03e82ed87fa381afefea61c3b6472caeecb08c5ecc72c51000b10189945abfed

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe
Size

677KB
MD5

2c0f1cf3e17e31084bcef9a80896b871
SHA1

dff4754c732ddefbfd3246826e49a299794bedb2
SHA256

03e82ed87fa381afefea61c3b6472caeecb08c5ecc72c51000b10189945abfed
SHA512

e75d4c02927131d1dfa32d035391b7e4b6597e738a1e2eaea171af4988fcb8e3e9753e001f7a7b5f1d89544343999f1470522f0b73c407d75ad8c36b33af2547
SSDEEP

12288:OvXk1TJKQ1uBeAMlwesHU8wqy2VYCIbvpOBlU1RlgIDMCZgjtGlxHZ9/I:yk1Q1SwPHU8X31PfU17DhZy0lxHZ9/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4232	alg.exe
544	DiagnosticsHub.StandardCollector.Service.exe
1184	elevation_service.exe
2744	fxssvc.exe
4812	elevation_service.exe
4616	maintenanceservice.exe
1824	OSE.EXE
2616	msdtc.exe
516	PerceptionSimulationService.exe
3916	perfhost.exe
2224	locator.exe
4656	SensorDataService.exe
4640	snmptrap.exe
4116	spectrum.exe
4348	ssh-agent.exe
1716	TieringEngineService.exe
1436	AgentService.exe
3216	vds.exe
4904	vssvc.exe
2300	wbengine.exe
980	WmiApSrv.exe
4332	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\959760777489627c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0C98199E-BC2E-4534-8EDF-DBB11EF8974F}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018876681119eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038771581119eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d2ae880119eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004106a380119eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e67c480119eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008817f480119eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072419e80119eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
1184	elevation_service.exe
1184	elevation_service.exe
1184	elevation_service.exe
1184	elevation_service.exe
1184	elevation_service.exe
1184	elevation_service.exe
1184	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4172	2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe
Token: SeAuditPrivilege	2744	fxssvc.exe
Token: SeDebugPrivilege	544	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1184	elevation_service.exe
Token: SeRestorePrivilege	1716	TieringEngineService.exe
Token: SeManageVolumePrivilege	1716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1436	AgentService.exe
Token: SeBackupPrivilege	4904	vssvc.exe
Token: SeRestorePrivilege	4904	vssvc.exe
Token: SeAuditPrivilege	4904	vssvc.exe
Token: SeBackupPrivilege	2300	wbengine.exe
Token: SeRestorePrivilege	2300	wbengine.exe
Token: SeSecurityPrivilege	2300	wbengine.exe
Token: 33	4332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4332	SearchIndexer.exe
Token: SeDebugPrivilege	1184	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4840	4332	SearchIndexer.exe	129
PID 4332 wrote to memory of 4840	4332	SearchIndexer.exe	129
PID 4332 wrote to memory of 1944	4332	SearchIndexer.exe	130
PID 4332 wrote to memory of 1944	4332	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_2c0f1cf3e17e31084bcef9a80896b871_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2400

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2616

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4656

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4840
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
639ce1741491d8d4dd1c66f65190f693

SHA1
0f63178a3bf765a9eb14161bdfa3a6247b44e1c3

SHA256
94642ebb5634ecc8aabc9a8de4d6ee65aecabfd7280c11402f2ff4665dd89134

SHA512
71f5b232b0279f5243f32af9ce24e81f443f57233294047bc7ded0e109f1ae2913abf5d25badfdc11c0fc13bd1a30f4fc2d6178cf1194f29621d38c7445eee6e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
85b68522335780abdbbc9309e42beae5

SHA1
16c36795d54411e54ffa47dbfc0f8f5261085bda

SHA256
0e15f49f97a07d407e3bf0224071150f6ca7400e20663824e03cfe3ab388fb61

SHA512
1ed310521b691159c63c9022ac1c3296b4735e133d11d3a510061248fe256311f7acf687c50bff2caa9675dbfe66a872b99148da5917300141dcf7f148be2e75

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
54cd45b11b18b1466dc82e3d90a90492

SHA1
d5e4c7efe4f7e95092912d5123c356554c3a795c

SHA256
ad8ed90258e8ffcfd09afa87fdb7f43c76a0b8169e23cea5c81a85b46ce3f2e2

SHA512
d1ea193999028153f6460f507f128375d718c0edc7bd310cd42dd57215147371c914460006a82bdaf88d253533de4e48db093ab3243b308155bb9f797cb3ea47

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9e3a3e179ed8ce210fce4e04058db5ad

SHA1
70e727892195e66e15ddf772653cb5f8f557d66c

SHA256
d677ec4e6ee03af24ef7f375e9c77b3f1c8d3dd1fb1c9bda914c328c8ce1260b

SHA512
560538d104917d3e4133494cc284265d0c267ff29f0e58377c6220e4de75151e265de5c9d0ac8f1edfc21af3043d4ca2abccd64648fd80346b85abfc0bfe3518

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
659dafef090b0da88cf650b72324fb26

SHA1
dc119a4b3d9888b0f1c0ee5377800a0d607399fa

SHA256
23c231fc773e69aeffd973d6823567f8342e270b97b6a4104e22fdb5569baf17

SHA512
18ea6d201697eb8e8f23ae1cc32cbec502fe19be9c7bbcda7f285095f9d855ede0ddc408b12648cffe20b5d7e436c0d84616992b419bb46b1f8a447979c0c273

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
eb5043c7f87053726737f2cfb6aba8d7

SHA1
e276fd9f694b6312c53f3aa44ac623915dfc1b43

SHA256
ecbab1cfb46006e75582fae058fb0b5b44976cd28a4673f33416b440f7503149

SHA512
5270ecad0a06cd00ae4cd1eeab5db5ee7c59433170d998e22aea1b28ca4b900bbfe18c456ef003791fe4f1db308888b9f6e00274d45619d17a20c6adc53ec51d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
12dd2f139f3531bbc376906f31bd913d

SHA1
8832b108ffa0a49d71b0d0b19e68dd30cf6a1802

SHA256
7b3c133a4f47ed3a64cc114b9d75436b14824f67770a7af72d1b02ac9857203d

SHA512
bdf40d94c46aa2eaae45cfe2ed185a87b8e8355e85a27fcf9296d1b50f6b0ce9a03706332c2258d242992ea3b7db8e4095622b8c5f4b7c1b80c95b405db8d7b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
10ddc24d240833d7b77ded6bb3e344ec

SHA1
757d3243dfa7158a6f6f990ccdee6851e4890eb6

SHA256
0c5645a5e64616d918fbf40ed9677a74948faff3a8d4196a237d668a7674b01e

SHA512
bde8bffc52d6eb2b149edffab50c1cdbafb17da2e01d1454859983ed250599e4029512aa15e3cb3cc3ebcec5bb5d36ca2731d3738645e96d10d65b344ccdfcdd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
092cde1f30bfe287c08116bc9b8813fa

SHA1
126db723c4972738fef970917b1cebd3396d1531

SHA256
875d71115f09401327e5a7e527b3984e6893a14b400f73c36b7f8d71d8f4fc72

SHA512
c967f6235758daf31b9f4d84fafebb8d2d151d901a806c93bb4d07a5ed65df21b97df2e599f56241d307a32f9cb7fd8169588dfa603390f9ce9ec2a6505b22f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
824a18e4cccb468d8dbce28dce4a5846

SHA1
062d89bd500e769f1cc27666838664ad814ccccf

SHA256
2fa4afe9cd168b03881bf2785a58797177070dcfb50cf8a9e5a73370e28b04ac

SHA512
c2cad05e91f23f45b5cbfc1639936f5612b5d9760de5e7223af97c2167c53322a705cdf20157de179edf5b8a680923eebb7313d71a92c20be42ee15779917dcb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cfd411323a768872c68ee386bc6cb854

SHA1
44c9784deede5d2c28bb74595c7da86fa5a0092f

SHA256
25e3d1592ca8e8ed669dcaf8eecbd9cc93fb6b967861e8d3b325587373fece40

SHA512
b43084611dd54a1defa30a9f40d8301cdf9868922ead854fb589f1e5716108ff5d0e2536abd7ca94c2a920904bb6f781f14d7c54fb27bedd41707b7c2ade9f36

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ab9319a96ff83a9a9517ca460428ce53

SHA1
5a8b05cdbea826e3d4567763c35f558e2fd04144

SHA256
94e1e2e6a4138767904e86cb7cc9d8f3f2ee316b292c30e03163c95da556ef7c

SHA512
dd903bfdcf813914b8473ad251d36a0269823e2b8749c8293f71702c04930634c37ce6637510d5e80da737dd7ae7a7ee47108370965158f05b2fd33eb74a4ce6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
85daa784add3b88b8b590e9e888fe366

SHA1
a979c324f242ac41b1c191c0d1ac7c571662614c

SHA256
dbe42035b81cf592e02dae4b2a9e4575d6751a25517775f318fbccd1707f4791

SHA512
dd712ae5ee2fed38d4fca3c18e3b20f28b1e5d6542f7d693334b8152ac5d36d7f9f234e32b30e068ed6544bc792a9abf1d45891390578ec3b2e9133c56533ec1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
15410c4d576a285e8dcc2a5195ba26d0

SHA1
ff7a347021dc63d8c0aaf2a915b7cf59bafb9f79

SHA256
cffa0defac5ec3ce7b8821ff411c639134a53909cec155d5b6d736797b8e4d17

SHA512
eb088e1161503ea504c532845cc2ca3f9666377f0907c3035570fb560aa37b14a1dea66d87c69432cdd60404b9c55f4a22a3e056680b7e02e80022b768fa8ff0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
16586b41f34a42af36970f2760551d78

SHA1
5c9bbb784ff9a18683223bc061d307699cac394a

SHA256
df5cf4253c7736529d1c84511a148b10cc2557e9c07f346e102957a44e69791f

SHA512
5a152f27f5868b9b1e2a6bbfae9225e9bad0e054df4707b83be40805b5e588e907a03a099dc4760849ee6bd1ad6f6ce3043c068faf26af3e18027f7779c01c2d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
f22fb3406b6e0b739ffccc896c6585c9

SHA1
d5db267a891aac6a68526e85e2432bc5a56765b1

SHA256
6fd22f4ef44b5fe72d69e47fb1e237a496f297240e21039fcc083c2041224049

SHA512
c26fadd8d36d027769f520d92c8cad3d7eda06e96b05bbe3243d89d0e90bde258c6a8172e7cac8b5fbd5645e26c4cde7528f6d4bb7428ab4f223a4da701c234b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
65736fb031766aefc4fdb51dc75f158f

SHA1
16a2d72e10daf50c0e06f7f44961373706c34ab1

SHA256
66f75f423b14aca6c0ce0aa8bc832f45ab1550d9931a9e8644c29e917d4754fd

SHA512
04c65684f0902c760574e17cd6739007f4a4b77686b96699e93f0371da28f70841d0c5bbbbbb333e59a7fb9b13d1072c85013360f29b9307383816ab5ba34ab5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
da8af1905acd755f993229ba61951abd

SHA1
e2b2d2d22aa4b8b0cbf68aeb95e719ea1119accb

SHA256
15ac3522dfc57285fbd12debfeaac5bc82fbfaf44d46ecca9edd03c2637aa777

SHA512
d0bb2418e66a7d5ade28117928d752924343d1a669d3645808a035705580e1ebcafcaae6aedaf112a92e4cb72c686f69b12f0f956d5c109c1152a535813da31f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
f91b9c9702d7fcd65c5d88362ee9fbf2

SHA1
972c33dab1b8c538c6fe309d57bf0dac1c624fc4

SHA256
979fafe5e3e0d419857883aa5ecc74a982ace2b927d2d55cc7dbcba2a814c1f5

SHA512
1afcf3dee3b3db777c2b8654718fe97f2b2fc1036c4c4a2e335b435bde0ad695fe5dd58f27e35c55e47b48dde786ad0aeb5d5ebb5bd29c3ca6479910546f3b6c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
5c280387f5d74066d835b5e5d22cd2e1

SHA1
db429890a904791e0f9a8101cf47c9e448baf79e

SHA256
f0510283be296ba49f8b5669d30dd2f6c6c8127debfaceb545ac88eb8b9ad5a2

SHA512
7b5f08ad6c05079f7c656942c553bc300a33b8e8d62867b1897ffdb0a92d7112c24f88bcda51490a564b81367eb1e1cf3e9194d97a103570a5cdd8ca53017805

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
656292d25e83bb3feb764656b12797f6

SHA1
32601feab9b9bff120986d168f6d06f8031cb6a3

SHA256
bd73137cbfa75046bea91c397f270283789304819d0491e3bccb8974a94350d8

SHA512
f7ba476f316644cf8fc79a396133fce10003b9ae32842a53e59bc86da49eabb775dc3f6737963898a1cbfca8bd699f8d3d4c51348f03458d1d045fed12ec1d89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f47a16db610cf40c081b896b9a319c66

SHA1
906e8ee4cb8bf2559fe6a43fa6193c9727e1b55b

SHA256
9d528c9b5db28230b525f2f99a47a731ce7682fae9294c61b756199decb82da4

SHA512
a0d81b8780a4e8fc364c422227c3c1e126103d11de10fd525ca3be6764f2c5b62e1354f91f5e1061835198c8b33e82578c16d5f93e4926b947adf243739cde66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
55900d042aefaa5f2fe3d33a1a2043c6

SHA1
5cde08fa00e0a69b49f9916b304d5f5882c1e6de

SHA256
e3dc3ffcd802b8f87597568e97dc55ee0444495ce091847e1c690a14e9e52ae9

SHA512
dba36be474affb53dd139087fd7de5236ee099231fa7632a6770c4d2b2a9fbcab2b64516162af2b260ece6dd8cd4d0ce17539532edf99ea3153d828fe33aba82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b5b049d432cc5638ae97c6f3389a8a33

SHA1
cffd4369fc4fdea33ad8d98965f4140a23cb1073

SHA256
817a7b43ccd0a0d0c591871f7cd505165de3162e92d6d444d6a5cdde6fa14832

SHA512
2e4f9f892afa848ce2753d1eb8055eaf02eeb66990e7d31a3cc03efd75f0f1a831952b58fa8042cd8af3c0ba606ef5577a58d88839e062ed7b0e2949dfeef3eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
10e39f6c1fa6faef295f7482cce82842

SHA1
c42f52c9d4878b0f6b9e39c2a19fd281998335eb

SHA256
30c8951749f658ed4796c13174a0c5a928bc3c40652b00b937916f457a77355f

SHA512
545ebc649002707dce0532078ffa45b87351bc2e9170d3bffac42d0a3fc38685d0544f994a399585dcdf33d6a79abda543c9ba5f17e88d9a9fdcbea86b308dce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
190e12aadd6d9449491fdc140fe187e2

SHA1
fe2ab012cf8c0507306dce76bb413c0fa6fb4e5f

SHA256
60b6da9a41308151342a95f42e93c9f7c2adefd43c3acced3f92dabd403b7c1c

SHA512
147d2d93f4e11166ee2f956f504fabc2ee08b7246f88808269d558d8b048325ac4a6bed7c4970b9b330f11436bc2eddea385c11a0e17532ec8e7e9652fe7fc12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ff180709980803dd18b366cb067a5a54

SHA1
fbe3689af2b7b70be131ce0f4dc8d4d9205dc8bd

SHA256
5582b2426ca61f96cf9c84ed4304719c8a2f2e503255d4beb85a3a584a13e901

SHA512
1e95304e71da16fa0910a9b3959fb78fc155fd0d202ae8986b3e4d6a1565e94cf17c72deb125e3f403c7a8d70ec4bac67f83140c0a189211219a0729d41c9462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a643e875764d4d6cedefb6856b588cb6

SHA1
0816ce95f8014f6de748a1bb9c587a9dc043d8de

SHA256
e30525f9850006c005c619f8dca5fa55cfc4fab4a438663273cbd4757944ce81

SHA512
cb3f409adbf2cb8e18cab15077b1bd6d2945b2cdaf95eb46426064970abaee68d2f51b8723e433763a23a6a3e6fa055513fdae5861021d775d491902ec2d7848

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
501b20dcf494c1a61091583e2ceda1e8

SHA1
d4294f9e6f420c50331737e729ff7926286bbda6

SHA256
ba14aa17acca92186c485e52484e0905a936fc561150b64be0bfa7b60689b6b0

SHA512
04784e1e6d18eb08a0d1949753763d00ea2b75953c401ca6b7c7758955fc2343754eef6b74b297fbbebd92b3c122762e9980566927fad25beaca7415465e87ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f6410c8a41e38c67ee39797caaced43e

SHA1
3193f6864a9ffe01765d6463428ad069fcc6c28d

SHA256
50ca575749487a497c9db07e595d0ac177637076371d5b558393952c55c625fc

SHA512
59ef4e87db30626be590c96843cde9d9056d195776978f17a6d7e8aff62327849ce46bd7df71632a8c3b95dd276669331e98b8ef7b3227c2f1298d753cbeeca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
25af70ca962d18bcc6873da48ffbb0d2

SHA1
ffda73c9561d008124646fe397796384a79b46da

SHA256
e2fb49eaa180f61ceed3d671e1429e825cbbddbf3c0631bba8d1356038f78fa8

SHA512
47ad3783253cafba49cfdc50fc60ec4c8097072c9fe824d18f5ecfe92bdfa17a213f5ea154721f222ae4803f97b08c8754fa8a7a6f60c1304f39d90d6b4ec624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
aa0b8f0007ba857f4b84f61dcce7614b

SHA1
7536f1c4ebfa2a85b1a3a3f6e2bbaee866737857

SHA256
73c621e1a0660f3374111f130ee237893304614080199aed314e5b18ce5e5ea3

SHA512
b550aff015cadba5977b39d796548443809cace317e935cd4ce26a60a0c98e2ff6435988bc937c1b0aa7a6a110b131e760e3c96b4f40d805404db78575a45683

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c6bd461831551cc837eb1c88d1e77c86

SHA1
a7bef16d202eec4edd7c12daf1724038efd48445

SHA256
9eca189e43b6c0f2aca24a739d97d308e4ed90334b6ef92ca9e3d94abf4b576d

SHA512
732fe0fc9185666598d5bd1e3cf8466e3245356f1fd52d8cfae3e2d9e351945b6536fc9ee03d2431f595712225a363b24140a06cfe78e02e7ba1e07e2ca5d2d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
847e16f99c030caecbab91367787c74b

SHA1
9922bc8b8631e26e753f26bd7ea31f2b25c12f7f

SHA256
f72a573741d379f9522b3a93d3eb9bc69697bfa7acadeaa5741c0373f62ebbb5

SHA512
a5de15601ce95dd7f7245553153b0018b3f5282f559e92932e35b65a8096d5c6f1c3dfd4f7f15f4836b07a939af5e93b4a341210a73069b39d89cf7920d373b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
947f2b596f162076519eeb46b7f9c64b

SHA1
5d6c0d0cad034c770a8382971413a32c3609eaa9

SHA256
f943854410ccc5c8d29a481b790117d4b8c6afb2a1722d0f1be3a37d34a25aca

SHA512
c245e50f5d96298b5024012630dd0bd04e24c589393fc77e81b3eb7e312cf62b4477d569a8c9a2f37e2cbc2b76654bf7723eda80cfd08760dc2626f0377bd5da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c81e4e881662748b9ec2b5dea4d950a8

SHA1
a54ff018e6c624a4ea1b3da50c2361d26a6acc2c

SHA256
6c468852a527fda2aa7a974dcf621e7757b21021af7a86b0ca596f93645bddbe

SHA512
18124097f425d1c4025f725c2440c216e1c2cfd9bb4972d94c96b8fb3d1af653aa3fb857bd937df82880e2d1a34faa9da29941421d14f77cc9164c3d97fb304b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
4a5d94e019e34323707b8183f774938e

SHA1
5ef7852e302acb429bcf2fe34f19c0b0bc2df604

SHA256
e6045c7582cad70c430b45b76ba5a8feca70d696272e0b6c835ec19b1d2df9e1

SHA512
8044bc5eac2ee3a783a9febe16dfba9bd0326d1d6190cf64f1bf9e2aaa0d4cdba418783667ccd5f2a2b844b553813df811a99d6126d16cc1edbbcb6e84397eca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
b4fc403c2c10d015a66f39966354fa91

SHA1
49afdc46722ab7c95a4dbfe47af7457b3a632a92

SHA256
bcdfb993d15042d2d8413f599affc42b8d0e1921d654a7aa1c65f55100b5cf8d

SHA512
864a1a878fb46af426ede02c9e8f1b65ae9ba1551bdc45ce859760d819981e960b893ee0faf90657069255cf57b2807ebf6b1474e3e20d5e2d7f9602b8c77d9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
ce405f3d1a390554865e07b57d3a5593

SHA1
5ee7c856177bfd75852c74dc970a7b31f08d05e0

SHA256
3409caf5d339d36d0701ad7d95731a3e3bcee118f0368af8052c3ae8e25ab771

SHA512
91a6d821bbe78962793d25da80c34f62cb57a31677006952a38f6848d26a15e9c8562ef8ea4510a2afffc1036a00949ae4224537aca1a5910f80e17675aacf9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
3c4f2c66745c9274f120bad78b6c34c4

SHA1
171dc45875a6737f788f7276876971c91c1e9f53

SHA256
c2853bd1bba4fa101bb4e71442bedbf1568bb5247288a704f8320546db649b34

SHA512
bda193340286248a4bf2f9dcb3b75cdd7c39372e7e2248dd8e34e6490dd237978a3423932c726e3666ab0cf075e2e0d9038e7ea7cbf86456a090b6420f35c820

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
96fcc2d9d3c31326c962cb3a0dc5b59b

SHA1
807359bd4e152bdb107117253219aa9c75b68747

SHA256
422c1f399bceb084a3bdf197fec81f610733578f5f76d043b1f47dfd61a35662

SHA512
04a9b66b9c2f9f4b88ef2299e897ed099267f535d94d67a9f738e7bbc3ee7b183bc17daa5243fbfaced370940da0fe1186269a55701ebd2de1feabf436302607

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a2bf854f7a2ac382112ec50b6904ff2d

SHA1
0b6bba656083fcdc1b0721829dcc9f0ed1e6e9b1

SHA256
9b2e5ed8fd2aa2793f3416626c8b2e18ca724bbdaa52fe0d30adbadf53fe31f1

SHA512
90560a73ab92cfaf0b57eae3f1d39cdb018f023f7ef1a8650f572f82e3217562ea9fc642455cb163f35291edb17b0ad751e2687332e5041fc1b444e6cdf37e69

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
27402e3bdf371cd0e05b8801788b9cb7

SHA1
f02e96264f7216a23569c185e2bbc292f8b06c68

SHA256
fb6a8afe27f7e76a3bfc6806faf2bca778a861cc94847b48c3671927740bb255

SHA512
5ed0e5f381d2727923c6763f827c1c77414f1e416593bb6384ad1dea2a84266827c0ab121c628c538e5dac5f713f5daa2116bbdd87b91e07b449f332f92b1e7b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
70f1eeebcb5c6f2a4820f4202fdbf173

SHA1
19525204b8770664157a3ae44c4ffeaf20450a45

SHA256
9b8754349d21d04916ef240fb0e546c53c9d11d6b8c859c37cba7dd6eb1a60c1

SHA512
4e022c476fcc4a091b997be7b07b93b266122c2fbb0c7ee62b48ebbfb19e379fc9aebe7c6cf0681c20b09d37cc7df4daad4efb70751146e288321308469195db

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
94ba8356f15f371225a7ef19b261f6c5

SHA1
cd5cdb43a7455cf1ecb7a08b4850074398ead8d8

SHA256
70b304ce6c13f7d66142fa644f2d79a4c7fee9305870f51d796417020f10f008

SHA512
a25371407f3c8ac17215be49e7d42236c2f4f240aebad917c2a0db250857131daab8649f6a4b2dba63142b497127884f72f5eb41a11d88a7d0dd52018f3a30ee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
35248fe1bae2cfa1c44aee25169d952f

SHA1
48fd3af674e6e89cefccff75fac133349eb09a41

SHA256
49485064e893ba4db3267a2aba323f409b1961d8e95e93c2324dcb0d0ba76abc

SHA512
2e0538a5062ba3d98285f2fdea3a4a880bb14d2bc3d92b89a4c96d84e4211dd13562a80c8cadb02118897e432bd2eba74027c2aa49edbc620dcc7b6f59c5a592

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4c21b0a1e974a282a4895d8d7b128080

SHA1
f4e7cebeac0a3fba7f17e29dfabb395d20015a71

SHA256
66d8e5958eb7538a5b34e8d748524196435f42051bb66ef330939cc0e5946a97

SHA512
c054e6800a3b14885f30b557951fd45ec5ae2a716093e8dc1d093f6e734edaa3b9e70c6460f585f20844e14af7811d81442ff45103f061a88101c90d70229c4d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fb75cac20822d88f27b9a233cce66bd1

SHA1
18c1ef6778195cb22f05eb1d78401e9e2669961d

SHA256
149812194b2207b59ba9b368db438e36e50e2dddbc9726aab515fd29c1193b15

SHA512
4b321d41d41d3f956058eaf0741d913467d8b19dda9779c5a2e3c5baa8e7e8ead7d4ef15eab5ceca2bc1d37a718def17e09565131920d94b14addbab688f0e14

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
325e9ba9cbcf7931f3c87c2111c7d736

SHA1
ce6450cacb8b8409e2326dfe0b53beddd603de2e

SHA256
e6d0d9a93e1dc8b43a7eef66e339dc500d1942e1ce2afb54906cde1178c88202

SHA512
3221b011442139d69df3a77710b54294301f16d24afd299d4cebf84c3e9b349d82e674f522b46af698f283008e15003442c88ac3e0f4e64344f572a8279f29eb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d1a006020158432fea5e50fd780a718b

SHA1
66c1b2d383be4e1b3c95e7e6a23944288b04b76e

SHA256
b994796b9bdf7c36fb60a74b39cbbc3e30a138be965289ab9e237182bdd95144

SHA512
33bc23cc765231fd9ed947aa48871ea96832b0c8ce76ce35590648c27130d96e38a5850c9e65acf806ee4e681f60997a30b6bc1b888cdf6c452956827fd24795

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
aa5c0a76a56be3f3c7e67a80a134a581

SHA1
59436b8bbac650acbfb73be23e80e2bb697580d3

SHA256
b56b98f4a590b1a2d34e07b8d4af2bd4f255f02c2348d4e8ed6fe397bc9927a2

SHA512
6570eda2c52fcd6f194c3ede27cedd01934dfebbba5fe5d43c591e4df2a03e98f13411dbfe069abffa3572281c9960d8ff4bd301b62253a98ad989d83925fa47

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aa3555d849f26d1fe0527e39be4caebf

SHA1
55f0f650e0299b49437ea78cecdd94024c699b7d

SHA256
ee73f086ac075acc71fdf9cc66cd4254908673fc4d8a3a67eac802acf4d4bfb4

SHA512
b44fa7ff579b4fdc6d206cd1382a45fa5c6fbb2875a7866b0f1937757cf25e77630904f77872c49c7433e483bc63ecc67e8deb2ec34286120c97e5faba5cb496

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e8335d3d08acd336475047e37f453fbb

SHA1
36ed944f5da0ff7ebdc4f427bd78eed5092fd7cc

SHA256
fefd37a43bd320ea49aa524b372825be92dd3ee0f8670bd1256c7ee70fcf7cf3

SHA512
a0efbb2e7f15ab6b41d741bff5b02dfb3549426961302f3d34036a82b73d076eb1fc107b3935ebb6045feb9320e8b38ed0b16f0c04a2ab6de1b0262e251a510f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
080b730fe368268acc67929ebaf5b777

SHA1
b0fc326d4f1c58516d20bead9e10314d6a4c6115

SHA256
6ce73830d50d2453cd25c68babcdcd5dceaa8c7d5c2d496668a657b7d50f244e

SHA512
3a491706050ae48c900c642b48158bc996c527338c5c976467b0955554466322a6d100fbabc1b20f14589665e86b1d5eab946eea6f7a583a32305c2cacd348e5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a7dcf503bee2e48ad1da8a7e1a663c24

SHA1
b00459067064e20a9544b8ea94ed0fcde4989b39

SHA256
a421a31dbc7a18240be85fc8e8dc664b613ad828bdcd653be2d0325a01156288

SHA512
cf12d582799f6232f39f472d10039745ad1b7d1ee6e18bf7a61593234acfe407490f4739bb5ae3b9fa97417a703f53b73f9cb0b6659801d1d9004e5eefcbd0dd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e1cbc13da2a9191ac66caccecd63c078

SHA1
a5494173cce37f371c3bba126f1d5bb1b04cf804

SHA256
7bd47de8ac54cedf6645adf202e408f3e70fa24373b9db31832ec659a188355f

SHA512
e1761a5b135bb0f0c0ba023ecd09210c6151a08b09fe047ac884de71efdd422c4cc39a1767c191af3bd23b13e4d5e3af83e493b73d0414a92e4eaa95dd825aad

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6b5c02d6dc7e4dbc6bef5d96e9b8fac3

SHA1
e9c19691f6e3c3e7ad0c1baf6ff596f3c324bbde

SHA256
b558dff1541d1fbf0c3777904322a0382c128ff13009f89700cd7773c4b467d2

SHA512
7d047785be1919326d0b74734528f7d5015ae5ec8cb611b202ebcf2ea0804f619502b34b81dd8b5c6fe92388026cf0e7467a6ebe70221bc7a53bcda0d55bd908

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
46465a4fc5be21e7026b526aad7fdf36

SHA1
7a37807671db93d35540c66c94a5b40621aa14ef

SHA256
b4f3ab58bfbf9579663029e1dd3cff87c5310364eba712792da01433e7c8ed06

SHA512
3b8376b97873ec2270a7172c883940e0c275ab16cd2f990f64730efdbe857d159885d8e3b124efc9e1aca75a8e95bbd712e16fbe4b41775e3f9329cc9619c56c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
efc1861a8c7c4e5d404d2468bfcb1910

SHA1
83153742a88cb6958b061bf0b4c84e11df6f167a

SHA256
ab180c4f8c8f204043754f90ec351769202f51f989366f3ad1fdb3cbf00dc9f6

SHA512
1a24878118c60cee91b97df8c318cc6336e18403b80afafa6f31fef0924ab0f273aa1d1dde5e9c9d5195c05de089519ba146d5dc8092dbe2fbb928ced6fa3293

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
05ee9570d7435ca6ba58fe3c8ee909a3

SHA1
cc39ace299e3e17f7282c840ae2c2d2860f94ea1

SHA256
f19e91176ad89269416694b8158d06f7dbe0235cb9a1cd4bd9d7f37250202905

SHA512
9b9db4a31748bc58b4c7f9225250e608e7954e5b7cb2c258bfced0e2021e1f63aca417aecaed7e17b328a6912cb038bc6825da8c87892c32118b717355cd4816

Download Submit
memory/516-323-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/516-259-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/516-264-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/516-255-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/544-23-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/544-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/544-17-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/544-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/980-331-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/980-453-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1184-41-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1184-34-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1184-35-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1184-242-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1436-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1436-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1716-447-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1716-312-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1824-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1824-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1824-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2224-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2300-452-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2300-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2616-251-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2616-319-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2744-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2744-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3216-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3216-450-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3916-327-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3916-271-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3916-269-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4116-289-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4116-444-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4172-8-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/4172-1-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/4172-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4172-32-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4232-240-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4232-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4332-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4332-336-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4348-446-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4348-301-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4616-71-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4616-66-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4616-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4616-60-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4616-59-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4640-411-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4640-286-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4656-335-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4812-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4812-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4812-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4812-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4904-451-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4904-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download