a3b3dc1906e0ef76dfdd097ad9d47d975c59246b31a7eae386ae02a2fb1d8b09

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 12:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_01f7c73c693feee5b3a79ebb99fac190_bkransomware_karagany.exe
Size

677KB
MD5

01f7c73c693feee5b3a79ebb99fac190
SHA1

de55dbc4ea81ca8f066d5cad10ea136193968244
SHA256

a3b3dc1906e0ef76dfdd097ad9d47d975c59246b31a7eae386ae02a2fb1d8b09
SHA512

8879c37a44efd93e4668dbb4dacd78efc1bed85f2a8a221ebe0e93299d82a26e2a4a3a589a1fc9ef26e7fb581821acb1e7506dbf49e1d686d677c47ce131a6b0
SSDEEP

12288:QvXk1cU5VFWwHiC4mxYr8PCAwQy3KVMsMWsYNv+0kHe/6eZ0hW4:Ek12wH/BYcCAwQEKesf/NmLeiTd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4572	alg.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
2720	elevation_service.exe
3708	elevation_service.exe
2740	maintenanceservice.exe
4504	OSE.EXE
2352	fxssvc.exe
3976	msdtc.exe
4372	PerceptionSimulationService.exe
3524	perfhost.exe
4896	locator.exe
3468	SensorDataService.exe
1852	snmptrap.exe
3272	spectrum.exe
2616	ssh-agent.exe
5020	TieringEngineService.exe
940	AgentService.exe
4824	vds.exe
3376	vssvc.exe
116	wbengine.exe
3656	WmiApSrv.exe
3792	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_01f7c73c693feee5b3a79ebb99fac190_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_01f7c73c693feee5b3a79ebb99fac190_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_01f7c73c693feee5b3a79ebb99fac190_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a3ca2924c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_01f7c73c693feee5b3a79ebb99fac190_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000705b13c82eb0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c7bd4c82eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000086dcc72eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3219fc92eb0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053bff6c72eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff3693c92eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a87e96c82eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
4828	DiagnosticsHub.StandardCollector.Service.exe
2720	elevation_service.exe
2720	elevation_service.exe
2720	elevation_service.exe
2720	elevation_service.exe
2720	elevation_service.exe
2720	elevation_service.exe
2720	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2692	2024-05-27_01f7c73c693feee5b3a79ebb99fac190_bkransomware_karagany.exe
Token: SeDebugPrivilege	4828	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2720	elevation_service.exe
Token: SeAuditPrivilege	2352	fxssvc.exe
Token: SeRestorePrivilege	5020	TieringEngineService.exe
Token: SeManageVolumePrivilege	5020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	940	AgentService.exe
Token: SeBackupPrivilege	3376	vssvc.exe
Token: SeRestorePrivilege	3376	vssvc.exe
Token: SeAuditPrivilege	3376	vssvc.exe
Token: SeBackupPrivilege	116	wbengine.exe
Token: SeRestorePrivilege	116	wbengine.exe
Token: SeSecurityPrivilege	116	wbengine.exe
Token: 33	3792	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3792	SearchIndexer.exe
Token: SeDebugPrivilege	2720	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 5264	3792	SearchIndexer.exe	132
PID 3792 wrote to memory of 5264	3792	SearchIndexer.exe	132
PID 3792 wrote to memory of 5288	3792	SearchIndexer.exe	133
PID 3792 wrote to memory of 5288	3792	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_01f7c73c693feee5b3a79ebb99fac190_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_01f7c73c693feee5b3a79ebb99fac190_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3708

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2740

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
1⤵
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1792

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3272

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2788

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
49ac0ddec0b9a8795dff78a3bf9e8813

SHA1
614bc0e8e5011cb2e9bc4e918909470a6df5edf9

SHA256
b82da3b8bd8c3e1b98de7e7c342321555673e161dc4f1b0f25eea5e100134120

SHA512
68287d01472d0e16940011b05ffe5a41e07fd77c995cd968168718104b780a803f09512e6e5ff299c023d7780312ac2ea3e81d2314e5d0bae85ccb68f6203513

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
1fec9d14b4601110b2e62cc5de577c3a

SHA1
36d26cda7be6761653e1e5439c918585ca9ea1ce

SHA256
44cafc7ecf682a3c8296fdc3a4391b56ae519e7cf3299f6e08d2159f651abb6e

SHA512
0c6f241d30a78c6df87168b498299e6437254a5a6fc5bd2f046415f407e77862e1579ad8f7c948a1de3eedbe42264b47fd89683f1e6d02a4bfc087cc9aba88c6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3a5517b2e1982f159c3e39527add032d

SHA1
2cc5a54695b746bb90fdd279f0ffc0e1b5db4498

SHA256
3624f56c7d129ca90a7b9a1f2a5396c7443a06c3b1db3a877e7ee201409c78f8

SHA512
3df748759e18d1944016f731be3cc978cf8526085719eaf8029f4b3b5aa05d7b65a3460eb813de891a85010c470f3f92113dfbb7c6c5cfe137fd75fb3e4eac84

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dc07fd6f72b25ae9e669f0cda467a4b3

SHA1
f9e79d02f563c6e928f7575933e2292722ae9498

SHA256
e511bb806fac0d6413089525e7dc27b31e4f11ebc9860915efad3dae7d3baefb

SHA512
e384fc6c4ebc08e28bfbcd21129fa4509c954846c8d53d10f92ef60b6d7e1b4c6ad37957c22aeeccebcf3cf9257186d02940a33a69cbf345f16287209f31aa08

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c8832035b71af79a2cef4ac7b914026a

SHA1
08739c1e10ad9a4a0840c4aef12c56055c7e44ff

SHA256
ba0e47542764fb56bb876783b86f4040964aaa03b705bbe736a28cfaf216b04d

SHA512
ff5cf208841bd0a6ec4b0a669c4903b16fb531cc31267969bd964b05701aceedffa2f2e05f07917c3c9a5a9ad1a261b83000d8684ff16f4608d6e63f0504d3e2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
090ed00e6814ea88e91dc769b3a7c819

SHA1
5adb4934bbdd2151ac2c8f37acdbdb8709042093

SHA256
b565c25d7ad2a4246c7facf4ee99b0d4db980f3bd0e4537338bcd9794a32de34

SHA512
bab921f321ddbfa948d035216bedcf8446059101ebd500444892cf766730b904299eff58ba94cc36e83e02615f061d1fec4e2636f98bbc1e9283b4d69f7816c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
758d18b8e255c97f914511d37fb7d974

SHA1
dd5df13bca2129fec9cec7cde89ca41944c7da92

SHA256
1edaa2771d19d103ba3422dc67d90170f117aa64aae28a74202c7b7c808b6734

SHA512
179795e331a56dc2e82233b54c4b7ad20417addeab3a3076d485725ee3a90a07053c77d305265579daa18785b1767400f5475ba7bdd3280ab4c40025857f3768

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a62b4555a45d3e4ddfea55b9862cf44b

SHA1
b33a6f4da7b343354d80c3351c7dc23ddbbfbb96

SHA256
166d7a4327d7834cb3a9ecc7a6553e58efff6bb969ca7dcf8ddef4e1137d0825

SHA512
8ae7ecfbb9376733f96d327bd475154c1b00145546a0022f83db307047b44bce73368a7cedad9f920046b5aa1644acc1812584f7dae55ee0657f2094f422bd8b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
cc656798aeea4a5d391dd2de802a42c2

SHA1
8f39c513a67af35b4e4660dce9606a9e8678227f

SHA256
ac73c280e93b04437980e08b3f955baf2327911e72f687aa4b984c35539b6e0b

SHA512
b7fda647415fb4fb229ca5dbced5765818842ade4aa554201c86bc75e0096619d290233108b6511f0660681ef775f20feafab68bf13ecdc75409766d7088ab89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0182c642477f6e2d69013bf7bef0f876

SHA1
a281927a18750c1c819516c00bc4a0b78df98e32

SHA256
27a360ee11f14c7a836a667079a89f709ccfb1288257fff7469cdc7d0f006456

SHA512
0de96ee7ce0e6179c7df30eaa4bfb9a201ca62d5a4e26caa390fef5c2055d5608ac2fdc8c5bab541499df20896b54b464b8b7242cdf7ff30a645b9941e5eeae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2acc977a5168cc2e3d01cf7c756326a9

SHA1
a205bc7f63b0d1aaab0ff8159b3f2065128413fb

SHA256
f187b4a2e6e69cd00c85af41f5bafc5438a01eaef428ddb47a662a732e83cdf1

SHA512
c3f1e6ea7c41bff4692221280b0c8230522fad8cc63f271d4cc1519ad8c5d1871555f31aa88b694e3533380131c81f56914aeead9625099eb62e8a2b38c41411

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4be414a79d3b061dc092170440f580ab

SHA1
c22f60f565048c55d598650c4902de6c61708789

SHA256
b1706a5a6afe1a64b6d7872a71bc372c7a7790708d98eb1ae8712bdab66164df

SHA512
fc41415ee6a2e17a31518d6449d1c3da1553802a6fc71eadda2e07d1eaa9f3aa2ce117d0d3c820120f7e9efc327839c2009a7da730a9f3bd666bb50d803f4fc8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d699cc1a0bc96174303601f161b323ab

SHA1
56c47cd0f998c06f6bb8ce20ee9eb3d8fb502e27

SHA256
771cadd43f1c44c87df088ddbd6adb01049bd99c92610fb301a30e2513337b62

SHA512
6e185719359c5928d8dbf107d282b958a1c6533839c216731f6caadf9464a2b27a5abe1ed9be94c7a8879150bcba6de605525d22a085e62384d0cfbac0f952be

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2a0d6a658b62f416285b169c407b1d77

SHA1
9bc2eb310e451a443e86be18f7b83cebd8fc8851

SHA256
9fcc07e45535fa5922298da42788ccbf893997042c1434e6894b5aae8bf569c6

SHA512
a6f5a1466b1e43726c1a7375d30c3587b066d25ced695219c17b8f14ccd29ece6dfa588513ba297e106662a9a2c96c93a5ba6da78c881d729dba78a61345251e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
508f70f46ff2e766ea7a84ece3120798

SHA1
1cf59ea527a1c85912862af2aa4cb361f79ae9a7

SHA256
b78f7d659659db9438c5a64dd4141e481d59f4ebd8a134990f3409389e50256e

SHA512
c9069bd3e97d0377ab1abca3aa8cfc29c56bc8521815f80abf97669c570230e18e0675e46e39d5da04ec79757de63da81da3645c57951d339f61272c89d4225f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
da9c010f6c84fbe6ac5f88c105141e53

SHA1
948fe1fd2c8436101991d43900ed190d3578b237

SHA256
3420a987a5c62982bb292cdb848d5afb0ac1126630314274d20a2935b750a931

SHA512
2b49643593567f2a4d26d06b866936fbd2df6e09dabacd30c8a52f2afc2775b407ac640a0c0908a601660d384196ef879da58e4ff7a9298a6a72a98354556965

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
690e5d508930e4ad68725ef337cb6f02

SHA1
ab0f26c67b37db6ddff78dd2e39eb239e2819c57

SHA256
ff097720653a829a72735fbb4386116f69e4fb5611f999fe36d5a62fd2e8b7d1

SHA512
2268e3356b3501c8c9e780f879da240bd1ec1f2200c78c70ea4cce1bfcf12dd30bea5a675b6edf8636c38443a1683c43ee1afcce6de97c36e90445218e5102f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6ba0043492042b86669a606be1c461b7

SHA1
01458251784154ea7204d01a3693b6c427445db5

SHA256
10f783da35609a21352fe285c713ed39c60a3649a7f779780c65cef0dd38a07e

SHA512
392318589a0584f4d10b9f719c5079684974ce46e5807965faa5f93908b6799d9c756146dfba00611d0195332f7e1b8d3051f3add5e1f2ca63d2cade72dbf996

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ed97573d30fc75b075b125e41cec3853

SHA1
0ecbf28746d5da3ec55f39caa4d949ac69d4ff2e

SHA256
e0a59ccf04ab2c16130bfa0846c2e68b442a4855105c5fa70e154b55f1be5866

SHA512
9b39f3f6a1e13226ad58fce29731e1cd5e016a89b325bc0ea9dbd1e61aee2fea7e7d86bda32c30fd0e9872c1b3c212f5a067cf43daced3863694286dcafafdcc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
57fef40c88b91dbb9829862252c65b48

SHA1
3b47f27bc28f5a630b67339ac2f56b1d18bbdeae

SHA256
75b0e95edaef551c0a47e1176dd29b1cf846c467d460d0ecc63faa0bc744e1c6

SHA512
ca857c6dc431c9d0074c2e22f3c573bfb13c305e6167a162d0a647ad9acea7d13de233e3157b827a9d0462cc4fb0f493a8f30a5aaa18467edf03d3929be5cfc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3202220a32987bab05ba9fc79429ade4

SHA1
69598002b871cf4406e473764c18f8ad2725beff

SHA256
e31542559823955843f1187a75807a5685f9290cd7abc0ca53e6b32d749db756

SHA512
9d2d39dbbb54c60190ce9c5c02cf4292e90440b1cd448eb1778c7b770a21529deb690fecbea4502c0e6f61eb2567a41849093b636f4b39b58e40e991b957fc4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c043161dbfedc35058fc9fdaf891fd0c

SHA1
46e0dd6e270b5beb89d825846bef3492b8a67421

SHA256
78dd53531c1bb7a6ba81b2dfff1859997f0d20806c722c5b7c3b20a76b2d55e2

SHA512
54084fceed704837978ec9b80d3c2837d841a629eafc5155b40435dfad61b690650e541de0da3e0b773e88e40fae7f67142bd7f51a168c8bd0f60191a17f3409

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a16ebc3bccdd5a89f0a2c574436be3b1

SHA1
8768ea3504977d142329ed2f379be89a51e5e6f0

SHA256
a8ad0f5bd2519b57c23f613fb9b01a93b9e55296fb5906eb6445cf7c3c1c07de

SHA512
bb2d86a9d02b25bc9830c26c984516bed1e97f40591acf0e97e5906a5ba7b174911baae1f725ce8cb0f9c3b121fc866f94dead21169174d37da71d6a37141e6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b3524fbac2b9427c39c549c188574882

SHA1
eb408598981c8f4969da9da94e18f2d4932a8b23

SHA256
1a9cf01620aba156d3637df23033e0e0c0cc32773bbe1913e80f13936d242937

SHA512
a3409d273dd94e73c8bae017a40dc37648180640fccb4d8d4186a3d8ae7da511e28ef11555087d4e4547c44ce554edcfa81083c0453605054753723e94c3d95d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e66da87bf223012382a8d3f1a1cb4043

SHA1
1eab7f453695f85f610421a324c98c9bc38ffa35

SHA256
5fa3a6b9d46260762eb0b26509618d76b5ec5aab75ca2fa923be5a786aacdbd1

SHA512
8cb1c06f2cde824ede1bb19dde3ec65d6e7dd36aeb48df47f6afb62c109416ee8530d0f6c91e642db2e222ed198ed2b50218e4c153edeb087f713b021a4c0062

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
269a442ac563f3538b2ca6751c7b8bbd

SHA1
497f72016a5c07756cec35bbca1efc0356e3f211

SHA256
5c1024ab83111fcce645dbe2f8d5335783e4ffb4a3e97f2b47d14d5479d3d907

SHA512
7c765527b524b0b5aca364a95fd69e1a11a60b13232be65f2d8d5f67511f4c78e935fed890ec7004ac636a2c3875a3f99957c84132876a29cbeb5d92890cd139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
92891f7dc32ab590d116dfbd08bd3630

SHA1
a196cc0175e5b0c628cb0356bb40304bea6e612c

SHA256
1fa635644f38ef930b8fb6b2fbf47cab614c3d4d3f2072206072e2ec847fcc32

SHA512
7c361a4f570747d428e2b91f12408d0403459a1e15193ac21aba439b0ea1ac8ba48f29f4d5b541a1a42826728104f91cb6b8722a01f317112848ba90fc4e0ac7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c2171473f5fcd18bb69e6c75225ed0b4

SHA1
bfbc258e5da983d5eb2452ba8dc4c3ed21190b0c

SHA256
86b3469271c6c8f7fddf7fc70a9dd18d76db1dcc4f65963ca7a9b5b5a6d5e195

SHA512
bdd93736e403ca9d9dd31c46d65aa86daf43ac903472a4594820337e0581a2dcd3da8beb359772dbe28c86756e9c65ff72283ee8f3ced824b8fe5ce4349d2414

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7f30579c3c327c2b8040e732d2b46ba8

SHA1
ac3eb15ba9091cac1d7f53e06c3d2a325f979ba1

SHA256
ddf950b0cd11138b24b7a279403bf0b7357ef1d312183c6b002436fe2ce69efa

SHA512
897cc9ba4198eb5cfcdd4bbbd37a1037235312b37644dbb62fb8b04ff009357fe6150e9f83dad29f3ab247854c7c8acc8c289e32457a0bc78b0489e624011ed6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
516c318026ca7e9cd0785e36f4dede85

SHA1
c8f7bc72bed767423f9899b0a34fabc887a7f971

SHA256
8be32e266b29d7efd7b89601a050d4a91c846f5fa163a9f8a974f68a4c2ddb3f

SHA512
7eda92237320b94dcc20203ee6efb8fcc45df42ca6dc025e91855cecbf32bade334ec09e597ad4f3b8001e15a50976f30e9b5bb98474c6f40acafd11cc9f2b0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
0e509fdd843cc49447e25f2c99a875c8

SHA1
855a356438c0f61c9f2161c1926fb3b1f852e9f1

SHA256
40aa5ffc28cc0d6e67810e67b52865f8868ab0691dbf797d2a12feb327f221e3

SHA512
4c0a81a91f0b9520eb691e7ce11324919e5ec847f55870612003fe9a4c40eef2ad4c0a9c330d9577f4eb406e501b00778bdb114187ef400b3c523579542def34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c20e523e57a51b172f8cbc1d28d87ca5

SHA1
b02c1ce1d06bb5834bae56632f0ac1b42929e758

SHA256
64a424c7d4bb772d31c0f1bd8de6335f55653a11c7191414c2b62f3c0e587920

SHA512
9c609a8670a96127efa43f11ec44b7ba3aacc2c5288ad277c37fb47ba4d1a782b86ee61aba15fb034b555940049d8bae9f00f807886467bb0d31dbe04aca93e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
4acf91e800f679c12282cb968f96bfd0

SHA1
d2805594d4ef5800309afb0b29a9adf10a3b6b96

SHA256
6de3a1d467217c538ec6c22a95f509a88e8170ec5e084c6d19c5599c455f0629

SHA512
059acc8639c970f41992a9094caa8929a8a4ce090dc80431db29f3e9fabd7e63d3da1e8e9e7494f78ad3208370e51d71ee3688825b472ae1cd5dc38c9dc664a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
cf7d9500868356c3d92ff372344a1b64

SHA1
313dcdc403ea3a9dbd3d195e0bd326681c4629b8

SHA256
abfce3dcb487f1cd128df6ea5bb9d46a2b96698fc8611ec5a8f2f7e006a50b97

SHA512
08e536fb1d3c895fb429ec64198625b5d631b402e3ed3a028329525f4c014f1f73cfaaa92c056c0d0fa0152bbc1f05d2006d8e1b24d9ce6d78b32d9c72797b92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4b32ce0b96e8a9f32dbcdde3c5972e3f

SHA1
1f66288e4238ca228076faee6f807f6d451524b0

SHA256
df2565f9214361c8ac6d1a773269de53a2ac6c4654533aebe7c3db343993b5d9

SHA512
d8aec7c27697a0a2ad7456e53a30d68b45d4a43d618ba852169ed731e718030b174db27064bc6aab36ec96bac4f62c338c4cd32d64f424a483f9ae4c092a2b91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ffbad6885dba1663c6e60c7e2e40e165

SHA1
d6ae63bf1b53a80045f665c3b021a7889ebfaebb

SHA256
1852558d2ec4d513ccb9840c08a0cbdd52be2f4bffb4d5942162c622eb5ed1d3

SHA512
3568af9e3665e8d9a84a32bdf42eb92c6c54fea5b4b1d8872b60f4934dfcc2a64056485c04012adfe52a43fd35903e6bbbe8020293a9f8fd9f47d40e7c263c05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
325233c9eb484fd94b09c82b6c46f88c

SHA1
cfc41b3ada54f096f934eebcb10d9917faa2f02f

SHA256
3fd8e72fb776b1e014b5c45e82b7d32c152bc6b5989ea402428875dadaf9f828

SHA512
78e5bd75baffb411a86aa8a351266954980761da9f3da3705bdc22f55c8ca38215ab2aeb1a9c33409bfc509d137b1b790e03ec37e4d69e2f587806f794fa3472

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
02af18851d2b9063337fcd615266b45b

SHA1
910753bea184bba9415fb1b00efe27c4f235ac59

SHA256
ffa137ba2a869f974e69e602836dcc36721157341ff2760f949a4bf020feed42

SHA512
20aba662f484ad828463124f8f4cca6608fac9ccf656b4531f6dfcc398f90ade7e17529df7ee92ec490b972a9a7aaa921dfc63b834e548b817268f55a3bf47fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6793ccb52b9a1d91dcef2e1b64fbc83b

SHA1
f889b73ee53593535093e87a6b341f086b8b9191

SHA256
2cea1bc86a6cef7e94ae5222478aa2a7ce03d41ae32ef8c997d9074692a982b2

SHA512
9a3c561b1dbba966cd0dc4b8697f2c4991d8a6d4606696921113b3470a7310eb267c608abefa84c9c54527a137fc2845c0a1b196b2c550654b9e878bf2345925

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
a10752fdeed129ac7a79b15fd2067076

SHA1
ca5af38c8c4becfd88ea07a7f7fdffcc035123f4

SHA256
4b64a22aa1fc42d54775c7ae201b3dd759431048524cbc19e39d281b317d359e

SHA512
4074ac797673e347142bf8162b8faf51c5fbf39f4ee492bbcf92b7f05ef046a5bfd673b0335b13260575599b082a77e0ff4c89a314d39752fbe7d3364108728b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
8256f7e8391856319da49b3fe8c1c2fd

SHA1
b4591371297dc64a794311d07a373065a86e158c

SHA256
688d42823990e48c1ebd9e98b2f9716a38b998a82cee6cfa58f72d1f13b2acdd

SHA512
f4201fb7c6fa4bbf0122938377058cc475fed7647205c643ad8a2d896fa39ca7631289f4295594a22f1be81bef8513d7d98d1b9739ccd933a65c7ee510ee20c4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6a14d0e96f538f57c433f9d7a73dd1fb

SHA1
24fcbd938a49a2339ed93f069af53ccbda097d29

SHA256
3a0f669b13c825044f06769885e6861b4f2782f8c2f0a970b3218be669780b72

SHA512
0dce0f0c8d2c3b0cec109a4e09bb3c29ba83ebfee63be8114a91ca572f4328affa410c69bbdc7e536eee928fa3cf9f0e3ecb31a6ae4810c893b7b36cc408f6b5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e665e692bac2bd1aefeaaf1c1407dd32

SHA1
5045cc5ef84fa707bf09cd4a568a3a5a6a61a3b7

SHA256
b5eb2b4a349459523074b49604cf0d678d8d5a59c28106b761e65b9c94e84c4c

SHA512
9156610e6a1e7aedbe18c52b921cce4e731263a6e95bc3833061c632ee404039655816adc95b6d637d7bdff3e8dd2d3c302743aebea5ecff2f7910fae573cfd8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
52aade32321a2977a4e883ef8f64afe5

SHA1
3b2797f448a64e76ff3becb1d02c8c23d0ce85a3

SHA256
8afae882a5b7f1301d0eaaea813424f7f49fe643bd953217fbc5a53929ecc820

SHA512
6c5deb731e6e538967fd30754b7fc777fcbde8d6f6ae18899372c9e82f9ec3127a15298aefca513d9e1610640fa48e17a8f214b10376ec30de87e64679bfe721

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7adb3f083182c245d1328f2347fe72ba

SHA1
a814e0f8b4be0a4713dc8c98cfa3f59f05040691

SHA256
d92f3dea4bd3d934d2d9e44e644d5920658c79fcde4cf881d2203f6b0e1e48cf

SHA512
b62c33d26b6c01eabae022461349e598f61276f94bfa606d773dfd32b65ab661264a3cca6539ec54c4a2da13256a10a9279c84a2567c79a8b107961c980b6236

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1f9964222541308e2780f49fcf7fab0a

SHA1
072e1ecb0562069cdbafe74d9dad6d853b2995cb

SHA256
4b35a9517ffeb968fe4532c9f7ef6b22626adaadd96ac6f36926b53e2412180f

SHA512
5aad76c2114f66dc6ab4a637eaac0d6998d7586d69fc8d14ba62ab19e53c655ab192d42baeec4969447a71caaf28e34bb89f27c7be569cb73ff71d9298f9a4f5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e13b474061dc4244e7924ef3b29c0eb8

SHA1
d48cb3cfb4439dc0eeabc561b7efe27fddcd152e

SHA256
3fe065b9afa5f8a6c8c98ac19337c61bbbe4e1dc9bb8cf29a51a6ee443f3bbf1

SHA512
e96a3fc6ab906f9247b1c1eeb68f60b9087e8a51e91619d310a037019b906b208cc13072fb3ed7e7b52fb664ce419db5d2c9a1455f6f8bcaab8458641434a92c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7ae308d8f0a987a29d38233daf40fab1

SHA1
fecbf77d2cc01f8acdf61c908a0ee1bbc8b775be

SHA256
3f46d1ef00d4eb175b021f9869f190451e1ea98dcfc47ff36477166c694f8eec

SHA512
408f853cac660f2f3797434508a70374b377ed283f7c354dfc005d775c611789344d9d3be2198bd9c3c051dbc0cb828f7b820dfa5f4286621da96f46a92a8345

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
bafc2059624427129c9ae5ed1d61a340

SHA1
75fc7d5e87d4f1687e11313169d31490c777e225

SHA256
a8ae617914b6113ba616d758d713da045686d891be3458bfecf93f04dc8f8746

SHA512
e74629229d1d799874c8ea46165c382c90b42f29ab0856943479360688eb0788bb61e2e19aa357d0136bd0ebb55bb9cb087a4d401e7be760e345bb1b0ea2c303

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
36de6c5be0fe17be0a4e9712c4db72f4

SHA1
ca409d6637b93403eac2886d933ea4a6311d22cb

SHA256
acd1aed9166ecb2697c7a59f8ef6b948ad581688cc6d91926c0833d53a11cf49

SHA512
723047dc3d2dd807359fb9f9dad0489528496987d515a6d38de91a998305ba53df7b58c17b742f303b69765b5b9069b29a90638d4ae35afc055e5d6652db8893

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3b169c3f163e832cb4aa553ed8aba14

SHA1
fd8ed4396b1d60d4875934e49fec94d1a85fb30d

SHA256
24c7df29d4a8287cc92c7a7906fe20f94d1ab31a72a9339f2dfa292197925979

SHA512
5a92865223fd8daec751cb17aae3325040127aac24119a7f084b11677d6cbad0b39240b914bc821a19e93fef63b53b8c894387de1c12c1f86e60c6aebf361ed1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
93dff06fef836a8dd867af6bc60af583

SHA1
f6d79b837db26f24ea147088a16f1c2760021f70

SHA256
3afa0d3674380b385c3ed1fa423c49468f4de0161762b517608ef632a1f9514e

SHA512
f5beaf9b4cc1bdbf4bfe2c0de59a297dc9904e815ad2c76a2477b6e4e7b0f4f99fd763789b12814b92b43c5265d603c7d0790b6b8e1646d9690b44efa71c6cea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5beb98b9fc13135a7d540e7803d6d671

SHA1
8d393af632a292961e849fecc8e07ca31575ceea

SHA256
09b60ce719ea45615709b0f3a6414c4bbc6f8274285e266fc2cb8e9905ba1c2e

SHA512
2998c6aa30f07cdb650764ef1118a2c3142cdeb3684a8a35f766e0357aef9895eb0d3226e7b4fc9ca64780cd82d21819088b86d330d429a2cf26db9c956cf1d7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7eff6b879b71312dbc74af59b2f665af

SHA1
ff1dc1ffeaee5327d70bd67ef8de6ea60a68904a

SHA256
d284c3b7423b3399a008b74bcb8d102adc8229d2d8d8406d4c97785cc825934a

SHA512
adbbdb36960036cb4d888af70862bc024be99d438faaca74aafeae7d081dff13ad526b39c627ed5a69d3b48b50256ef7cfcaafa18ea2680dbeb198f7d56f133c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c89389eba6d1d70222b31eea05f69ee5

SHA1
e6cd48c94470a34d1f277f15d227141ad7b628fe

SHA256
1836579d7002cc930050d1b5347c5f7baabca3b41785813e96dcc744c990ee24

SHA512
0c4aafb9d204d9bc4e660d3c04b3bbf7f719ac42164a9f591913371b4ed4e9518627d8b21d30ece0aed701022dee7c38df1657214a0ab9622cb24e654a155c02

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3d80f916f75944d10c26d7d85178f213

SHA1
7bdb8a37c1f4b6fbcebbbc71af2335fcc52f5e22

SHA256
4feb4a8c3e0fc663e1dd6b77afed717f55153f67af8639f035b4dbdc93848df9

SHA512
440b74377e3a6daf1c95a7a9561dfbcd9a0548804cb3d03d25eb8211894b9a49a06f01edd06506a19810dee8ee89fadf7a2a7b19e2be13899df2fcff2e5f1279

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0b5839e2982368d40c158f912ac5b1c4

SHA1
2851bd0582120cf8b89dbaed1751ca5c8883cd7d

SHA256
c4b60f22094c9b4a04ede0d3b7c8b0bad3f07c8e8f7d6a001209c4b4dd4c5824

SHA512
514ff156a27e3e2995f200c3acec56ccdd43f66e3d6ae2d2a717e6320c47e67e8778e2122c552e66621bcdf5ede28c038c184ceb69a7d0765ef0bc98b20fe5db

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
24bd4fd844deeaabcb2f779b59960e75

SHA1
a9be3781b0abb7752806f3175704b9582c14be16

SHA256
d14c36617c89b9901fb9a9f322de2ab5f36d0f63e2679e95dceb2d5abcdf2b25

SHA512
cfbe0ae088ceedf58b87a8d92124f6e0d8458ed94fd641558d04c6e0855e86216fac89e208b39a52b051060d5543bd586bdd3b6b4fa8f9440ffd76be480ca1eb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
abb05c9cf653cdb51e5858f4ba12ba73

SHA1
82fe3703955dd2b9fbb7e70d7feb27dac674bae9

SHA256
8451040d40ac199b7aa91c58016b51da95f91dcb9e938974936b2e1f5269bd80

SHA512
66491c518ab70dd297f1db3c407da203569c12835d1828bc9c777d5da971b6ceebc1c5cef49bc7e6723bde919d70bb64313003d6980633e1d127955c2d682771

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5dfd982c30dcf430bfb0bcf05ce59f54

SHA1
151f3a3557aa35b50fbf84dbd2fae89d16499751

SHA256
d07e8c89c7ae85c7d1956a3af084c427504c51c811a2a4b32738b57e604024db

SHA512
c6da87653d23b81857b9817edabe674558ea67605d8d9419f8f5a30af04eb212870943e7e10f42ea06535ebc246890e29a1394a758091fb5e6a209e4ac840a07

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
011f9855c150f4d88f1d055af83781e8

SHA1
5aec18a6faee035de2fe6ca1e40433ea813b487a

SHA256
cd88edd9a1da0d862c154f5c01e3d4e714b21d777ac7c75581eefd9153de3e89

SHA512
819deb4e71c02c256f94a3314d0ca878e6e582bbf64402c84cd5389ab909f1015a2f5c4dfbdc9f36f894c20483d44039cef04e117078018bfaea7e19c3850041

Download Submit
memory/116-522-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/116-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/940-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/940-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1852-416-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1852-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2352-248-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2352-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2616-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2616-515-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2692-1-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/2692-8-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/2692-25-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2692-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2720-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2720-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2720-34-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2720-40-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2740-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2740-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2740-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2740-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2740-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3272-497-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3272-298-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3376-521-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3376-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3468-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-498-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3524-278-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3524-271-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/3524-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3656-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3656-524-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3708-242-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3708-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3708-53-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3708-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3792-526-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3792-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3976-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3976-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4372-264-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4372-258-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4372-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4372-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4504-243-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4504-67-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4504-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4504-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4572-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4572-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4824-520-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4824-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4828-238-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4828-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4828-28-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4828-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4896-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4896-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5020-516-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5020-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download