36c0ead47ed3

SHA1
c373431289d3445e64047be37135a48f22585d14

SHA256
3612f1c5e3d44b8d7ff6212cb7e35a4aaac62c0d8e626c6b52532a4ba8e73aa5

SHA512
4c21530220fa8340280e8ca0ea4cf1c384c197a0ce7b3ee2bd9959ccd3b49f198b8c89671e7ec3780b3b71dbc664ac5efa77a4769d7ba940c0f74382398886e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
52c6c8f98ebe99484c55a0d01935f743

SHA1
2fa9178fe48bd36c16bb03434837ca93e5f30671

SHA256
797fb0914ea6d5052a439b65d9ba216b73567348c15bbccb236211eb680b4a70

SHA512
4d8e0393621067759872ee6b911b79139d6400dee4cba19b2696cea87ade8347aca3c25bebd902d9a04453a503bc5e7b7cbb19074b561839bce5118c5d5c2457

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
b74c8d3e082692f24efd31e81cbbbb02

SHA1
bb3e81da9d3bcee3b822ebfe0b4e328aee20d9c5

SHA256
f066f9ced9719fc0a36e3bac0bd1f5ef356b9647c6654ea8ca9a0aa4a7199456

SHA512
a95724c10d4fa0596b71f52ec5e71324ac14bd17ffe32c749a5cab9d92badf8ec9cf1fb8646e19ad9ad70c5ce398f82e6cb85869eccc76c3cc76ccde41e473fa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
24000c5b1133ec7c1699ad772c1d2169

SHA1
c1e484f5b9609c0d60ed14551d99ff85414ae113

SHA256
e0c407540bbe8592eef0871da4a837150cbe5688046efd0b5ec7c3062a23029d

SHA512
84031c3822e8e7059077782f18b6927f083b5687dd87743a0c52c5c150a95afbecf8156726b69de0a490983c98306a6d0611cf7dc45cdc2b764291e5878450d3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
81df378801be05a001f51a5fad545bf5

SHA1
a814e6426dbd2b4989b0d72a8150488c081bc8a4

SHA256
96967fd9957d54bc9ac908aafb202060afb91de4df073acc50acca0a3b7f1d08

SHA512
ae02cb08bc1d44bca271f5d22b7c6453a4a928776ed82c6fba6bf525d72ae6faed9ad0257097ec76ac3a2c14ae4dd20c37c50395f3b656ffb04d8d4863290ee6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
1f9be1142928d47237fe619f1fc92f27

SHA1
b3b473474101dc5d5babb08cb96e10ca22e60d71

SHA256
a7f5d90d984751f1887a9a0e73c71e250f882ec54b9ef8df753bc1aa9a27132d

SHA512
d644c0b03fb3b6865203c6813378a49b6b808096f790bb0bf11c4abbc5b6bbe028753033a14c6faa8a5a30a5b8a05b127a64b8daef15074c69678449de498a6c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
c03a5f99610d1b1317e45e6775018b4f

SHA1
c47a634a025bad33ace7704896d7be3818190d6b

SHA256
1c35eb5e4cc4eb277e6402bc9b572df0f42cbb05defbda07ec0792d0c279fd49

SHA512
c16233e483270ec6e64ce871268617372cff0d1476858e9c2bd216939ffc76312bcc8d6b8b7ca1a50a408d875ceecb0f963a8ccef7e2b9cd5a3db4097bed8cbc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
50124492daacc32c015aaa9c8d4cf59f

SHA1
cb0c6562dd5e05fb7da40cfacf454d77b473393d

SHA256
d8f04eed647a3b545ab90d8c6019f4d1383fdd1f2ad4e117b69ca714c435244b

SHA512
e943972bdf855abcf92f3a91401bc705dcc2cfbdd322b691824e6d17ab108867d2814f10c19a4055c1aa7383e967c67cd74cd7ce71e818bac4e45e2ded8604a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
16db0aa7e2bd6964ceb2d6eaedfd4fc2

SHA1
71f02cd6dba72841e13b1c5d266cfb39ff905a1a

SHA256
4dafd063f4f70a70000a4bc8eda79a496282bb6d8e5cdc3b64e6fe3f79af9cf0

SHA512
d5b2efb4124ec0bfc2ec68321054ef5d4cea0e11808a1602929492f75f883bfdefecbeaab6aff6efcb69ceb62026d12a9403e6d09cd37bb292e694d2d1f083ce

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
012e71ac60ce6ef491e5a8578dc33212

SHA1
5b8a5c10377f417be0463e3536f6f9770eae9a58

SHA256
36df5feb5b8f3920a4a3bbfc357c05c0271bb25ea9e5acfa3fcfd40325e0d471

SHA512
5f56c223ba9202ba14d23c9c9c64baa28b359682065e0b4d41caef4624a6734f168602bd267329ae1f45eaf176ef328bf4fc581b213e70dee1c51052d589868d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
6f06b9aa0a211a17a6d5eae6babb7533

SHA1
88f5a7d7f7cf1cd19f05e5b149340e587a266056

SHA256
8b82ee8c466e9705b4fd330451a127edb6e554962d374a9767843d81488806f1

SHA512
9b8e26052d7f08733d22b91b9524978f7b1793429c19f573d061ce34a6b8120c63ce450346403fdf79bbe654097dba1907ef56dd4d321a684e9bf3dab428a698

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
12fd0c2e2a33549a2d96ef461c297135

SHA1
a35b47e29b3b8b9288094bf4d421ac838887e227

SHA256
3205919cb7b51469e4605b1a0c75ac8f47448e1a4fbf2bd96c4765bb125a8f5f

SHA512
1899a77bdde0ff5f0bfef139f3a486c1f1fdd7214c8870c0fb93e9c994f1b83c7d862770d4373d8cc1b51f9f4131ddaae1976f3dba7e89d90c878891720c9747

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
667935b1d99011022d545e98157d2255

SHA1
ddf3a850c54bf89d977a1939ba7a110e4b304781

SHA256
eba65a01ef9eabaa8ee2b0fc17c9f2c565409501bf50b4305d55c4fde0e0f178

SHA512
4621c71ab7260792ef75726fde7ae968c4c8b7712969db8e68fb533775fb1aaa95a30e981bca6364e20b20079b74da35d2db2eceb7773d70819c36549eec16fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
5eec0fe2ff9f8d16c34bc69cd940709d

SHA1
a878b878315acf9b3ec82bb31aea634f913d8ec7

SHA256
2d4e22c2c059683607af3f13deb330b5ed6aaca2920e5f746a5fd442b0928a30

SHA512
38f097567fa14afdd5d153f975286f6401ed6d098edba1b5818ca7121e9803ca8133d25e22071d68593a23781c1d301bdb1ebd574907778254de147e47dd670d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
702e4f7dab6bd8077beb36ce63ce57c6

SHA1
d33ef364da8d915e57820ed54d6039aa46932640

SHA256
815161e58ea73b7d9f649af6127946ab149c6a047933e989e3cc3bafc90ff2a2

SHA512
9321ee1d47d95c9135e363bd6b724bf47188aa2f4a8dc8e591c974ee7170365b57b122d7b877c5b0a5edf3b9f2b934ae79297038ae76cac1fb876d4cc9806643

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
e2780b87a65efad4e025494543a3e225

SHA1
9a80268a0700b80a899acf086ef58bbff4a7840c

SHA256
1717a833ff9deb6e73658eb405ce0aa99682ce239a323a57abdc7b00ed48c757

SHA512
8da1959a9bb7582c23c48f282b895136d6b50aafbe4e33283b06f4d1e0e5039e521d7c6ffb1b5defa59f4bb0162065a086f5be220f95d7deddc490e36c44c05b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
5e3946be7e796b36f937e7497000c035

SHA1
36170e3483230ca39429032785325441c24fbe18

SHA256
73ad47bbb55dc1d237d04b9f7f282eb932eaca623168fa8b5b878de08cf966f7

SHA512
7cce30959f9be24186ea8170628584affe5b4b2cf49f97e1edf942b12a4e866434fffec385f469e98470ce1391c5d43dd86fd75a02fae1b9cc7b355479f09d0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
3e1fcadeb096e4257c85be579af08395

SHA1
1e4f0ff22d6b95543bf918734ca3227cc794093f

SHA256
02ddccc68c21b62bbff0b2f1d4eb1738671e9700ec71a17c14c5a7766eee4a4d

SHA512
540755db779dea68ccb5f63d56c3a8127e6aa34de09a218834c064c8d4e7db7598681cc6690b273dc035798f7228b0adc3c2bea77d42385ed32be32f1aa6ec80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
d2e867bd2dcf3ac4d4f61c9a84782939

SHA1
8dfc7f3a9435fc7116f62399ddd1e9317fb5a891

SHA256
c46aaacf45e0a371f6f254489d753f52205a3159693d3880253f79b9da36ab22

SHA512
ad6cb501793b7968ba02a74d7e335363c6fec2bc957d02d0f14126bec90799b85ffae91431f9c9826aa1ac18d4a3f1812ece07dbf7b3b8f6a3933348618eebcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
9d78c8eee93bb5a5eb7922dd5ff3682d

SHA1
4a5aae7eb2768dae5695db3aaa5b8307afe827b7

SHA256
6b641dfcaad900c93ec633272ff9223175bc7708156a19f5b5b1c44166a87e31

SHA512
adc53a7c4d262e1e6976b52aba012fda1a6927a34c778dbacb82bf5b59bb8cf793c1c8a799ec2d36283ccbe254d0eea4c29c11bbc7f7c1a23ff895b444b675bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
e28ec6defa970976ef797a7528b7d07a

SHA1
adf2c73e2527cefedac8436398b6a2235f374bf6

SHA256
99bd3fb181d630553b73e282c01c6d6c939de10a4eabf89da460e15aa6f7eea1

SHA512
4244e77f563beeec4efa933bc9a07d4a40b4813fc7ec4e443590c14997972d6201255e04562966751dc2de1733858bf9bcc2268f6b9329c193d075c165058910

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
03a8038b33eb64497d01d521b75b12a1

SHA1
8fca63a4af1d1d2b8523aceeb19b1e4f554cc175

SHA256
7be53539ab84024e13fd2c743ca3a61da8caa07bb162094ff4b2a7bf6fd3660d

SHA512
ec01b25f4ca5c12918b321a4ec313f72b8c3b6f486e821f8c52866c4468eb431ea03fc3114cf036e5dd0043a8aea480a481a4d9aed399b4d05efc52155c54f82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
944ae3446276411885b5d8b339a5bd65

SHA1
add0c527b62faa40fc5542bf61de217a4b487cad

SHA256
c3ded78b7133a553476779640afdcd50beeb9077412a23c478b2a6ade607f196

SHA512
05c9a9bfe627b0378a0780d7c72473c082242a0c50df265a2b50fd4b4e2e050a8f495862b9b7ed1fc1348070f57cbcce20d00508581de29c48697c7aa29837ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
b18d199c5790c189cd3db9ec6f326ee5

SHA1
762ad6c454b933837039b3318a688582b76795e0

SHA256
5193d269c6ba1a12262b90a520730d4dfd6f8a56c59dddf964758d650a181def

SHA512
27b1428805e7627a6c5c88c91a6adfd599731778a8991aae944a00c4fa86f72eee50fd4fc306e0837f2c6f7e407a4ff6b04cbb576099bb90a65a16e987e1eff8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
c5831bf519f5a7e45c7cd4e22faf31d0

SHA1
7cd30029d990b898ad2280867f1972201672e484

SHA256
8b90cae70cb4efe549bf4f26c4aa67ef51d97fc71a06ca36479b45508a22f518

SHA512
22f31aef891ab78aa142915a8dc44baa015a39347597be0b637e3bab818ca7433f63b30580322b3e241fe3241948a42b22f7f04f0dec6b100f162fba040d96a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
2c3f11d9c586240bec4c7234a31f227f

SHA1
8f06c1e47f6f062a1f7cc067697b43ca7774f943

SHA256
da766644bf10eed9babee7bd3530d4977687b29c05895c4ded666a1b78fe6424

SHA512
5e5f863218ed89df92b15ab958aa82822c538f72cd425cd6a11c7dfbc7a0fd00420a4c9b6ba05e1e8cfee2c1e7145cc6d0487acd4b0b0e478fb1599727674095

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
9f31906da5f571639dc287ffa1f65e6e

SHA1
23605567b7808aecc2ee2164c21a0a5b0a03f0a2

SHA256
cb48f061ad16cf14537d7f7498ab03ff7b2318f0ff128267a205b5329dc38fb2

SHA512
1b0247f567bdcd0d89a3f3bc6c897df4fdf2463f002518fef1af4deef85ce9faef2563129eaae618fd273c4b333be1720c7f9f90fcab890341898213196e2fe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.3MB

MD5
01bb87e5f8393d59c345969828b6113b

SHA1
ad463dc5ca3352a9dec1ff7610e3b3bd825eba71

SHA256
f133d0ac6ec192352778a4d177d9555d9b88a326f596716d65374533b3cb6b88

SHA512
9605b4a2335f98487b954bb276358061a883023407510e40f4737b3445fcc8f032fc432e04394a10ba4fb0c6ddc560314f5b92622b4318bda9252a24f2a6015c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.3MB

MD5
7b3bbfa34f6d8fe2b3c0f649c3cb5412

SHA1
1382b9e6aef9ae933465d461de9d4ee8e36618a2

SHA256
e509efe396bc99d6b4bc0606866952562fe47340cf9023842ef70eb0a49eedda

SHA512
efc33af3a44ff34fe04bc484a697f2223a1ee0ba35a44fe206a8cb0874a38a7d0ffb5a661b00c9361974060899621fdb5b54154d8f430de0037e7db5e12e5718

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.3MB

MD5
5b6bad9aefc76e50e8eaf8a6347c6fb9

SHA1
57cb19efbca5f1b7693c65324f148caf50766c35

SHA256
94c1bf93b133c05f29fd2d814d739d275abf4e2efcfdaffdcf415491a6fe2126

SHA512
39bd4ba8f14a16e18471036e2d0cf48ba61fd3ec9a3e2a92a857aceebf15cf89e26f3d0d4175e58bd5b09017d26fddb0a033778b0a28fa643fcdb795616c91a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.3MB

MD5
0a475a78f3508ecd10405a9ab63d2a71

SHA1
fc03ecf41f632115ea66af1c41ea7b02370fd5c3

SHA256
caeba498bc14765606cbf9f0703865844044b110efa5c82d1ac3480625dac908

SHA512
daee22c08baf810d40d5e5416d7261bbffd457476d9b65ac253a7c3d457496ee891107f82c0285211a14b5f8c85b136d860f0e25591a15545f27c47d8826e77a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.3MB

MD5
1310c4824e4e7d763a99b1b87e81b4da

SHA1
1b21407e39f765d0ce112ce3ca3f392ec61ae22d

SHA256
1117bc0cde1eb37d8ffcf53afd939b6ed19d19ddff03ce5c256c2438474dfb4f

SHA512
de61ebf567cc66b01ee553a1c38f996d7b40c22f2e17d0f66a3de0808afe10768c3c1703dd016eb4e3db4518574e22f004951ec698beac960568d8c6e99e025b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.3MB

MD5
f4746ab4079564a90590da5f2b04c548

SHA1
5067d02a102664650a09a03bd33f37a8b4275485

SHA256
cd9be443fcb0261f88d2178ad6672a4197a87e7546fe49aedb30d6929196410e

SHA512
d5e6c93c29006470e110af64d0f40d0ef032367c744698e4146e4a46a0f73cf5b44c43f49b1b621353558746a60f7f68b0a20eac6b849e4c4cc0f52713666ffc

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
d1d8f75c265754ede73c93c4e062aed7

SHA1
053f21ddc154f19dcdb153bd1655ced79a499e12

SHA256
d527ee9af1958a981eb65a50ce6289204c1315cd2b17acde3e8ef417c040e13f

SHA512
8d9fae6d7e2fd0b8c2f3882966b604c21f66873a84d86b5953dd66cb32df45143fee62242a74729425b20f26d284c06d9efa39e1b0d2071e2ed011738cd86c03

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
d8b8ed8015c91355e8613a111f042e97

SHA1
5c46d7afdd4fa740712be598b45d9b9a2a1c9657

SHA256
8531c2f20ddb69c98d446911f9a20abb2a987f8cb7e71f715319c3d2088ed517

SHA512
267733faccdddf4de5fe2d227b59c7a61843fd2ebd63ba1ea82edcb1578dd5b836d233a6bdc8bba503bd05fd25759782f129c7ac6e8a0d8ed819f10074033b0c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b977377bcdb4cfa169ef4d55abd12dc5

SHA1
4a9b3590437587039db9a2531d9b5bb5e4a28e81

SHA256
50db3aea43fae8d1a1dfde9e321f6539277c64b2cadc40f2841bd68a79746af7

SHA512
ccd87a664df68abaedc94b276c002f8d2e83eb9045f755d1ac1d8011ac730cf1a393663f891378644171b0a41706f8b67d0076dcf5f92371cecb80dcedddc9b9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
4c409ffe66ee75df6ad7ee81d233bf2b

SHA1
6ce40b71119f5666b18313d537b6e479424493e6

SHA256
3b1215cc12c7d9e16bcf73b03c80322a05a9cca70e1317cd6ab6fe4515a5f408

SHA512
3a7befa8e76acf05cdec38a546412410f338ee74493baef50232cfc1cfc036ed5c76297f2dee838965a75a44fc8f38c157dfa7aa04a5040d82d153547863bf07

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
25790ef219dca2aa058fcd8f09dd9e3c

SHA1
06e2636cc22bf314cb07bff2aa5d38f5e49bd252

SHA256
b00c8bfd689281eb6f45622d0f8381eac8a37e23af78b1b37ef5414af43c4bbd

SHA512
24cb3ad4caf32ec097190f6456c2553889299731b1d988e0fe61f4405b355b51b94b40665e84fb98f9877d3ceac0e665d6fc06442e877f3b0d81b158c0f113ea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
a5d5aeb948285431d3ca1ae0613ecc1c

SHA1
eea16802a7ca4b6d8ea3f28257375330ef844802

SHA256
9cc4ccf11fc98cadf0ff55401b1267142e15bc31e8d3671b83e246041e4510f8

SHA512
b2bd3b0ca673f3c5a0dc30d89679aeaddf9e6e375bcd71e44ddcf9c7fd037fbcf22ede9ff288778453ad2d6a8edc799a173367a570a4d6696568da1489831e7b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.4MB

MD5
a0a2b96fb2dc58968a06acbf03a049a4

SHA1
4b526d26f772e833fc6975ed1579dc30534eb234

SHA256
85710c979d9cc3e0fa4efa471f7f29a51b1395796f9d4ef0060eaec5dd4711ba

SHA512
61998f198e512ed4947f0a49476300084ca52cfc3932c498d98d8e31016fd8bf1bf963c626c5e4f04b3261c24d4484156d56a1e2d6c9945ce1c125f35963cbd3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
013b061f5a3ac073f65e666043a3eeb0

SHA1
308bedcddb2e7977cb25be431c68f66f85339291

SHA256
b3a27366a8475f9668b6c99b9cd9cd696ae2afc6c1e318649931fee0c019317e

SHA512
3fc11fca94929ad2c57e272732c2ba3759f4b6460a628cdd3324ec640fa3a8fafb19c95436d06699882fb6e0083032a4255635eecd8c6f1f9fa7e4926c5a1234

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
31f7c219dd6f47981ba4dee4b3006a4f

SHA1
704ca28a56da6e11d4a2fef73c44bd7bb63fb9c5

SHA256
1c987cfec0dfb99fb6d89eeffac37f8600588f1517ebe92e38094983ff4abb49

SHA512
37f1fabfc16ef8c33037985198e2b5fcbb2dbb2a0428e896b8ac5b9ec70a422848e1823fa9a63990bb104e5826befc620f9bc647e00dd66be0afedaefd6ee9b6

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
6dd1ce9ced4f1d32421f4461aa0a2b34

SHA1
251836f7c740b1df337b04930277bb15c24c3864

SHA256
f8d1f56a43cf6b8e639d9beb7965fd14c873fef13221ea73e11745377528da2c

SHA512
ef4ef4f93e910bb47e6cddc69429cb853905e14bb00dcf0f7234b1d61f5e0bc3964939bacd4bc2026b2ba7f3470ea5a54ceaae00db2967d006c5b4d4cbe2ff13

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.6MB

MD5
808529871dafa62325bec3a8051c449a

SHA1
41b576dd6402d0c428a6210e4645d344deaa162c

SHA256
4beb7c8ad2c1605407dfc05a9aa306b97031acf2edb358c6e18b34d5ca24a85a

SHA512
f2cdbdceacc6852dca52c41aed6baf367676f9e1ecb85cfcad476aa80925a966692dd1bbdc49ca6e78cc786807cc2609079c114a02872bf137c7351832637fd9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
53678cb458dd7ae123eba6076330345e

SHA1
d4da172bdb1aeea4a465516b292fbe83532cc774

SHA256
0a2600a0842146e2b0978bc40b33ae03de13e036af960d29bc4bfd897f81afe4

SHA512
0560dcabd82ad1c95c0505d7e6701e06afba5450362f5aa23c2572f8b512fad8455ffa46a1f429f1b95ae52ad5ca3f090fe0266828e2718f946728d7bda16bf6

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
471d8e8f8697359c80f4c16eb1982aa0

SHA1
27aa1a84709d810b9f109991beb152fe412a2b98

SHA256
cc6ca3f3f5118b33662ebd721f822a45ecfbccc1cee09881b32a384af47e1079

SHA512
3ec35b26b72b8b221c72a254040b4c38f8be2ffbea0a62a15e627b4ca0c53f58d797d3757f04149b99bf287f8349bc14445502bddae4058ca881954086f4be09

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
01adc0e1e72ed1e78038fc9e5da8640b

SHA1
56677690c8ed1e0782402d99fd375953d76ebc7d

SHA256
9ee09dcf8acf5e6ab93c133e0489ee5c6636add9980b934098729dbf8ab038f1

SHA512
e5868ccfe70481f09a4481640188505daa6d1f9e28a721374535fd972ee14d47ac48fd1bb18cafbef18d6aa1f2c39f48723aca2ab0e41bfc83c437f2086aff24

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
0e09d1d53a0c6f65f2fb2f3171944af4

SHA1
d1a06c0726df05d5e4210defbb899141251bee32

SHA256
aba7bf34007273cd13e927f1c002e55d310239aa65941ec4c8df146117f3b132

SHA512
be8e7e60e27b06e8fc0ea4dc7070fd792ad7d08cb21453118c771ea6c142b5e9d46103a4b23ecc26dfbf0113dd3cf6cf2bd65664608d3d5f7769736508818dd1

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0f4887212475a735682f2b1c4e9b08c4

SHA1
ddf67f4bbcd1b929be64d9307fc26dec7067f969

SHA256
335e932f345abd88a5a68d0a410b38a9ee4cbe0a5292eac2c080780f5c54be51

SHA512
0d1d8bf579dc305bb5cbd53fb2eefcadebfff74285a81a4b94897c3573ad264230832df89a61d10227d9d248151c320815bf8264a65929c4176cbbf5defb7941

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
4d98efe6146ad77bd42ca02e9baac629

SHA1
30e5671458befb8c481eae94606d3582b5b2ff85

SHA256
f34d1894b62e882d72f99b1c08a58f760ef5632a7445a86dfb421118bb845e60

SHA512
00900ae38141d7e0ee82e2c46331ce90469db4ca248f2693e90f58f63922f401157b4aa7eaaf8f2c5810a22a59abf71a6bf21ead3c40c5e97d60a715d61fabb4

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
515b4352fbf6b827e45134802fcc5458

SHA1
75e98ed5d72d478e2bfc01438a8183e36ae57c8d

SHA256
735d933ac64378d83d917f4507fe0d1338298fe3f4716bf6ab22e9b08d4d8068

SHA512
f17f7a7daf905bb67ba91a5c143f7640c9cc80ce5d34cf3b849f55b2711fa939906cd7ed915c2d17e9d329105c85c41c965ed2f3113b5c83037c0ff903d4bd5e

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
de62e9f53287b00a56a719076c54187b

SHA1
d2622046fd5b3cdf175d5c31a5b66448763ec8f8

SHA256
7f13246fdefa741f240be6a5ca93585b67c8f69fbb0abd80dae33ecd343f71d4

SHA512
f0aa0baf0cd9b08f1fa8aee82687aba5e49bb7f501440206b1383f418674290f449ed0a3ba2efa8c5f17d2fb67e7d420dba3ae75462dca017c87a502b5c37d72

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
ad186714982cda8f2327fd06517a9d05

SHA1
f0c811f815bf1ee7527ca9091f2d70a507eaea50

SHA256
d1b6b66143aa21f1813987e15b20ded2386ae8fb6feb349c8f62f8c9fc9fdae8

SHA512
8d72848b78fd33c9eb483baa83f5bdaafcf3d373c5e15dbbaea4f4b2c3a06e974d7eb894c56ed0c04f923bb06b239c50d1f998d7c5711e91a0bdd2130f406a29

Download Submit
memory/816-343-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/816-671-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/1036-384-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1036-676-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1220-241-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/1220-72-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1220-76-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/1220-66-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1236-245-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1236-246-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1236-252-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1236-258-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1236-256-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1560-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1560-675-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1576-371-0x0000000140000000-0x0000000140220000-memory.dmp

Filesize
2.1MB

Download
memory/1576-260-0x0000000140000000-0x0000000140220000-memory.dmp

Filesize
2.1MB

Download
memory/1576-261-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1596-383-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1596-272-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1604-670-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-422-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-300-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1648-320-0x0000000140000000-0x00000001401FD000-memory.dmp

Filesize
2.0MB

Download
memory/1648-666-0x0000000140000000-0x00000001401FD000-memory.dmp

Filesize
2.0MB

Download
memory/1948-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1948-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1948-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1948-18-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1948-236-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/2068-287-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/2116-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2116-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2116-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2116-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2408-0-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/2408-8-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/2408-5-0x0000000000400000-0x0000000000617000-memory.dmp

Filesize
2.1MB

Download
memory/2408-29-0x0000000000400000-0x0000000000617000-memory.dmp

Filesize
2.1MB

Download
memory/2748-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2748-677-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2780-369-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2780-365-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2844-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2844-667-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3052-415-0x0000000140000000-0x000000014022D000-memory.dmp

Filesize
2.2MB

Download
memory/3052-678-0x0000000140000000-0x000000014022D000-memory.dmp

Filesize
2.2MB

Download
memory/4492-55-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4492-54-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4492-74-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4492-77-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4492-61-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4560-32-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4560-33-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4560-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4560-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4604-428-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4604-680-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4844-672-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4844-352-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4880-406-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4880-289-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download