6b363b5c41a037e17d482712dffad58286cd0bf26d8476337b30980c51ed8f8f

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_c421c1796af25f5fc07b16336e46d2ba_bkransomware_karagany.exe
Size

1.3MB
MD5

c421c1796af25f5fc07b16336e46d2ba
SHA1

f53a6fc69290dadb1ede281eead2898bdd021f84
SHA256

6b363b5c41a037e17d482712dffad58286cd0bf26d8476337b30980c51ed8f8f
SHA512

bb47352f90b53e89b5bc9741fe168b630672c558ba7784869dd21e26d3f59c6c8384718b8d202d73e505d5b5f875b285c1af5cc643879907e6841f8486007778
SSDEEP

12288:6vXk1cxKXfxTHP5vDDtbxTezGwd7EM5dEfp5MkVK93P+SdkSS+C3/eoPdBvn:Wk1cxKvxTpDD6qrf3MkIkSFuv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4944	alg.exe
4860	elevation_service.exe
2064	elevation_service.exe
780	maintenanceservice.exe
2356	OSE.EXE
3096	DiagnosticsHub.StandardCollector.Service.exe
2020	fxssvc.exe
412	msdtc.exe
4564	PerceptionSimulationService.exe
3572	perfhost.exe
2236	locator.exe
3376	SensorDataService.exe
1104	snmptrap.exe
1548	spectrum.exe
2060	ssh-agent.exe
3624	TieringEngineService.exe
3820	AgentService.exe
856	vds.exe
3100	vssvc.exe
2352	wbengine.exe
2440	WmiApSrv.exe
1028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

elevation_service.exemsdtc.exe2024-05-24_c421c1796af25f5fc07b16336e46d2ba_bkransomware_karagany.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_c421c1796af25f5fc07b16336e46d2ba_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f858ca0d293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_c421c1796af25f5fc07b16336e46d2ba_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5b1dc0717aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1a0aa0717aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012c9920717aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e678c20717aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bc04c0817aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000423be60717aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ceebf60717aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d1fac0817aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000175000817aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016d35f0817aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe
4860	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_c421c1796af25f5fc07b16336e46d2ba_bkransomware_karagany.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4564	2024-05-24_c421c1796af25f5fc07b16336e46d2ba_bkransomware_karagany.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeDebugPrivilege	4944	alg.exe
Token: SeTakeOwnershipPrivilege	4860	elevation_service.exe
Token: SeAuditPrivilege	2020	fxssvc.exe
Token: SeRestorePrivilege	3624	TieringEngineService.exe
Token: SeManageVolumePrivilege	3624	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3820	AgentService.exe
Token: SeBackupPrivilege	3100	vssvc.exe
Token: SeRestorePrivilege	3100	vssvc.exe
Token: SeAuditPrivilege	3100	vssvc.exe
Token: SeBackupPrivilege	2352	wbengine.exe
Token: SeRestorePrivilege	2352	wbengine.exe
Token: SeSecurityPrivilege	2352	wbengine.exe
Token: 33	1028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1028	SearchIndexer.exe
Token: SeDebugPrivilege	4860	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1028 wrote to memory of 3344	1028	SearchIndexer.exe	SearchProtocolHost.exe
PID 1028 wrote to memory of 3344	1028	SearchIndexer.exe	SearchProtocolHost.exe
PID 1028 wrote to memory of 2156	1028	SearchIndexer.exe	SearchFilterHost.exe
PID 1028 wrote to memory of 2156	1028	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_c421c1796af25f5fc07b16336e46d2ba_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_c421c1796af25f5fc07b16336e46d2ba_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:780

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3608

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3376

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1724

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3344

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ee0ab4e8524cb9356daf9c8565a164bd

SHA1
87b7f2934935dae0c6f330e0316ddb115a159741

SHA256
e4f779f8228b66ca1929fd25522c2bc966d30cb895da26e9cc977131675420e8

SHA512
aba59ed43d144627e46790fa93c05198169954368135f209dd6c06624ff3a8005f4f6a3bd7983be002eb7a844da7871b257a1ff03bbfac0d3ce222cfcbc1d1bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
ee8c3294a3472b7bcbb9cfcda230fbe9

SHA1
8a22d642310a1ed52685e140122048953b673878

SHA256
6475f2f0ef2ae9ad026ecedb369837e89c0bdba98faaba59354ba78130ef6e43

SHA512
93b8090b13e42e756c8536d7282d40bce5ae71c9bbd97d500e0f42da27e60aea746f8e4d7032819ec2acb461f76dbb494a2bccd4bbc500e5e9bcf16946df39d6

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
0fac883e36be7badeb04711df3710a9a

SHA1
20c9f643a64f00824330c42fd8155e769d8fced7

SHA256
ce8ae0441212d5f644bb817f39228b50045c4d87ac1c0b2bd2acae1a6306d8ea

SHA512
770cfefac3ab5efb19348962b84f223b8f0a07fc2c331d5aa2b8b51d301771660bcf8acfef287e0b666afa50f7156ad82dfd9943bdc3f99cc31941dae37a623e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
eeccc0269f6366143d84403adeea728a

SHA1
8a5177d541a48d1bfc392f6dc21fe93e9cf15f4c

SHA256
3cc5d88d07a5560d4bc39b10c8e1fb55d28678e2bd85f2f490648d1f57211be1

SHA512
d456fee6c0b977938aee06987b4b748fb5dd7abdaea5a20c8a9266230f1370622c0433e0ce9c1829d940c1164a7cb9a646529517bfd24f0a8b05f87119092092

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
80b21c17e5f5f65e82832ce568a98aeb

SHA1
3a0de93ea4b110963f4472f10dec7e6385792bbb

SHA256
d15c3700b6f114f74bdc1fbdf54e937e6e4c881f46beff1a40561b1fa1edd606

SHA512
a8ed6db9930807ef1dddc0608c0f2895428cbf43e52fc154f3d91e16789298796b310b0044d66aae27f6df07d72ec421c62a0866b75c75184760ab7e78df6b80

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
31500f470c1710211cfd59cd7bc6a77f

SHA1
414be3afff2a52839b044f3d99bd09d21f891fd4

SHA256
a124742c2ea33e9df31222d89dd9efc5345b8437b28b2290858d427f5c246d35

SHA512
0711c5defe54820e27ead45e3c771127ed9ae0afdd1e6bb9bd3c6057abc405582a5e3798294ad8981e70051ab789c25f2df433fd64c23f2e4d6bcd79fd29927a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
59f1b7c9d016f0dea809552ccdd96370

SHA1
dae4cd46de73958968862ed7eb4c843d2dac87f7

SHA256
818314ec698d09a91bde6b0811c2ca2871087c92b8849cadd0ed30b4c9cb35a6

SHA512
feefc4e43ec4c4eff1e07066c4e5c188a52e8d92f752ee6e2e775d500abe9c0a460729f56e2771583e83685d16650630355f10da576a6ed46b27492ef86e1c28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
870eb8a4c4a2dc3eeed10aada345743b

SHA1
ca7157bf2633d1f62d0c86e083c0e5658dc10ed9

SHA256
47777d9d72ba386fb38b51efb34e20f00b234018ae601fed434cf075d56badff

SHA512
bee3aa772784961a2efa0c69a9ca314e7998c9c2240c8d150fef826c68c744f5978fa68abdc830a27ee6047e0ef5fb6796ba091d687dee28c7c5304f88926875

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
98855dbdc214815d96eeae5e437e7d78

SHA1
fbeedb00f9e4664e7ac5e5f85e48e2efa21babe1

SHA256
349cc4789dd2abcc78a108d16ded7035befff56af8cc1011ffaffaa0d1be039c

SHA512
784230e1b3753a691a4df207d2ba947caa455ab2932b55812d0d9e9e8b3100591d9ec11604c56c6459e62a4beb2607b1b50d73b77b08e37529ba03fe89d8599d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
da4d986065a1cf052bda4c368e6df037

SHA1
53a745aa35a2a4b39318204d7c4c3d012d2b8173

SHA256
78d78781f269b1cf48437959a1f90b7e1c4ad15ae902b7bdd1516d094439ead6

SHA512
9df923c58ba24f6eb35ae693b2eb862500ae7c3f16cca61233ef408c3d77334024b1fe71489222bec9d5b54b0a5d7c0a2d497379e1ce1a9ba843a78b49924420

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9761f6020cb9562102452893c093f06d

SHA1
8ef91c7a3a14f7e7635ec4078fb834e1d82eaf32

SHA256
67052143cadd0a8db007dbb94a42b72f5c85463a4bf96378e577ca528c7987ce

SHA512
6d070b429145a378799acfb5cc63f490bfc84e3b90e4b7fa6d0fffa94283b064e6c0ebe3eb47143b0a3ad6f44a354a975a055eb19fa7ef974deb2c0b4f56b121

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7c367cfb50f05de6b139c626686a7109

SHA1
b98db0c4cf3e8cf3511479add5b2c8f0f21578c0

SHA256
d8a8fcd90f2fd1a3b38657fabddb4553fbb68387575e72b32b01a0164f29d16f

SHA512
e86a135b3a747ea76d44969261d134c17a63ca7dc3beb8f8acc12e5dde48038deb1de491a78fdf83a2f94264a325b8c3c5000cfe203a33a850d3dd3a37628512

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
907d01fba195ae29c7c5220950e5c1c4

SHA1
ecadc16d51e0713604a691765818317724962d66

SHA256
caefd2fdf29f7203cbdf58187900a23c8eb8cca5450b555e370d849d2817407c

SHA512
8f14a441d51479296434b5bbf4e1c29ed602660953128612b2037c7d12a059afeb9c67f487892af17202f7e444346c4cb803b9521375afef59aa28fa04731cc4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
8e70fcc57549f719e0a0eb4738423b3b

SHA1
b77cd2fd4616412d58d2edd6f125da8c525e639c

SHA256
fa9dc321bb8bdd3dc6fdbad8bb6378ef6613390f4847f880ec7b179f9affb2da

SHA512
255a445ae4160069ec2007d8ddb481d3e3559062ff4ca83ac46589c2d8440bc24078a2e008f3521b6b525f7a1b21ac7d795c42ec5a81f5a6a005ea7135424bf3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e3ba7f4eaaa7229f1645ed2327abcf4c

SHA1
006ecbac3385b30b7fbb5083f61af8afdc0f1d72

SHA256
8addd1b4e2342455446d1ba4b8e61f15b19e1ead2c5f2a8900ee1c63c44fa7d4

SHA512
de788c8c3c4abc326d150961e53b7d5da58af3af2f9e856b236262ba34ef2882b31e86af43ee5a4328ec80017c92d63a6a8a86aac111b7568b8d315d1c3a2723

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
685aeac46e1acdbc30478f7731c1d978

SHA1
7381da545e2b41294b3efa4db02b7c276cd29958

SHA256
704171bac9689d2ca920dce3a9f1168afc3c6b9dd7aff564bea9f76c9b7f278b

SHA512
ac2fd642ac0ff16c3d4c18835d174890bb7e518c64eba36d35f977f4fee44f04c3c1d1786850f7bef46a0fe5956e207a9ca02f0dad00882f55ceaf1005498ef9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
840b52029028e7e5dc97e60295050d56

SHA1
4199c5ce30ef3a5df320dce7dad1f71081238214

SHA256
68b1198a9e02f166ec6d70e0327b4e8de22b26276a408fe3faf91ec8225fe11e

SHA512
e1bf6ed9ccbc3d1c6c41668f4f07bb7591aad4bdb2b28a07337a69b69da5281bf353c8bd07cb808f579d236dd5340600bdd7c1d6adf4439628e22278aa26117e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ccdba454d7fdcd9abc880a9c02513133

SHA1
c1fc5b74c9831410619ab92fa19ceba352eeb6a0

SHA256
16f28b940f3fb3d90038480b7eb1b370200199f6eb8cd5df40b81fdaa9027b9a

SHA512
36f4e505eaf6778b7d95e4d30ce7960591b058b5f38e18f831f29f17d439929df2e5220488f0d64c40317ffa8b7c3314cbaa653a418b0b597c292679baa82848

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
fb90b18d8ab2154b8c35bdf4490ddad7

SHA1
206168b38d6f48a182b1b853e89cea9a34327b03

SHA256
913ff9b9bfbd264809c03a0c06aa972612d89cb552946fa75ababe3f01888d43

SHA512
02a045116f36ae83fa4bbb3d5fa8fce83fe5439b5b1c2422bad72c4b5ad54cfb8266efaece5a7abf9ccb8c642ce12e9a78ad65a449bb6c8917ccde962218944d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
8d9e3fe9610763b2e31c669036958635

SHA1
e4fa2bf0572b293fd8b5e7e6cdaab11f239d8cfc

SHA256
77fecf69936158ee35faba93ab9553e02026fa8227b2ecb454bc035fbbafb090

SHA512
65b9870280b4a51b6bf0dc8ad7665090fb33447d50a0a07a47d1058f5fa441c6b07c142e396875435a08861a0bc2164db5b4dc9992e7fb48ee0faa46e982c7bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
1dafd4092fe7b193de9a6b89870a4631

SHA1
933fda8fbabefe0840da83fe33f9426c8531c05e

SHA256
b24eef92c9cb05d878a3f85adc09d9ad1111920cbfd3dcfdd4b354d7790ba8f2

SHA512
ec5d489a5e53308866e75fa8093e7d2867edfc0a2d60339c0773a978b7105cda9b620bc1e7ebca183c81cea69c4205668bb120a3f8bc652c1e09b774ca0e0a6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
0824bc410fce198b693d2579dec83774

SHA1
6dcd3570443d7619e621d1ed3e4677abf7c459b8

SHA256
9225716872f920ac4da1c81c568c5183394142ad87a38f5115dfbc73329175e2

SHA512
eaac274cb106a0ca99a931e45d007e1fd8ea98f8c1c7f6e9ebc0a05ff98f066cec25e53942ccf43d0292613218fc9b23a658d44f4b9c4fbc470e1abc7596c5ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
fd7f2cd31fa82a2e85da78c7285c0f25

SHA1
e2c337c3606c092f2ecc1883e5d83a7b3a74298c

SHA256
03ef5241c61bd723a02ae2bc95dabe143590f2d6c6109fa1c39d8eb89a24a986

SHA512
3e8fb5f2dd71889005d843a322a6f038896566404142e28f73f4dbf0745a29b52c1976cf211d579cf3611a3c99b91b3de002ca65bd9396778660bc1d900bda6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
04a189e480838006999607d9cc450d8c

SHA1
ca917813a2957f4fad2022f8f9a6588a56d97ccd

SHA256
4b761efaae07f0a1ed3e9739aaae7d2e8a79edd112dad9fd2bc44dd97be47c6a

SHA512
2b4c9d668e628bdfba5b5ed640215bf3cb6eedffe97c9163d13a0c44ca439f5b57f4f2ad99844401feea4c2e7a5767e25fad22e650ae8fa02de3febf954d205c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
7ba3a88e060aa3e9624b66f4d121316b

SHA1
bbd38932f532ee36d2638c567d82dca1a2ac04a5

SHA256
21bc70b3c541ef19cad82d9b9051de13e333e9993938af390bfe653c358d501e

SHA512
f22de97e0be8c331ef7bdca5deb98ec271da8b24ad8961e864aa94597506b81a5e39a294b2c7d1e4b240561e987d8255d8fe6c84fe77bd02a4089d03acffe84d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
3dee10b39398ae5539d455cc77b07d9d

SHA1
a7d998dbe5c944f16f38952258a6b8e0dc02abab

SHA256
9491a0f75905433a0de449db9ad485f75545fdd302a5e7baeda50030577fc9bc

SHA512
f92180710df3d2f263058abf6b7be66ebeda8d087ccecd6013cceab1f50f88e8aa9a5989f2b8eb0918126b632067100d25f8de31ccbe9da7366ee7e4317c482f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
693fdebb93ce90876ba3df25c7537ae7

SHA1
57c29170529e1f7599290ea6a8b9387dd2edae65

SHA256
786f47fe167c110ce4a180a467c87e9693313b5de58eb43893750fb655964d27

SHA512
91ce32e273091af29cedec05e1513c6174b47af2644a1291d5c4068cc0d7100e6e14b315738694f2fc672f249ee24afde60a20507896719c9e84c5b0ab9533b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
1ed2f6ffa3827359179ea8430c23dfe8

SHA1
875d7ece8a1c329cd7f855b6bc5ff8bf93255178

SHA256
b0e49654fbb79e153c0e0ace80464d85fc6749176f2ebb3a359aa065d136f97c

SHA512
d6137a87e87096485196e045465bab07db25d0248738c7bc71b6869a31d701821929cea1f3ae4bb1e67ffc59853cd0a9033bb6de766c18693141a3e30881a3fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
3f599e495a1b071d78360eb102288885

SHA1
d092d90a6a3204cf9d3ae9f05f33b13bf9b7e0bf

SHA256
35f0d1b54b4bdf4982edacdb6e332757016d7ccf2e8faf52d8423c764807c3f2

SHA512
d95c6f8ed846d253de199ae5abc6229c7fba3eff2613409b27dd68f9be7d5be02eb78ebce0d8f509b1fd7c4637445a9e562485be6aa57495066294746e95377a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
838702d27a252e6158aca7d76b90907d

SHA1
ff741f04cce9ea45327c46fba8a6aa013d8fb18f

SHA256
759a594537fb782c03a8a6149bf45458d09cf9196787835e64c07e92a65fc3cb

SHA512
9a0ee47bcfb57a447f8a858862fd6feb1c7ee711d4567f71da1e6f94853822e661929fe5b85fcf563c31ced0a4772090f09d645c85525cff6f93337ae6d8c664

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
ee19fa9d5d3f2f8a9024c35100fbd5cc

SHA1
a41421937333a734b698b6cae968ab81fd351fd7

SHA256
1f93fc49e1aea9801de1f01f106f9a847c274dea0d8133410bba2ea01d3a1798

SHA512
3b4c2d2e3bdca1163453b152266ea527bd921c7b8cc4202020c47755ee87e887f98add6002f15d553547d0d7f0c31c675402a23c9869df005e635dfc4546503f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
0e419b15b177ed6cd7af165a73043145

SHA1
0311709b2e019ff42a7572b1e03ead5a92b6daca

SHA256
9e887bb39bfff0e236e4def25df7c748ec2b8dcda111c30d2243942ee998a55f

SHA512
180f4714f6f88cc9e746374c99d2dbc3e7d881789b877752006605a990127d7a76e6486756fc07981de76ae468383ec4fa2d1437080ed79b54ef5d8982e4600a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
85d749c6fdf40278522310df9f9de20d

SHA1
a7b4a8a5d78cc91686e618e97ca9450b04d69ec1

SHA256
ffe2e44f73012bda24c3acaae96e7fc304c00ea11c99f900bd91bca3d309de24

SHA512
7c2942d70957e4617afc585dfbb2e8dd408acc069ccffb6e6230fb567beab404b856325323343e6924a8f8de0b3a17a26e97850f7ed495d7e0124a22e7b469e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
30d9b8794e6117db0270ee56df2ad089

SHA1
2dc7f75bb395ec381cb1dee684ebb35afdf07314

SHA256
552d9ce007d388547106ea05618efe05cf28f5c19006d3f13ce459daa6324d81

SHA512
070b8b496cd679af151faf99e62c2d0e49d8b5463139e4e72c7d316833c8b55f8c4cef4c826648618e4a89416b2bbe128db187e8aa71e4fc26fab6667869fa19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
373094a89a6a0566a26d8052e3ee0428

SHA1
dc6c0eda6a02cf4d33e6933fa6e0f7b9841f7006

SHA256
4a6ff1f3953489c00d5e9aba825cad8727676f2e678078401add7385d5137607

SHA512
df8c170bd302f88e8931ec5be583613fed34c2dd1b44b6f4d1fed9758e08cce94ca97a235087097f301130911a62fa1b234bf0b119a8cba5831f0381df09cc7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.6MB

MD5
aa8a52afef40a4ae1b9dc3f7ffe7a8c2

SHA1
543da8907046244534e9ab75057cbaf60e209299

SHA256
985e6018b84f4553a84b646a25929494aa85350b7212018238167dcef5568790

SHA512
a48a499068d7a4c6baba747a2f7fc48f9e88aedb5e2c15ad1afe6e208f66d53a0d5b1b75a93457f173dc7e16dda3b0c28b438a6a98b866eeaa632706b990d1ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
99d3507019b2cfccb934a02d9d595022

SHA1
425ec34393d80a6b8b7cdbe84eb3693b0d9f8ce0

SHA256
5c6272e02a6995a565d5fe8de082cfdae3b5f3c9dd066d2afdd17cd97dba43b3

SHA512
5f49716de3269646b8009defaba71ad32d1da3330f730944990db63bb8fd7484d7c9952a7439ecfc40d15d934a4cc9ab190e6ff31eee63ab58e921396909167b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.2MB

MD5
7ddd956b3e21d9c5c77110780ce0f7df

SHA1
458fb482cab7909361b4248a854d57fa917dfe97

SHA256
6df6e18c3baf79f7951fe83a0ff8d2bfccd0ffccfde2c4819cf63551885fd325

SHA512
ecf5ffd3072a29cf2fe4ca92dcabb45afbdb42e348438a1c1cf8a948fbbedfec8de47cc78b017d42720ebe91b1517a6d67aa91068fe992e26b886095abcfb350

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.2MB

MD5
d864572f41a3ef87e87f0f9ca8a66f8e

SHA1
6be7206a7c08d015f0764420ddfb90a2aa9cb66e

SHA256
e35f1dd858f74a17df4b429499ea0327e25c9f34f0b93717062da868dc66622e

SHA512
fafc38f67f1c0e2909d2cabb0df8371b50471a0bb9006fbe85850c5bc1e408a0514ee68a7c68058807341c3bbadbea8f269bf7eff1f48668a68c9256430ce1e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.2MB

MD5
70f31957633d152c0d1f95bcd737b946

SHA1
8a80d6e82eb30187ea8e9b0cf3923c88fca38021

SHA256
acf39633c4f3fb66db01d1a3ef9b5d5855a432d61a1a32c6ce2d1ced6f98925c

SHA512
a90f7ac9a4c83f079c783dbf190af09adfeb09087a99fdd17726f93963750788ad2c6bbf2863c6c247c3ece1d8dda8d64a232a94cc0a97ea7a3d6b1880a14ae6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.2MB

MD5
5029aa4017c74c171a57d05831f0050c

SHA1
41bb63dd74c7297677743c864a7061d866b1b1b4

SHA256
2caa253d76a10fad5de8f6d81473ada50af0da16b183ec5340785fe11b401641

SHA512
45985096dfb522e4259f17e18175d0e8834e7a9d853ac86aaf33aec23ace0b0e725d3fb144c6934b00762e0bd77c8e998be3391e4e4c787c72acc380b2945d8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.2MB

MD5
9b31f7a199ba7412de63c3c4e49a6c57

SHA1
98084c54616cb03e9b635599a16505c53628cc2e

SHA256
a7c4e965c1fb2134c708ee43065512a3d1e78599a91b27ed2c591f6244b8fb85

SHA512
42e50d3e7a20170f2d80b98305909d585130b46e153cd170a74c8d8e4bdbe3b124017a9270c3db7e913603ef9d2190e6cb0df19bfc35b5d2aa34d87660f76f22

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
4becb55045f218a44b0b9ac062be3fef

SHA1
e30bf2901c156d2858afc2943a3daed621b404c7

SHA256
f23cdd9493227396abeb7dd345e424c3c1dcc9108f778e4d8a97822c8af24107

SHA512
f873ad38ddda9af464944618df11795bcc1d37ea62c8fe5cad8038e21ce7f41ce0fb8e9c048bdfcd2879cf205157a618994feaff417ff8c0879f282bdfa22591

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
2c5e419ce9792c0debc57feacde008c8

SHA1
f26efaabb0c828bb21eb55d50edd0dab3a5ffd1c

SHA256
698fee70664062d79378e12d7efcaa75e440acf764e94bb62da340a7e1e50fea

SHA512
b9a07a41378c97a840606e0baa69d7b9bfa94aa89ec69af54839a0360472405d26cea4de304142d5c2d005ba438ed38ef61524bb46f0474175eee3834e69673f

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
cd9f923f1963d03721a8cea98ce47e47

SHA1
00f82e9eb7a400b369edb39355a8b375d13608ae

SHA256
83b06c181a22b851942078f8a98e864b4c91e04cf08708658e2dd079df1ffe60

SHA512
30d7bfabdf1ad24b95414e6b6fa581080bf7faf773989cc73cf4b11a88bfab7a5795f22a015eb9c5d493498102d6e9bc20dcdc09c1f5c3ce10430413fbcb0299

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
2558e05e815718cf67772a606ccb8d99

SHA1
4c933fc18f075d6307c5772f3ae2093b9df4ff85

SHA256
aa04079ca177adcd34189114416159329346c59e14d023c5b6c67ac0ac1be67f

SHA512
3d38557ed1975521e7ec3edcd64445c666fbaac2a12f63c4cb11ba12b29e701a8a76e18582199b3db03052c6bd15c93ef97af492bb0200de965f133c57b97bfa

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
7ab07df867ce482e99c86d935d379a84

SHA1
8fb4f809424c20181dfd8e46cc4d44c691dbbda0

SHA256
9ec46ee8bd126238b72d42f21205327b38cc09e41232414c2b8f11a012f1b4c1

SHA512
6ba0b922c21e62ff30bf1037957c5e1c72e5ae95b504a41f2d6f2bfc2a7586c984289135e0ccb9affc17da1cac26b33527c79802831350062ac27954a87a8955

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
63878317bda3a4f896476e792e495c3b

SHA1
de2a48fb6e0a068d4418acc4182a06d196fde483

SHA256
43858756a82f3e6210d23ad9476d2b8b2caf649ee1d970a8b31e020467744484

SHA512
f1c69ce55a96ed68dc98f4c876f7c99e4d478fd26e79166792af917cf3012dec00f46cc1b63db8b88ffc9392f975b126942d826cf8bd1c16fc4d5ba7568ebe5b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
0929e5f189a326ec673cb568a60108cd

SHA1
5b0b5afa9be405d78d0bc9d8209edd22e4d1c7fa

SHA256
8b91f59a54c7a5fb1198a10cd1034e639043c7a668b4bef77ba622bb78c47b9f

SHA512
d01b7e3c24c7b03ef4bb13b198009836eac43c07929919d1b5393399a2f8207750191a2bf9348222735cc3241af645c53e99185e027b4c4596a35b500012a7a6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
726f16d0b8ccd617063170b2037d1a35

SHA1
3e7488c1d4cc36b09f258aa8afbd729b9f3cbac2

SHA256
3069ee3b3e8c5c4f8636c34149b1d6ca70a65fa26bc1d5ffbed26078bf816b7f

SHA512
94b4a743eb7fa038d756ab70dce875b72018dbd0d21c73ba0fd6757eb3c16f1bc8b037fb7675c9f398b48ce7721e70262a1faddf93dcd6d21bfc24a7d41dc6bd

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4aada565a08cd5efd5c35ae9932ff391

SHA1
426c659d0b962a8a8497485145a2200dc4920e51

SHA256
7ddde6e91e9691fe33f491adb7e49ef3a58ecda905cc984841aa5cf24719b5c4

SHA512
78fe46731629665683733161dcb15d2a54f857dbbc03109c129b915f2ea6efc6aa0e7f56d642a4583c37774ed24fe0b0b861842359aa09099e7b3acebf7eed7d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b70d8f85225585eefcc9a15e0089146b

SHA1
d1d1bc4eb4b45a40d607326117010730d6f74a53

SHA256
7804865d89914c2f77ac4e2cf74d66f178e3dc793cd6a387c047dd0c98cf094e

SHA512
41493fb1be385dcaead45c45df2b3030c050d48770e3c4113ef97038d0549e67a74667b46f9989907b8843c49b5f1aafa5fe29325a3f5314b3473c0c4c0a40d3

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
01b080d8be15c73b21ce582a0aa840c1

SHA1
43d0ef4ef9d2de1299058a465015e9fa4d24459c

SHA256
db086c490d181ad0c4cdb02d937715b76f8ecf4b55a99c9dc4a30a098ba45f95

SHA512
8a0904916b6e793cfe406fdd2908ad406aa5c38bfccd05cb0a6f731ed2231243bf0b5da4891f73768a1987bf564db28e3dd0e89139df9bfd5db9332e0c27afff

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
7fae6f078ec21dabeeb7b1ac6a8639f9

SHA1
3d69a4e94bbb6932ce84d5bd2b021b55b164ce80

SHA256
05aab229cd062b7a9de116a272927255d7e7ae0c016924ffe45401fed856f818

SHA512
c89c727e56c1fe76f8dfd8f808639ff5ab24ce2cfa98320e1741eb1755c86f54b3d5b94cfd71c6a81667b864057e2671d63568df4d2f78b1fe8779ed52c30450

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
bb02b1e8d6a9208b44ef7eb5f1dd06e3

SHA1
32f44f8da40c9bac7dedcab20e5e0e3455749b45

SHA256
b3edf1e83cfe253a5ce40bbe71305ab40a33f70f531a2f4aa9b7b0292bc017aa

SHA512
00702691e06f54c35c53506b0f0d829a55e7ddad4ec57b62cf9ad93e7857ac5e7e80d5619c101ae7f22869b95a00897f8e21b8991ee5a7f679e99cd06cf732af

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
4cd338448342969eff973496dfda3153

SHA1
2624bf63b7f93090c700b885f8b35d40d665d591

SHA256
49063b4bb7c8c89af5e0760dc09092dc048a9c64a4cd4add964fdb8ef976dd36

SHA512
c480eb77079e279839c040cfe0c28fa63b424eaec5dd9ce05554d1e5eb2fe621fe748a1f472e6ac1b4d81af696b6454ed3609da966f72ff2b2a346c4057cc397

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
39c0f054f37ac30dc5288c95f3a82bc4

SHA1
c241fe72e0ea5fa34aba3ddaa1b0a8ddd7fedc72

SHA256
6c74304e9fb92dc1c680b26543dce0e012870584a79bb5b685018862815ac566

SHA512
5e961ae37ab295398409435f29090e270ef3fd7e6b84858a28e101e845a694ab16b941bf96c2872bf0353357f9ea34ef92f772b5508bcb9ece75f88b1b32efd7

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
4979d6a2471a7f9522376391c705b064

SHA1
0ecc1c863fb87f6949bd08f7bcb2012257ac8b16

SHA256
a5d68a7b9030d4ed14c8dd1e94b8621e6a03d67b5f21e2291ed72427459f8889

SHA512
fff6a28915d8ac460a2998ba06686f0857a3d6e013a5130739be8df09c8c42d6b881b584ffc6e0a7640aaa3c390a6f563b7bb0cb8b38a8b48b25842a74535a13

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
16ae0280fe8b2bf84f01aaeb4d4668ff

SHA1
d531c899eceb51cd16c7d4b3c15dd3e379fd17af

SHA256
c08a93ded90330e108fe464ebbf0d8f02533bdde3afea4a178877deaf98e5291

SHA512
9a63860d811ab5f9c0796bf81b3d2167265c0cd883d22d8ce73764318d211469fea27749fec7d1555b5f560ab28e15a2328677d45d4f7e5cf6d6216851d278ec

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
87dba6bd506919f929962a0a1a8351af

SHA1
7b5ea4b6b037bc3073bdf365acc05c66e812deba

SHA256
df69ccce2382e7ddedc764eaa96a8d5c72078e370a29b4f8b88291fce15c948f

SHA512
e65ce4fdb824bdade0d7fe9362d8950b6a5274996746622727388be1238aa2109ecac155f2739434c986bbcd303f4e028ceb45d39a033e5db1d21924427450a6

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
50640a659c9b4e9bfc97bcabcd138b02

SHA1
9fbe4146f1b005a5cb31e93b962b02d6abe439d1

SHA256
4bf43cb5d9f4d43405733e371d461e3d6f472da20fcee9e84f3629be0fec0433

SHA512
ab4564981b4a8ecf856266fe915353f8c71515caa7f9611d823710944550cd42395fc4ce4f79402e33948a0c29232ae7748194556c10fb6095358ea52f5100e6

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
1406cc5ad82a4c9a577818140f0d44d4

SHA1
00249e75c0c35e23e59e2c28c0b07fdb4b7b4ef5

SHA256
5af74659bba5310fda05354daf1c665cc57aa9d4397511f46614939ca12df032

SHA512
c2bdacd1171fc97f1c1f92c3b7a5a595b481fcfee8c87556be14080056836c81ccb83943c02a31d5dc8dfe3723efc6d1aeee90f796d6ebc01a768bd684e8194e

Download Submit
memory/412-388-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/412-269-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/780-58-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/780-62-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/780-52-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/780-65-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/780-60-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/856-597-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/856-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1028-602-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1028-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1104-522-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1104-336-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1548-590-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1548-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2020-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2020-255-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2020-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2060-351-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2060-593-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2064-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2064-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2064-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2064-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2236-430-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2236-305-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2352-599-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2352-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2356-67-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2356-75-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2356-239-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2356-73-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2440-433-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2440-600-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3096-250-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3096-251-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3096-243-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3096-362-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3100-598-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3100-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3376-573-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3376-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3376-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3572-302-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3572-412-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3624-594-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3624-371-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3820-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3820-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4564-25-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/4564-288-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4564-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4564-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4564-400-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4564-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/4860-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4860-28-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4860-37-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4860-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4944-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4944-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4944-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4944-235-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download