857ed870746a3bcd54d83d3be78d5f114af12b9e7444f3b9bb305a5df261347e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exe
Size

677KB
MD5

cab03efa8dcf6e57bb2e9844690b2b08
SHA1

a826b6117e4c2e325b0a4ae3815dc600533cc93f
SHA256

857ed870746a3bcd54d83d3be78d5f114af12b9e7444f3b9bb305a5df261347e
SHA512

b6ccc48d6add004fd78cfb632f890d01c035db6d40875b895a607cb017afebf4de3602b071ba754fc6b75ede977a27f5c94021ce04de54caf6d240cc7a84e5c5
SSDEEP

12288:uvXk15MyndwCg6/xjPHFFBwpRDftD7IBUgbScDQCSkb6wjfRMVviOvf7sibN3A1k:Sk15Me1g6p7HF/w/ftDsBUiScD7WGfWf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEfxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1116	alg.exe
5048	DiagnosticsHub.StandardCollector.Service.exe
4756	elevation_service.exe
4516	elevation_service.exe
1756	maintenanceservice.exe
4000	OSE.EXE
1944	fxssvc.exe
4724	msdtc.exe
2996	PerceptionSimulationService.exe
3552	perfhost.exe
4872	locator.exe
4812	SensorDataService.exe
540	snmptrap.exe
4828	spectrum.exe
984	ssh-agent.exe
3956	TieringEngineService.exe
4528	AgentService.exe
2272	vds.exe
2576	vssvc.exe
4428	wbengine.exe
4956	WmiApSrv.exe
2676	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

elevation_service.exemsdtc.exe2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef1ebd24e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041930bc0e5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e33109c0e5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cd1c8bfe5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001348bfbfe5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c522b8bfe5adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009a9ffbfe5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d51abc0e5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008896aebfe5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
5048	DiagnosticsHub.StandardCollector.Service.exe
5048	DiagnosticsHub.StandardCollector.Service.exe
5048	DiagnosticsHub.StandardCollector.Service.exe
5048	DiagnosticsHub.StandardCollector.Service.exe
5048	DiagnosticsHub.StandardCollector.Service.exe
5048	DiagnosticsHub.StandardCollector.Service.exe
4756	elevation_service.exe
4756	elevation_service.exe
4756	elevation_service.exe
4756	elevation_service.exe
4756	elevation_service.exe
4756	elevation_service.exe
4756	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1628	2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exe
Token: SeDebugPrivilege	5048	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4756	elevation_service.exe
Token: SeAuditPrivilege	1944	fxssvc.exe
Token: SeRestorePrivilege	3956	TieringEngineService.exe
Token: SeManageVolumePrivilege	3956	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4528	AgentService.exe
Token: SeBackupPrivilege	2576	vssvc.exe
Token: SeRestorePrivilege	2576	vssvc.exe
Token: SeAuditPrivilege	2576	vssvc.exe
Token: SeBackupPrivilege	4428	wbengine.exe
Token: SeRestorePrivilege	4428	wbengine.exe
Token: SeSecurityPrivilege	4428	wbengine.exe
Token: 33	2676	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2676	SearchIndexer.exe
Token: SeDebugPrivilege	4756	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2676 wrote to memory of 3396	2676	SearchIndexer.exe	SearchProtocolHost.exe
PID 2676 wrote to memory of 3396	2676	SearchIndexer.exe	SearchProtocolHost.exe
PID 2676 wrote to memory of 2404	2676	SearchIndexer.exe	SearchFilterHost.exe
PID 2676 wrote to memory of 2404	2676	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_cab03efa8dcf6e57bb2e9844690b2b08_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4724

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4812

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4828

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3396

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
fda96dd3eefe658a6668fb0cc0bd26ab

SHA1
3804726f480201e40d6f21f9225d30e86031656c

SHA256
99c26e15915db40ca646797df2e584cb67d28505b68d7954b81f999db74fac30

SHA512
4fdc58e56bc41fdf7c6f0973bf7e2590bb594bd5edea15c6771f5902f418d860c5788fa44be9ca7124d266d52124026cb136ade201469435bb011ba7200d1e64

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
2696df2a5aee9a19220304ab2e150e61

SHA1
f6aaf271ea8a324c6b9e4f087f117374814d237b

SHA256
a6297d732a3d26eb34564a9e560f0a96073029c3f9c4fef0fe96c7627827a5e2

SHA512
e25a25735e472250e51101b5819ecd3e85792ecbd95383c125c49bcbc07da567eddaf176de3d511f0d58b81c238745aa951b28b8c5167e08551061567dc728de

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
73ebbf54a7c96b16a17eedb0d022f6c2

SHA1
c64d18266a8c9a845ea178fe46ca0d516187d405

SHA256
02d51f77feb07c85883013c204fd374f1025ecc628dc6ebe0bf0a0f11b9c5f24

SHA512
1ad6a1aa8b2c751a55d56abd1a39852cb212d73e0d15d1d72e2e429a23ae98afa2987b72762089bbae0dee57709e1fe5912cd3f1752268b29f63a3c27787db8a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
774e9646226e0f3cd5d2e1312da5f4f7

SHA1
84500f1ee58ea96cc4b30d05ed26b80558fa22df

SHA256
3cdf00cc6a7ac1a544f24244aaba338d138201332d34b7578b26de8a7ffd1cac

SHA512
513051c6ffc4b7950a18e9cea3972d5478256484939e35899edae6c1b35e557eaa3e0ed16ab3c6792341d54f25994c7360ff8401116df1aa75030e746a90b539

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
75a13c3d517a18c9e176ba4d47e41cb1

SHA1
0488cf8b04f2afb9ac02da8114811116ad13d34f

SHA256
48331ceba2bd402590fbb0796f22c20571365c5be35b9d9db2427433a75edff1

SHA512
9819cf771f983bd5afc8331aecaf18ff7e9e7889e10f3005eeee72cff0b5c50f287d553aa3eed96b75569995c5afae0c9ce00699f659919d6724be694d7b9aa6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
0b186faeea3276f68078bc9a0d023c39

SHA1
ca681efbbdfb413ffd5e672587ac842f2969e2ec

SHA256
4c4f33be3ca39dc6d5acfcf254dae5d3dc95e870bf1fd8e26b4e3b018ecbd933

SHA512
7e328f224ef307d8b4b1ddfc19d67735ed7077a779c101acd7ab508b23e7c64329d050c3ed393ed3e54c686f062e9257b78aa7c5386f4bc8126c77fcbd12bead

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
ae4b74e63dd945931c9fde35aa6a2c68

SHA1
5c35ca388d48899b5f9ca4e0741c07476e195738

SHA256
399bc433cca3a2343d6571d5d1a004191ebd25060d935a8abfd36a7b8dc07def

SHA512
27a6a0ba25ec2db7269146a4e7b350ee68e7dd0d3f425fcfdacad41d09a9fc04c22bbd5eefcfc3e3586763ee5f23d3c91ad7d6081ca1a905300835493ee31cf0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
7730911ca012bf904d80def3999dd465

SHA1
8d06ffcbf232156ae4a70bc7fbcc276ff45e7512

SHA256
ef9a017ab2b847e9ec86698d9e074b46ff3b60985fd8c78825f423356f608860

SHA512
90b68b24aba8b95b059232a21668f84ca0f80e81dd53b2ef1a5860d94343a128c75a42916fb077658176ddbed780237c4ffdc1a7af9a380c698fa837a43fdd58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
26c5a7f96dfb85b610e7a07036ceecb7

SHA1
e6e72e46cdbfa50dfdbe2371c653ae029f1ee70c

SHA256
cf3c781f2161788e85da1ae7f31e82b96383a2dff3ad619b4a2aaa1ef2551f40

SHA512
7d73018e789dd2210266fb71e18042b25151b70148909e9a851e6cee47258eabbadf1088b5341d6e7983dc5302a75a459d43c0480294ef5b6ac2a070301ce994

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
fd357a465677357f650f1b1f4230c4b3

SHA1
022cd29494545ac9082f056c108547b556d3aef3

SHA256
2a0096972bcee4513c2fa050a392f7fa9eb10ba6c049bf6974c0f365eae8ff94

SHA512
79d386a58dbbfb77790b72e375a0a8999fb3a27917d773ab1f9aec3d223e023e53e590aa059e1de04b88732421873daeac7e6f02a6408339c2c88aad97a210eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
513674d1d2be9d1fbe2d612c65e5153e

SHA1
2679d65f141a172eac460322ef7c8f56e8578b57

SHA256
05b5383d5fa434a673f1dfef04eaad4c6250bd39a3414a830cb8ca593be22b24

SHA512
8a301ddae082dfb05799ccb421f7a9e4267e090ce46198474a0feb73c574755dd2a6350d67870a68ff35f4b9ff83076c44af2ccd13cc57f1e332f0a89b86e203

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
d6173194e3401a508d08e0de261c92ff

SHA1
5945eff0adc91769e957e2c38384ad39017d3517

SHA256
c7946e2bac48cd7a036eae2f2b5ec93b844c56a8c20c59ddb89aea45aabbf588

SHA512
97a85132de6fe45c63cbf5ac489f8021bd1a746b74dc145d353d9be794be7dfb8e1891fac75f0abdd2f8baa1ab32052bd7f1bfe21c9455f31358093c1924c06b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
73550a1787ef5a9282ff9a757083fd75

SHA1
5138c641e453283429ed113ff06c4d343f7159f6

SHA256
fd9ec982be25590199cf68f7016aea2d19c987fdfeef4bbfb153e00d1d1922ca

SHA512
f8a35f9ea943a31e65f212724be28503f9ffd97b2f840111c136a00dad0c200697f3058dfb81713b231a164153db01b13fcc9f680a08f374f2d92874d6793e86

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
b551b8e83a7216d950f038a6a2fb61c1

SHA1
b354c3daad754000b1cef7ac614c20504a113c25

SHA256
a12da60e2d88a5c066fee01e4c5cfedfd1c98c6321301cd927660baa36dc5aa5

SHA512
b19428ff3898bdf7753bb22673b4a24739945ebfcbe1c0dc5c8e0603e6220bb983d11a1f662ef2f386dfdf514bd93f8ba17d894982f8f81c3ddc8f33ffd3700a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
51707855d8713cf730e532fc6870a162

SHA1
7d4af7c43475abfd50740283ecc64a31f82078db

SHA256
ef8d438c27640fa619f9735e566e33a7d3567bf06d83aa83de35184b78710642

SHA512
c0b1374d33528bad6f4702601afc9fc0cf147d8ea18d5bc28ebdca820616930e2bb584df811e30c8008579bf037e8a7ecd97fe577b600c76c2511ef4d2418299

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
3bca4bb03e9e1d6639aecc740cb52765

SHA1
2047b34985708fd5ab4d523a7b44353b13584473

SHA256
d4c4c2c7d08700d74c56e71fb30a881714ec94808d4340a2e75e953aba79f0d7

SHA512
495f04e8c37c3c8129c2909289bf075bf13a05e83a6060057adf968d451587998c204a9bec1a06700c9e2eafff824b3001eda114bbe12c1fef9b83741d922b82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d325a46393eb70b9d86ebfd6c756a7c8

SHA1
ec2f22fcbe4d92bb5c02abbd82bfe9b82c42caae

SHA256
100ff069133dc7b0419a72e77e69f122239e946d2b13bd2668da884b406000de

SHA512
f1ee1fccb8f64b70e136ada13bad933522273c335fe3828551d55131b34a842648fc4bb09c14f5653c7f1e7b093e7b39e8bc3bd064b9c41e25486ab2905f8b30

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ffed95e57f04f71b76c5250268aae9c4

SHA1
c51a8e75d7642ac1ac5b051778fe2a8b436a9ff3

SHA256
450881e2c5ca6c8f29fc13f242e1ca210bb64246e7f719c178f5756c44d92754

SHA512
01135307ec1d357d5d6007d1c9bf5568f9b7ec5acf6b1ffab850fee89f9854167626cc25c17e79261b4b77d13aa1f02ecbec1ae303bd14bfd055631fc1feb7e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
ffe22fdbdae577c9fa67328890788883

SHA1
cb488b3000a84441aa401d7f3641955b6a0af2db

SHA256
8253086f03cabfb4449b33118ef46fa62fd0eb9855445d571a9b53d92423007f

SHA512
f407ec3d709c2ee5d0019079912f5b193a6db901d1d8694023821bdc76013050716940bcb7117a6c425c9ac9cea4d15cbefbcb236e1064fe9797c8f454d7d8e6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
a6b8d8440295c2b9903ee2e677edf5fc

SHA1
5abfb50df54df1fab7a576d6f04c2d5096a94713

SHA256
57154b12359ddfc8c8cc96dea4324f31ec89f62bc5821f0e463f17ea4ec95007

SHA512
b2b160f605d2b33157cd5c0d79fab4bb6b1e80504389427ae6a24dae2d5294400b1a224681715c26ca47a79ddc3e23869713271736b726ef94e216602a6b0100

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
9f4c26d9626019227f01cbb004b40833

SHA1
716684e8730fdffb3ea06cfbf9fde90e08349b81

SHA256
763fc007adff6496446fafab4d6cbf06ac884b1c5204d7f516a58c27d354a701

SHA512
d6e33199fdfb47a02f965150b66006a204d380f6e28c91605e57588335abe0369e1f2a139c7bfedd6c20b6728b2ca1362e525d3f4cf2d164bfd32c4d6e8195ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
6b8c327174453c77f68dc56b70a3ce9c

SHA1
6be63aa4ffcdd6a30d27baeeead5b3605c3354ed

SHA256
6d3c6dfd03a9318f19a328cc233371d1cd97692e512bc666c22d39afde5f9fd3

SHA512
87e410e3623fd5360781c540b2425875fe860bda253f342146c5bdbe13113166104cb9bdbec3dc2eecfb93ee0441b56f0c73b908bca2f2ef7c7effdc5d31ebf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
8c88142f7ac8960651265f6e0f803c43

SHA1
dc397aa142b00252a34083e159c5fd509da860fb

SHA256
6959235c459f5eeb0047f282102b184d36a4685e8bd7a58aef692bf28f8f29fa

SHA512
76188dd0086dcb49b428b0dc1e71bb5ddf25fdbf0d1791fba0fd845e7645a2860483731369d84adcfc411a5629a14d5c781dcd02fad173e4dba2eead5a4f1c1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
9cdf848a0db512a508a503f7f6c4f01b

SHA1
7c8b28064c4c1d1d73da68a518e93bf68ad044ae

SHA256
8681abc3cc0e475a2e43c35116ffe5c502619cc3d4415aa76796c8f01bd7f44d

SHA512
344343bd17fc4141019e1e8d9ca5d6107c92c3d93230b8527485ba1db576286237ef02ca9782bf444958c2dc05ab59371a41c098fc15291498d165c700e50e8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
12250b231990abda4c1ca65aaa39ca68

SHA1
b5053d73d2dd52a0cdb8c7d00374ecb6bff05d66

SHA256
c11625becf11808a5e53f41a931b5fb04f60be0df81a02a1faeb39bf77664f32

SHA512
416fbbdb0ce75795bd1238ac652c07d1ad0d2ca96681c7aafc246c2ddf459de6c35008608528eddd1b62dc010e0a5824d107bd36d0cdfee352c98e1e0337e159

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
2022a0cef64b2162f3085e3a69666ce9

SHA1
358918498a13fd6e15b185e6eefad74b4733b73e

SHA256
62c8093d0e75e718636f0e378173d08e93f3aa1467f305bd68bd093864a0f982

SHA512
5052830875b3ca8aa90720ad3568fbde744d4ab01ee6a5f3a12ef76b4961df7aa56c4444a3389ca3a2af2857c0190ac42c2ff75ba2417b3c72edfc16ca9d8044

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
8b85b151e09988dbeeb78747ed0b5536

SHA1
41c3c9f3fa8936e12071cd9c0a74ae79615b5b7c

SHA256
534c7ecb3c0254e715a84df50cf37a8d78295f868a6d19559feff601b1dbcb13

SHA512
b4640416c16806ef7c8905741f2a118e60122416062a0cae565e644b2290ef62af13c81b292c83ea98c1d3d3c7e2d4ca68d6b51a566dee62e527241478d762cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
30bc129015a61da87b10f401a4f709ef

SHA1
8412df5edd224c7b4d40d224361cb3e646270a99

SHA256
90f997653f7c44d2661683f08830b71e167b760fa480eca0e338248e048ba92f

SHA512
2b2c41de925fa47d54eac55223e59b1b7ea2ef951fdc41bbe5a4220e9938cc51beea5ed83e77395858bab46315f6b0e209b5633c8d7485c41b489957b4cc4860

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
67d6743c5163af6ed80776ef616013b0

SHA1
2ef1f3b7b75895cc083b5a5198c0bd26cddf7765

SHA256
3f113a025c3f272091ded6fdea3d513bb81ec0272c26cc7399c2c1e4f4b3b41e

SHA512
9025908657f2aa5d80e5e1edcc1cc892eb2ad313883246f58fbe6767fbc32105415b6eb1c33ab18e6900654a453637e9672aa3fb80a2d27aa3bfa13803b03fce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
89dfe616cfc1b3e007ec96b3f379a5e5

SHA1
193096316c1ce3b1eb75f665304f4a6727666000

SHA256
9fa8bc5b0011b5589131d8593edad30dc02da805dbf6c127d5a6c43cb237d6db

SHA512
81996f8dffb05f69519706d570f08058f9f7f7c1e6ab4e14e911b9c2489afe798eff75d7fd7f24f6f5735911c3ce03a4aa244a564148258a946bfa9d99a0a440

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
a04c6fe776c85b6577ebeb37c8c2123f

SHA1
37e031d7bd7e2998b789691d14ff2c99c7740ce9

SHA256
a1efae82b66786f416498f27706b1ef8a5e0959605374c2662d5338481868f1b

SHA512
6fa30da1934edb74faca5a77d4b3079834f3a66538db281d2ea270be20030b3d071dc5b6f4bfc0fe3772dd02ac35d57f95a54eed5b567c6f3a7f84e9600debf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
efd17888b0d0252caa53d0d1ba381ee4

SHA1
e9de0633c1d6d99cfe22a149c413a0173993e9b3

SHA256
423f02e2e0ed0439da475ff8c92ecd047eac64fc5ebe81a9877d3778ebfe6ece

SHA512
ca33e3668bf41f7d5923ae74da88c75fedd9df9711737db621e7656a2727a24dc48491d6cc739110e64f4637ed195df388dccce99bf4fb8f1532c02c46a2b49d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
b4e2e664e5801d602dedf778b2a19e15

SHA1
9a636e3d0127822dc35abaf599cec95d225b9e0f

SHA256
754dcb024a1905c0ac6efd079f6e684ceacf60c6b4152ee823eb634f5cba8408

SHA512
4a57decdefd1533cf021b53614e6ead2d98b47184eadfdec8f58d6d3c6398e36e01bff9d26ff9ccd92e861db9f2acd52dcc041638b1907f251f2e0fff1c1797e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
042186bf76cbc71d475aa0240087f760

SHA1
4a4ed2a5ffef24d17b3d2f0917fb7744eb9d292d

SHA256
5fa76a3cb01d7b0c5525e03ea17fdf930988b6cbb60da243d245848c0d510365

SHA512
e33427acc0df6d0e5cd38793abdf00243c0ea881dfb83db66fb500aa2aadd56a4d4bdcdd942e25371e1081bbaf32921f2a8ba19a5338e39855abec37d0236376

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
8efd1190a659da9ad5844b2e29bd4c7f

SHA1
bc23a185f09dc310589968cb03ee1db9901ab107

SHA256
970419f5a3487d716cf3e281e49d78d390801300c57a18fcb71824f06735cff6

SHA512
df8a068843be5391eab68867ac34d8a82474add86948d7fd8ad3186e156e0abcabf4c190e06638e98dd03f2ead84be53b612b4ed46840faf220ab7c62fdb6d0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
8cfd25d11af78d60d3f34c7ebe4cdecb

SHA1
6c8d70244cd91894878a0c7345e51c816d563358

SHA256
8c3a7db229135aa2be27da97e6b25cc4c7fe2c5d6143afe2e58c1fa04b6536f2

SHA512
e6a2060ec5193fa488d57002fe715caac47cf88966ecde77d76be0325d22ed08fe9b5d886c9c1154d7f3a1cd0dc06209c8e112b4b5e0a8b04fd1e826c933e582

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
389b8cd653d2cc29d18ce195675e952a

SHA1
1bc383f6f933a1585624d4b03b88659a26e3f554

SHA256
cd4c198dd6df44447b2dce72e23fa669b9e12a622aee6d7e9e3c4700f8c26271

SHA512
07ef9101896d58441005679f3c9b90025a310faf690ac30571f30eb969b070a6b537789493236e8ca40992de2922f6fc8fd966fdd9d7cebe26886aa5749ec95e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
d69feb8649930c6e0b839aff585dd095

SHA1
613ee3b4c37ab3fd40ed84ab9696f6c72d174c52

SHA256
10bff8d3c7d9a404c6dacf76e03ab5a6f4835c58b3db4c579c5b22520b34da78

SHA512
fd3cc3edee8add1cdaee8697724fd5921ac469604721c52d090ce239b6ec912fecadc52aa6abe04055b5c778dd78dba56c993866df0f54bd61d08a5415f3046c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
d98b37988480fbc9b851d1aef787b963

SHA1
1fb411edc2cce85c1f923aad8f478ac44001b284

SHA256
5205b130a807e181ccb09aa2b916f51884b259f0692cabb56674dd6da4a1ab1b

SHA512
dddaa98d68b8f8a0ea614f5b36e70fd7b5a13149a44fdbc356d4f684c2ae8726d18e35d6b83ba9436f0769225de95d3dc3089f26476f7e45b10c1055062a9af4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
093a32aacdbc7c21b1c8ec6cd5fd4638

SHA1
8db731d38e99ebb5792e0bd29562047d3c791b71

SHA256
f0a8cc67d8c857e805c1955c07e98e9a448b0bc8ad64fee4bfb300eaeff2f854

SHA512
e8a5cce33db771b30fcdfd24fcbbf8a56c8a114b8642b2ab9dc6cc619280c1e89f80de45832304ae1a864dcba335456514cf5fddaa741d5103e6290a686bdd24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
1acc06b43a4b759260aabc6702701d0c

SHA1
c73dd44465a1c4bf506d6ed442ae9bb5e6288a9a

SHA256
b75631a6c186a7dc2d6df1371e691177891281b4260346a69ffea8d13f669840

SHA512
092fb3c4475ab4c590b1aef24cf45c728a1da55846ed768e322a5720fbcbde31f80211e2215176675c162a357efa7cb5c6f7bd7543c675d4b170c89fa264e6d1

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
c2d764b44cdfc9739a30469ed3ea54cc

SHA1
7dc6943a903fd7c50689b6a821433fcb67cd409b

SHA256
3089d93d465c6787fb35f977a1f5cce4bdcb95c2d4dba7e9e75b78bc564936c1

SHA512
205f1655f67613dc26fab242f702e4f94c091435333d06367b7ab762dc4b4afd15e5b00d141edb3762f928edb53ecf8de3cbf15ce98feeb098371049281cded1

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
a17ce5ceb07189b5045552f8c5fb848f

SHA1
7ca681d8dd0d67ce77221eb609c9f192ecaef3c1

SHA256
d4103e96b9f412b4ed090419d80fb9267b432cf2374975f8b4fcc6255e26c2be

SHA512
e162b762a8c7742fa6deb821b3afcaa4803f782b980259c63c8ba9f37790ca562e2ea3f198cb4f56a787189a251a0cc2ef153cad03ccc6a059fddc740eb03e46

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a3870555c930fe01fcc6b6bfc42147ed

SHA1
43b531ce06cad00ecf1755321300d775f4236001

SHA256
8b43ff8a728bc37cad64f8076ed2d77612f3b2e477524e9ec4d1326a19662b57

SHA512
f5f09f56350892de5b41f2bae5aca66e9a9a25e12688c3ee67d96b8ab59ca10d23aeba7d3815793740a80614037f811256a6aba458865c062834858e7637daf8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e985350153d3304fabfc351498695b55

SHA1
55c3644d9b3d55539591960860692c2e56c1b6f9

SHA256
89d27548ec88d5f330ea3403381bb479db5569425c2b30ca31c9d6a8572a6fea

SHA512
2becd1dad1b368d10850ba4ac9b31bb32fe02d9eb663964f56c4d613d9c27be89c76f3e02467caf7bb64482f23dcdc0d7fa2a98fe2f0cea596893ec624900d8c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
7f22f11b07e0e8a5d1fe40c5897fb3fb

SHA1
d41e1bbd9a291bff423d4ea901436d2df60b4421

SHA256
3044ce4dd6c947302d108fce3da14e65c16f95c3defb524a64dfc921a4592d19

SHA512
b8e6f8a35960cf6b2f09d036883420191e8af89208c94d704199acbb8aba2c7a76b54ad6db249cb0a2b23b18471e66e6619d72123d1d19fa064b57f573ce899c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
028e6de887d52120e0d242d9887ce3da

SHA1
e5b94fc7e4018d008d368d87c1b2fe1194ae13bf

SHA256
0221c5a3301c6b709d2319aee946fa4d619eb71110770ff7db95a776836ed98d

SHA512
15317c10b3d1771e1461faa1a1cd93e3f2b72d92a707c4b24eb70520d44777426fde7d60d3b6486ec2c655c2560c0aeed8d21d91795d6d26fe3065448ce071eb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
26b1aa09c5f1942cffff73b38341fa62

SHA1
e37e22cc0229eba0b1a50f379321595a56d17d27

SHA256
07e594533927583361cb028c3e03ba6da76e89d6a6dc5b90333ceddb4f8191e9

SHA512
616ac3af3faa4de35f0646105be026d14c487405d0386537258004804826bab177d78138c01dd87c32d65bf4452ae4940003488f94a41962a53d31b564fe6753

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
fa80f7ecc84b41a5dd9688044c89ff65

SHA1
c09a9beb3a9068b878642bb989dfc2c16f48068f

SHA256
02adcac57d181c07205068ace857787792ee42bfd84b125f20fdc2b9ec4023db

SHA512
7a1530c83acde42ed2459c24f66b7da7e53cb9016dfe1d767f82c3981e40c5a562a0cc8a43174023833c7e225e916b6b6fb9542c426788c6e96a6ffdd0dd1a39

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
bbf68e18684b7e2a95b6ebc9757361f8

SHA1
a66c245706ebe9cd34871b64ba683d68af245205

SHA256
472d811979742e3131e288110d0cfe664b89d5d4b953f22efcce3c7fbf593509

SHA512
e7f4b69e6ed72b8e2cab3f73b1d4a536f81bfffcd0f1081d96363f9531ff23672175defe1ea48e0202e891d4f0ec98e48434a53499877d5e2b29ba0149cd3ab7

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
93e120130b2ccfa45ccb21a036c14bf9

SHA1
4f95abfdbafc7b492802412aeddd94ab4c9c3173

SHA256
c6c69b5358a3f363cf23d8f6753301e62191454c0e291c4bf4d122715e1f3ddf

SHA512
b6f20b2d678f58442318b1268fca14cd2b3f64eb040f9cb4b0efff52844d3b4bf5d120fd39196af4fae98a696286604fbedd1875e3e526fc29a657e11b151d42

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c628174376d62f12e96e75a957bc5011

SHA1
7ee3d53901e9742a8ef4aee8d7730e76b3e03ae7

SHA256
ec0fad86a957b8148a5f4e6920000d107018c918c3ce557b94d4d78b5b713aa0

SHA512
4561153b9fcbdf39e617e4334f3ab15b52b27e9efa47c8ba94b73ef713255edbd15e6dcf78e09e7d244aa7d838e77b06c1fd5100b54a8749057775707c4429ab

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
e6835258439932c171c28d624dde409f

SHA1
b48489b31036b9525449e84a099cb7876148ae8b

SHA256
fe092943015ed243cb880172962bf55d1bb114afa4bfd38f24dcbd9ddf33960c

SHA512
7a60daf92d121952ae5e0f33bc631be02f62641f6eb7ee37e3763ad243621ea787e1279ee5ff80791f7646ac4aa4b04d748f8d872c08bdb7c790d6abb3be241f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
53a1eae467cebc742a09ee957a46e16a

SHA1
7669ddff1c91479e1e6391f2e651e2d3d8c8f16f

SHA256
3159f4b6a76874c96fce1183eb797cf900d10055bce561ec21973aef95283b87

SHA512
04b931ca2fac8008432110ec1dafa867104eb4df76ce3343e8a57c018f126f1b49967367d1d182efecaa112c262ca01fb5d2ec14e4230ba7d4079e443bd7321c

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
c0864900f110dd90ea31b74c4aa6639c

SHA1
82440df7b24177888aecd7cae15ef6b8bc745d23

SHA256
21b89ffd53275f5cbd67f7ef527247bd6059ecd70af00e0c58e0905ac510bb7e

SHA512
5d8efb2384d219a34c033d936ae89d2e665853ae2ec5076c07e7e8090038e52a9e7438a0c3b8e4c9462c299c49f3decab40b51c1f7c1ab550b0f06097cc7aac1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
c5a1c68d69905944fd144ba644fe6c2c

SHA1
68a00a7d3e1fd308595a38ed811de12d0801594f

SHA256
93b60dd97298a851b036d78a2d1db0335b6a9e80b806be5212e7426d94dc9c57

SHA512
d4653c2687b4bb721554e7a738633b8aa4b34c471bb025ae50dc0ffe326579aa3fc26a5da24680740881e9ac65ab5c2bf7bce79f4573f463224b36f37bbdb536

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
bcc829dd023a72f4071bd5bc70110921

SHA1
7a3cbef1d618c52eacac2e18642f4633582f974c

SHA256
6d3d41cda57015f18efeafad2c08972690eec3f7b80a8ddc1d08ccdce952010f

SHA512
f665fad9cc4b3d2c6fc468a8377d786f2a75218619d820a1b5f31bf89d4a4fdd029f1fca177afd3de3e425c9e70688bcec3ac57de289269afc3a423d6950026b

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
6d239c572cb4410febdbdd0c484609f4

SHA1
7a7014d9c64a2988ae7e46e4add8c51707aaa3eb

SHA256
6ccefbcdc9169b74f5231aa4615b117978a286293837667bab9af9a8df5c5e2f

SHA512
2bcd5a67a63f36b0341d65a655f1d16dc4d3bf28e59c53e41379a6e226477fb7ce39a9b6871cf0ef0774c8fd0b0ee7137522787d5a613398e101580fa650132e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
7638755c84e01b77decb1369832599aa

SHA1
7c3d242053ebfe0b14069367589941bea08de69d

SHA256
99ed59cd16e0a38d797327bbb121e706246d0cf44599db4d220f7c3045fe7a09

SHA512
373135e6b272e5a1be635bcf1b929cae5ab627a20ef3a0975d2c34fcaca7ea3cfc2f96e95fe113e4e164e6b709d553c8bd8c4a2b917229a660e4a7864b5e3066

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
70a8fd4adb5417283f69c4655691bb56

SHA1
87b63f91959523aa0f08e9cfe619a51cc672a177

SHA256
900d172ef4873852e9cf0ad7d547114fe504bb8cd4f7014abe6efaf9b187c081

SHA512
eb3bdd79ed654fba8d136a8ff2954b62ee52ef34ac64784e61052f77b3e695da916b2b79fa8c09563b406b65bc211b2ce6945a85ede82738cb52dcb022d2ac56

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
3a5400310a2936882e7e585030271e64

SHA1
6d809bf04d0adbdbcfc12ca63528b22274927031

SHA256
2b548d51810533fab52068bf1a333202898cbfe5de67447a74dbe02c8e4c024d

SHA512
9625cfa6ef94b75d7c983971584368a755ec0b27259894dd7903ba89536f432a2f9a000a2fc60a28e77b468a06727e83183b79f95bac95158f15862cdc31c4c1

Download Submit
memory/540-558-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/540-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/984-563-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/984-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1116-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1116-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1628-18-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1628-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1628-8-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1628-2-0x00000000005E0000-0x0000000000647000-memory.dmp

Filesize
412KB

Download
memory/1756-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1756-54-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1756-60-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1756-76-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1756-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1944-248-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1944-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2272-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2272-567-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2576-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2576-568-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2676-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2676-572-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2996-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2996-261-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2996-268-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2996-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3552-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3552-272-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3552-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3956-564-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3956-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4000-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4000-73-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4000-67-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4000-243-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4428-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4428-569-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4516-242-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4516-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4516-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4516-62-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4528-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4724-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4724-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4756-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4756-41-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4756-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4756-32-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4812-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4812-560-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4812-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4828-559-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4828-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4872-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4872-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4956-570-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4956-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5048-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5048-21-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5048-19-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5048-238-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download