400c524893ce36783ce8772a5ff6cb7575e82c567228579679ef26e86ad37dd1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe
Size

677KB
MD5

8e9126474d3da93e100d9ae3310dc6d5
SHA1

9ca33250eab622c85f5b5002568a298128a6854e
SHA256

400c524893ce36783ce8772a5ff6cb7575e82c567228579679ef26e86ad37dd1
SHA512

44b0d80d9807848ac2ec81d7cd92ddde3b31b3f6e601638be847238fa01de411a3443ecf4adf303c637b8ca01ffda671f7a91e715b8eb41763b1d167faa71a71
SSDEEP

12288:4vXk1zvlnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:8k17l11tmlNQ2OnBdFQtP51llPup33kT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4796	alg.exe
2496	DiagnosticsHub.StandardCollector.Service.exe
1636	fxssvc.exe
4992	elevation_service.exe
4540	elevation_service.exe
1004	maintenanceservice.exe
2804	OSE.EXE
4604	msdtc.exe
3076	PerceptionSimulationService.exe
4352	perfhost.exe
3804	locator.exe
3700	SensorDataService.exe
1820	snmptrap.exe
1404	spectrum.exe
1128	ssh-agent.exe
2176	TieringEngineService.exe
4312	AgentService.exe
3872	vds.exe
5076	vssvc.exe
1040	wbengine.exe
428	WmiApSrv.exe
5084	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4065789d92be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a0cd546ffaada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d0e9746ffaada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f395de46ffaada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1685347ffaada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d95cc446ffaada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d572147ffaada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2496	DiagnosticsHub.StandardCollector.Service.exe
2496	DiagnosticsHub.StandardCollector.Service.exe
2496	DiagnosticsHub.StandardCollector.Service.exe
2496	DiagnosticsHub.StandardCollector.Service.exe
2496	DiagnosticsHub.StandardCollector.Service.exe
2496	DiagnosticsHub.StandardCollector.Service.exe
2496	DiagnosticsHub.StandardCollector.Service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe
4992	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4848	2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe
Token: SeAuditPrivilege	1636	fxssvc.exe
Token: SeDebugPrivilege	2496	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4992	elevation_service.exe
Token: SeRestorePrivilege	2176	TieringEngineService.exe
Token: SeManageVolumePrivilege	2176	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4312	AgentService.exe
Token: SeBackupPrivilege	5076	vssvc.exe
Token: SeRestorePrivilege	5076	vssvc.exe
Token: SeAuditPrivilege	5076	vssvc.exe
Token: SeBackupPrivilege	1040	wbengine.exe
Token: SeRestorePrivilege	1040	wbengine.exe
Token: SeSecurityPrivilege	1040	wbengine.exe
Token: 33	5084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeDebugPrivilege	4992	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4268	5084	SearchIndexer.exe	125
PID 5084 wrote to memory of 4268	5084	SearchIndexer.exe	125
PID 5084 wrote to memory of 3832	5084	SearchIndexer.exe	126
PID 5084 wrote to memory of 3832	5084	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_8e9126474d3da93e100d9ae3310dc6d5_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4604

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3700

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2940

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:428

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4268
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f8bced4e59f2195b83ce4b4088c34e8a

SHA1
4ac44deb06d65a90b8a5af584ed1dfe1047cddf8

SHA256
870d0ed9369a72e4feba4ecb158388fafed5c6243df15c64e3e326dd47fbe994

SHA512
fd17295a278e90793c85620c90075e37ae3cf694f6a83b885b8f3372d9aedbad010e5cf909bcb86a7c1d0481ed33d6deb2ef8ffba4e8a1721d06e2e98a828be8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
64423031ec69fba9ee5fdb1f25a1bdf6

SHA1
6bcfa4efb581814706750ef02e20301a17318669

SHA256
cad6523b7a4fc8e122c4c3a12da256cb987c311b3757f489afc2100c53531382

SHA512
9affd0ce90fe49dad3ae1026f3d36eb911ffa70192a71e02e4bca3b60b11f2301ffc8661f2d5b2008cdf51b12bc7ccf5e3ccdaede06613c1434ebd52621dd5b4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
72478a2e4044d5110683a40bbdf3c874

SHA1
0255eb9c3c94e23a64e51bd24ba0c885e8dd796a

SHA256
cc96151fa5a2d7b3ced101e63e712ae64ff3422c2e594c65bf3ae0cd65551a90

SHA512
e16ac316d30d64ca626644a951d0ca51eb247ab908141c6e342af8e46287b5f7cc254c169ae82721aa3a8a5a9236527565e8442dffbd7df2b2de7b56677f7815

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a05695c3aae58d82bd60afa4c67a441e

SHA1
e55d02e893e4d47f0bf0e2cefab2dae6f0ae49c6

SHA256
1e44832d22de47132b3d7a3b2357798db9fcb1878b2557231420316acd18849e

SHA512
8147055327c81b98035ff3c6e50c128ae31b37b4e5d4c805410a3d46d150ec591100e39035ad36ed73e8a32e05f5e1b206dbbc1de0490b2a21fd481781a7d4a4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d06a476fdd64435ce6f4a72987b6da11

SHA1
f5d83a85a7d6dc7e052340f9e6a55d1f78f96179

SHA256
b3a57da92ac81c6264c8e59c00c784afeb4c6ea405bd7736bb146d7f64f72acc

SHA512
5fbd17f82de1bdedd6838ef931ad4836c61a5582f43c34a8aec8b2cd242e5bc56869fc94168ba3ff736bd67d97f728918e9a163caead6383f4f678b9749a022f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4ebd7f75423be4cd9d531016290baf27

SHA1
00ac6bbcae5ad2cc8e51d2424f1332b44c0e6feb

SHA256
2558eea2e54566cc52dbb74bca772ce438f34c11f47c2622934a565badaea55a

SHA512
2215db3c8d9eaee32ffcff78993f15423ec2ac573aa7995846b937a79615bbed785e1aa173c9ececef1f8c49d0f086e18a6821a8d2e14b05a16f8116cd6cf1bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c42e3e549200149cbc45dbb0ea4cc9b2

SHA1
a937d0f172da0a850c5d7f4802ae3cb4968f54c0

SHA256
a67babdbe4c0240b72c87275fbf0d5584f2467bd647fcdb4353e671012e6b22d

SHA512
91e93bbfa7d1693e6007e8abd80eab579abc964e3bd54e4793e4bd765cc8709482c93627c76e51dd791d3913c8f309734aa4808cdd29d463470900bc5e15e1cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
14320a52529a704d5e9c53d144297c3e

SHA1
272a44d13be011ca3d04c1c5527e7ea359fcbd5b

SHA256
59f766477924099b174f7dafe9e66d8e431c806130e01688bb6f9bdc90178ade

SHA512
f7169692a28dbb32c817849e2f7210b539f375556da031f93a9abe8c08bff7c77ca158aaf7398504f5d687ac2df5cdd311b0fe5f9f626a6424c4a2cc9dda9e87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
431ed24428edcb2820cd8663c36c3527

SHA1
df8952c426760903bdc918160ca488fb6e3bcf08

SHA256
132319fc345cec7a40920a77c03d0eecf8e3de858eaf09597c50b51713b69275

SHA512
cd341f423005de80da9255b0bb6d537af5459b8ed13ab5f10b47024ac2ebe8ad48c9821de8873e6794faa84d6ee3e6794ac5aa317b2410e499a6be024f519ae5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5f431af3728a14509ca9ad2dbd71b220

SHA1
90245d390e117674c91258aaebfffe1fe2402a02

SHA256
396e4c838ff9d386f418b47cea39fac033f8d3cb0730054ef54620cb6a28f078

SHA512
3512e25f243619aae6f042ff8051563198d826ba0f77447d649af6e12f1897ad9c4c5163a3953cb30b9dcb98707940d14a90eecc0c9024355c8165c32d3c9e0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
88babb30ef0c74a4bc9dbc3534aaad65

SHA1
e6f0741f490e2509b6a77edd943f22f38f65f454

SHA256
401ccde18579a91d7dcb8d609a138dacc9104987aca4f58575e3722c592c1ad7

SHA512
2086494fbea6fbeb482a70847bf7c90daa58239f3e19af4bc7a013a6714af074fd7971ebc0ace619d272b0e8e1854faa6cdd02d3f80d9faf771f9a5f88ae1742

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1b612dca4ed9512b3f771f01007b6c01

SHA1
bad84357058e17c3c1d6422e4e2cf3b03bda334d

SHA256
3b8e6857dda8ef397e7d646d591a166831ecf2f4c23ce04b1e984ce5fc9abdba

SHA512
e874e28aaf02710c2bf214ff20545a4c7bcebb2166f8d408cdacd357d19662c6275b74e87e79fd8c809ee19f69e216625367c242cbef4850cf56cc3cb4aa0a16

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
910c87bfd033cbff9593eeb36fc313ca

SHA1
4782e691bd86b8667ea9b1122a1aad2c86295dc2

SHA256
2958542234ba344e3e82f4767f0838c69febbd6443a8b60bbe05695dbafec86d

SHA512
0289d6d5530c22f4f2887a6de46ea2c49335a6e89159734a39b6b3d49dc3f51164eeba4a59b7ab2616791be751f9887f884162c4dee8cd79a03a053bde5f02d6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f9494624a15487dfc224a008a0456b34

SHA1
367464c642effc94e53f89f40073af6d081b5740

SHA256
80e12c3c29158fa8a068b5f218152e3a84db5d9559165462f9d4f372dcd65e15

SHA512
506ba9c63fcf145bcc4ce2adf39428be69694294cf26da786fdacb5e6e05e1c20cc70153670b9cfef725391a974531f2096bd828b7ceb5502c952b5e04ee3705

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
98b2514b8636ba7b17753ffcb67ff17f

SHA1
6a6f9342670cb84117d1e5098d09f8a55070854c

SHA256
eff2a31498921436f54b4ce82eb020cbd342d0592db95d6d58e6a0558e123f43

SHA512
229ef47dc2a99a623eb990c2b01564b810376f9be1a04aaac5cc3af7b4fd9acc153e257872d34515f885765d5f041e299212e68b9d2d8fd622f9dd6579244bdc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8173ace650be04f5f359fdeb89ba9326

SHA1
04d87ff4b6f43660010111885f0235890d97d4cb

SHA256
11eacfc93bb5bb88774f2e5dfbbda2defc5cc80118d9e951887c25cbf1509e0e

SHA512
904775f2d4a00d5d69e634cb3ab4d74e5097f02a7d561131e593af045b367687e0087b747d938c6551efccc06ee6ca267b92e1f1dc8f5a189b9b2b6be2b4af13

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c73c7cfcb09052b58dc798060d6fec05

SHA1
3174e4ce42cc653d08d03ae2a0806fac56e13461

SHA256
d54ffadc5647d8d53a298b9c871896810b48f497cffd4a0040d6a80777a852a8

SHA512
972759d66f8775040bf48ad341b1232d0f3bb82d956c782d22883dc0af50ab15a391f42a7ee9c33b779225690d1c57b857428228bd7e7e8e1849702adb377c41

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3535e4749b4234b4e779d0f0820b7842

SHA1
f7a66b8ecb3ce3c2baadc7ba6e6a45bf2acd4013

SHA256
621bfd56a88fed88b835eaec1d3867ee614793597a8428950eaaec0ff40cd8e0

SHA512
03a586a676d0622e5cecc7b5683c1b4417c8890171e639ea07b4d54551cf5c116684a5bc03c1b7c2f5f24fb7e2ca04fe12672f0b5f01d5b26f39647ff9323cb8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b81af7be4b54dcade4d7ed63afca396e

SHA1
4bc5d58ff926bd872c73c18d62bd1c81289f33ab

SHA256
613ab7c8e012d94afb904712a27f22b196f08e249e0a5483fc81a58e248e3bd8

SHA512
5974a5b63cc88bbe35e1cfaf3e9dabe9ef9560a1bd30e409bafae2a7f807755346a2eedb48353229509b14e6433fae6176d53ca305f8ff246ed32ca9ac905c13

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3a682bbfd0bce3b0c2f9c7730e3127dd

SHA1
77f1a4b47684b3b47314380186779dd0fdc2a038

SHA256
d765c393235fde8f45cdd8498500913013289ee2e97d527300d903450794fc7f

SHA512
1c9320d6dd005fb09f04678fb7ffecbb43601f224aa7bb8956ff51023cb4ef405a2b7515b66598f2524d7188328e4aa45aaeaf59325b58b64c3040b8016c3685

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
cb1de49ef51f23ac30ea687520dfc7e7

SHA1
72628c1215be0207c75014fdc1332d9844dbf5aa

SHA256
45ffc3a37b3b93c4bc9d4c3b7931394908ca192c954e85a2efa862aad134d415

SHA512
3003803e7280b523f6f2cce49de0af86c4fbadd4955088a17b8dc5d5c601d101efd511c7715db009569abe3937ea6e87fdd85ca1829b371b4a2bd49155f16c0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
73942bb507315b32d6b4f22f99b89e19

SHA1
22b798f0e19340103ae47389512e02efc0a03202

SHA256
211c8c08c0307154db75cb2556f4adca0a05004e37eff615466882d8a7bb5da6

SHA512
0eb6d789dca72d05b67d4dcc396323c1fb22a07e6d8c189cfc035d79ab73a2d067b92c5e5bbaaa80c64fd14a4e9d7602f036ad72962d17f61cb3b31f9d0bcb2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6a1fc6d8a93e6b5a8b287310e8f4ae16

SHA1
9901a88214c544109ce90a7a5b5d4e773e624d6d

SHA256
a5eadf23d9235455eeb85581895f47385423c29c87741588d19fd525066ea428

SHA512
da177efdca5085f7566ff450f6c93a582c2d6b686a87853a5b604baff45a1d280bf725ef51d87901b0648b75c6530077c244bb2cef429a12bbaf8be5dee836ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
77d03dcfe61a71caecada5f369aad679

SHA1
2f995eedeafd1d7cec58e937c09aca1f4a59a06f

SHA256
275ec06c6cd4ac3b659e02099301924ae8cbc5b9f1793da4d79853010ac3b346

SHA512
496ba76f174d5e31bd48749adda5239dbc2d2d55242eb978bd2ef0165c63856232cf5f0eab1d216b83aab2a69625f92e561ef50a68675f1d55f487e003b84be1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ce7c0574a8c65f4abadf7938144dbfd8

SHA1
18c4d786ae5544ba44e92bc06f0742eca056d1d4

SHA256
3c59080f8606334f788b0168a724eadcc3ad17ac3ebcac1ea33d060ec4627153

SHA512
a1a284d03c92ec2f7bc552edfc1c9069b155653acb31130f00151ec6c8c3a80fc55f3d96e55dd6a6c74c8272a1f8290d17af98d201ea5b9b786b4399d0be5fcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9a66f1c313c44dd8e30a30537b77f819

SHA1
091bf1c22102454f0139af89f739292f97b68990

SHA256
fc12b436aefb16f1cc52ed36458703df7b2d466ad10ed5395f83e0abf019dd80

SHA512
2b77b920f3bdece1be50df60af448516bf7739b398dd233600549517e48c58847fbacf4c1107601f92ddb71a113ae721c5503d841bf1dd77bf909c6438de8434

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6c625caf321d86e348025ac264894a88

SHA1
d2b20ff12a1338430755927c1fb326015daa05c6

SHA256
b7cb129a1ca8597cc153621d81c97f8aad7c0c4be65e3146d65de82dddc1c453

SHA512
58ae3ef3802038e375999e5b3653c0fff70d1c966b0f3253c053562303ac6231bb1c5c1668f945aa4080c2d215cf4792ced5b928ef25b175632dc891273b4e34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2a366793384eef8cdb4e3993aa442849

SHA1
3808ffedc4ff886b01d04a25e12c36df8fb53320

SHA256
1f651e033079c3cc17ab32575e65b858f42adac50ae14ee9f0e119e8defcc790

SHA512
93b5930f32e803921ca2ce5014a23e4449c3742be0089d38eeb0bb303a5e909dc89c7c3ad1f519abbc8c21d781cb2c15cd5f36e50d23e11c080d9a3b34f39cef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
af7ea9ffc62421c272edfa6646dfe11f

SHA1
99d01273d5098f6c1d0d1cec34631f1190e95d98

SHA256
4fd2a2300956a65b73dbd430694c043387e38ca3e5b4150346f990c58548c997

SHA512
2bd2233356511671b0e7b9fb0dc44284e1a0dda47394f4293f86995237b04013b939fb5a24607870a795118fd40cd201f8fa9776f0fc051a5598d9ee3a05d556

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0125cc46715a434fc95f6f5ac05b61ed

SHA1
e8c7bff4e831446c2b7b6368e0ce4b1d73485a13

SHA256
491b92adc82f6e8643a76af4f719f6883743a705e92732cad3470669909a7eca

SHA512
2724505421dd4033b789d130f83da7597905441c48616d60901e1e090ca6f7663ca4f865bd73e2f7793f892f3d8ec212b0186064c26a073a9c84f2402ac3c9fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
69ffe9d87f85391d4cce179d53294dc1

SHA1
da7e8d5b667ec357efde0ff4cdbfd18338f120fc

SHA256
e9ebac3a5518e4641b58f3e6507f125d27b2963384e89596514526177b2028fc

SHA512
3f0feb4bce9afd7ea048e94cb1b354c9cf48e1abadb972e5c312326e7e64b8603a187c6f4efadcecffc9be978e24096d4211dd82a3f02c07a71385a33dbed63d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
442e46670f9064c025cf0a37a314fb1b

SHA1
3d77edfa267df2319452e52f485c48bb2bbd908c

SHA256
4e1920d6515c46f509e3796a59c77f316eef07348500500f581cb988425f0de5

SHA512
632128c2ab65ee4ad37aa5396e2410136fe5a32006ea7b4e219f85abb3fae84ec7f05dae2374c5b6e799e7f1b9e85336bbdd1b1488b5915a818c98fd17ff5c18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
46bb485abeb7f00e1575265d7cdfe0ba

SHA1
53b7444fd98260cd12e3fd30256541190b4e1c58

SHA256
15a733d7aee5bc3dd04c4fc596496e13627337e655f0133605374b219c2d6845

SHA512
e1a37388f9182409d81c1172d65cc78087d0b977e8cba0c0955817b5f5f74231ee83811d1e12ffb113baf7af2f8ca2116fe86e7012277e2b9c7e4896f684a232

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
aeff49c370ca55acc59d650ee441d025

SHA1
058db2230a5efc900674fbd2305e00daf1e1298d

SHA256
33e45859c683a4cff1b3923fff4f489cc63934a8febf235bb72fad5ca2976641

SHA512
dfcf6ab5bd493f21eaa5848ffcef5fc74fdf0d9e5346c0dc155234dd18a5296613ea7f28520336ba3becbe56eff953337b1b70d9c68b7b771de1b3b7ad8cdaa3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
95aa7291efe6ff1376387d39a10583bd

SHA1
d594487fe4ccd4a75ad9f49db474f308687bca10

SHA256
487f27e261decf6aae164caa5ddeec416600e7c149de99c682703ddd1bcbde3a

SHA512
f1ee7180f268c1b01a58e3752f22dadb3bb547146f7f7f85c2455e47ae01a70a5f68bca223a5e708d98d743b55ca3a82ce2aeb80d7bed3cd47a5bccd8bdc8771

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
fb2158820e7f3bae68ff766a9b8fc7b0

SHA1
ea85534c9fc05a753948544765839bb7c1e8a813

SHA256
2c83629df9a33e67c0a6492dbf1862a0b5b79491298738be72fb408ebf18df43

SHA512
e3f13e1b5fcb8dc37301c019c5abd7b2ba00c7ed8c289b7f73721d659083d51b187036569d2903476b3ec15a1594f171e51eb7b2e28b6d4f6269f2a2d93ba78f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
b1a7a3f1a40ac9e6f82e020d491038b4

SHA1
5e8896ccc68b9da95baed2057f019d2897ed6e0c

SHA256
44bcf9b1a6ada898319fb46525a792dc558d525566f1128c6f23004169e75eaa

SHA512
58949762955248965b0bcc06c7f8444c47e712ab9615d5ae94d1f8a77d8e06035e2c84229f9cb9a28fd986cf7bad13eb829ff85d289c04dbe33b8334faef6d4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
2a4b17615b7e3b20328f170cbc3c05c4

SHA1
55be4b53952e2bdf9b99cc01cffd8da36c678368

SHA256
c11483d1d55f479141f996afa37654650d3ac63d5a5956803aeecaa13246a976

SHA512
fa1b7206f3af513463daa7d4b03d4548a05705c9eb60087a676c6de4fec497d53a00fdad33345b0ed41410423699b547afeec8d5d0506db67ee5d4fde1df795a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
67647e7c04a9c19599ee1f97f31bfee2

SHA1
94ed4ebf523900dd49667e103709e77f3733ae6e

SHA256
b426c40cf84e68975b4226bc2d360ae68f6471ccb3b7bcfcd0bbcd47f0ad451e

SHA512
77f6113eaa264ed15bc489004a4548c19d694a0263c4b5c07c0e4fd88bfbbc175131eb6522839a4134be97ffea1c92f2885d7555992c83b59443df0f47be2cd5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5bfb5eb40c76f358cb6fe58725c0f0fa

SHA1
9561d3860e62c803b3271d950c1334a2274b1491

SHA256
8652f10f1a0669346e8f59660f5a007df59d1d1029796e0eed149d76a143e3e3

SHA512
c4a7f194223dcc18c61993d9c718b0b50e3746f4981c6e77e3649869961cc1a42c91b185e230f9f4debd548f11d8895f07fd0045798f429aa271eece6b8d33c9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
137245302fe0e889c2778bace80ab0a8

SHA1
ed1b6ec6871a3f899fe2c33a1a698f4f6c5ed31c

SHA256
fd3326c893f2f5c55d87763048ef8da3ed7e9044cac4ef6b9a2f505cb93dcc63

SHA512
3ab94914320ce488ba7365f1c6fef082efb8e8256b80397a196d31388e49ce754c328acb905a0adcbbfd7712aa17c7fc2305faee12a5aeba4e4744199ed6f8ce

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
92b60a4132adb068d4691a67e071e95b

SHA1
2e0e11fe2b45c830ff5393ebbe16721134c91ecb

SHA256
50f959110bc62586f55181cf6e27b227ac7b65ea47bb6be6eb50bec5c4e3f3eb

SHA512
0f2cd5abe82fb220a5381f35a82c79364ceb2eefc54e2f26f4b4c78b187dec681d93fa9172912857cebf7c0c7a9ad4d139054d00ffb654693404c0e50b8ca65f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fecfb31ee4dedc1f7da1dd949519fc77

SHA1
ec21360398efcb9ef0e7140b591ca42cc221171e

SHA256
1b2497398bcac7db5b59529c19720a0786137cd392200bcfbda3c1a10c5dc629

SHA512
607e992593314b4818e49c8e9cbfcb0c2949ef4f77d49e92274f808b73d4b8b716b1357a908cf6cdaaf56cb992d5b53afd43895a96522b5ac4d00a016470f7fd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0b1ca65eb4ed20ea3eda4953e5cf2f70

SHA1
dd09c08a072173ecec3f83bc5336bb122114bb81

SHA256
7061095520ed64294e754c0311d3b52c4c702580fdd374f93a46749251abea3f

SHA512
5c56b4152e2def038e2eb818f970a0273968cb74f124d49929d7292f5031f2045a8d0c24b705fdd18b4c485ef63d1c9fbe1b637c4b9b8e85ddda2c03c6c373f8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9c9f700772abdc0d87ac213e8bc0998d

SHA1
9a9557ba34030359957165da8569063db8825ad0

SHA256
94bc56be29459b2015ddd0c62f8c0399bb9bcb02b59b030b9ed6134489612311

SHA512
e97ad2ea590c2ffdf2c50701f7a12d0d959e845746138abc1caf8fdfed7f53982f95a74c0251aeb37eef8c7ab869d3a04a9c9c3d09343a9810de7b7fda220557

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e3541dc41969a076c0b82efd437a9ce6

SHA1
10d2570e0f34951fbb749b8ac11ddfd9c5b2e733

SHA256
e487dbc8d4170eb4df51f844b957e0c5dc3c474ae7e0f4a16290405c3ebff02f

SHA512
6c3caa84239bbd4057298f84ed6c5af7f46021b196aa698a8288397e0c1665ef98d615d54ed1f358173df39343d5716939ded463d6f0abfb885f08ef62851117

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6a9b6c35f00962ba490b663f6d9c796b

SHA1
01a16d0162c7a8d2ac4998be9d5507a1bf80e586

SHA256
5cc28326043c2c8605f9de29adc3ebe4cd57877d7b2b3571a5811ce3929a1c41

SHA512
cfec632713f0a10985586ebaac2eb54ef11015ce0870f32f8111fb4d19217e6ef6195e281dfadfbb9abdcf657d39017f006b34d13a340bc2469d2f0326af3af9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0f94ac502daf0882a90beb18a026b323

SHA1
74a9c412cf70a3d1e86c59519bad9884764bb0c0

SHA256
6f857929def1697ebc318be4411a0ad2eb124238aec33fdcdf1d02711910e882

SHA512
1477f8bb0232f5c1d0753500de86f7d3ab7adccb6bc45c4aba4b2a6d8053853e6bb046d68eb03d6103971a6bb1b22d46d03bcc48a54e8de5275beccf4c58cb3b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e2557cd0d25ecedc63bc3b6a4fa758a2

SHA1
168fdf0704a9dad4f3089007bda849bc05d7d88d

SHA256
8ee29ee7bc1a35536de903ea6ebb7a13b8fe20c3619938d1e66348f9ab534297

SHA512
1b2d850f18b46ad1e09c4fe39d9672aa983dcf113c23c80f72b42e607cc6349b0d1eadc3c2eb0997722603a4b17a220f6210e59655dfaa58f86b514746f514b8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cda0ac3c74ade345bbc2d68ffea5b7d2

SHA1
376dbea39fe5177bc7c4394dbff284575b6dba4b

SHA256
e2be06ae00069a29563a6a1e7c1fd81db33e17ea19fe53420c632a5cbf5bb633

SHA512
ee34ffbeb0b89074fb83c66e0827a6674d97f45e7a88c18bfb5b0a35adaedd2a8a2693e3f7329ce7481101e41a32e3f5996563fa9cc0d99ed7d0f9a59b063c78

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
81e27c729e5465e1f947bca5c0379d60

SHA1
48c662c0f98cad428803e3f1848f062f927f7527

SHA256
90115d0a63ffdc8b707c27635f61ebf784447bcd7119353819c67e848340e3c2

SHA512
2a9fd4f5561a0b7b9e06ccfba408fa1fae3a1510d3c8766d8ca48592395a6ca35f356b8fd49d009de50b243db4d293b9f5a9ba075685fa138022fbc72e894f52

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c6c785b2622c04f5daaa146dbfca0713

SHA1
3e9156111a4a5a40f8285753caadb88accc5133a

SHA256
bcfc448dbfa63bccc692bb8b77a23a15c03040be78cfa495f767baae7618f354

SHA512
b5817daf843dc34f77e43e7ef075c97e7b491b8739b28f6fed0a2e168da79cebd3f3c2b9516cee68ac983ea549953087df2cd7a1265755928b471527ff47e37b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1a16df85a3819d1440bfb44736119744

SHA1
826c976e46b20acb48ba144c857bb4a8874a4cdd

SHA256
a6a11d9fb46c87aef68be3caf7faaee227dcb498ceaf18916f962089ae21fcee

SHA512
22edb75dbc4bf57ac7139c792c133fd4e924d176616d835aaeb373046847c192297667cec89a6d27b5c0729751a908a2be924d710c5581a72f9f95281e084fad

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5caa6546f2f31878ddaee5f0ac1252de

SHA1
4654b12bff7d38756d8de3571d49b34766ea1234

SHA256
4829563781dbe6d3e91251657dc56acf564d9d779e570a50e12615d57e015a98

SHA512
3855a6b578fa5959ad18a07d02547a86700d7c353b285f48d7b6cd31045459268af5f9c8154815d2880300124738a09c3efe3b66480219b0d5a86e7c09dbbb74

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
38707a4b27108612e4b4ba3c4e206aac

SHA1
4772cef97b7be23c023c1cbb5712f61fa9bbf662

SHA256
198ddd99b7dc685357e936bf9a9e6b87f3e965b2587917921ec44bef06ae74fd

SHA512
7fba7cc419b6dce73bdf690b2a0097a413b4e1f59ee6cc70bffdf95333471532f33e40f138d24230c78c2b10bdfdcc02cb1e6331317c242bb22ed934d68a7317

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4a8f43479235d1424528569f58acefc0

SHA1
6ddec953905af6c5dcfceeb17346a0e31807ec76

SHA256
421d9e4bc7b9681893469c15e25c552af69b7bda7d88ad2d45818159bd83d3e7

SHA512
a5cddc4735c4eee2a3cc03a13c3573d6473a197f38f4605ecf2bb7ee549e315fff36b7aa6e9e60be08daa4ca899b4e2e7daeccf3c28908ba46b567d796dce24b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2665a08cf1f6ce60b0414c32cb94bd94

SHA1
083106cb61ae2c608df3c61125215a7e4cb33e30

SHA256
cc92885a69556555080f4726e85ab1456f56292451072f4e005977c49181e7e6

SHA512
5b4938efd04f2e49cce016ce6e9ede8322da613b7f40ab9e6bf07afdbaee4c6f8232c473313085eeb54073fcaa3646d6fd226a53a2453302292ffc9ca31f4261

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
66c094b104d14d1fa17aad8f863bf37f

SHA1
b73016de5019f9825deb6c8bed694760ac825142

SHA256
e031e41c4d26e08c2dff0ab012ecdbf974a0289c213d6e06be50884e4d19e31b

SHA512
c4724e4ee942e05206b26e4efac3dabb04bfb369c8fd7ef59cbaa7807cf06b8f415ad29da1c79c3727dc9579b3e39997aa6b7cac18ebadb37653f5d71e9ef445

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0fd1b834dabf9428b354402894f1ff0a

SHA1
842e671761ce9ebf85aee51de7098aa2dfd44918

SHA256
0b2d8d27935ce3c28eb1f48077a5d5f67e71381f24e8e4a78d05ff6e1e56d910

SHA512
3cf06de99d2260216f1c956c17ca785f36408f8483dad5f17e8bbbc46f1be006510d9aa7f343194cca6eb936856ba8f1be203539a878ef21184b1d9666e3fbdf

Download Submit
memory/428-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/428-473-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1004-58-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1004-65-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1004-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1004-69-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1004-71-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1040-472-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1040-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1128-466-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1128-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1404-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1404-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1636-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1636-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1820-415-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1820-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2176-315-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2176-467-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2496-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2496-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2496-22-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2496-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2804-73-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2804-246-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2804-79-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2804-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3076-259-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3076-265-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3076-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3076-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3700-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3700-465-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3700-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3804-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3804-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3872-470-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3872-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4312-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4312-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4352-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4352-272-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/4352-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4540-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4540-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4540-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4540-55-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4604-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4604-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4796-240-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4796-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4848-6-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/4848-1-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/4848-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4848-33-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4992-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4992-43-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4992-36-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4992-244-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5076-471-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5076-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5084-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5084-475-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download