cbb33f2f2cfa4b46588094540c4ded029efdbaf87f3777bc19c01359e8728705

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe
Size

677KB
MD5

2aa1f8ce724c3da23aacbdb1467267bf
SHA1

d32819b8ca6429a046e945377ea01a3147e9e04f
SHA256

cbb33f2f2cfa4b46588094540c4ded029efdbaf87f3777bc19c01359e8728705
SHA512

db1ae467435cf1e4af9939a1a2e0b1690633828181719b74db45d4b3b9037e6148ce4deeeb29a7dac31acc4dc80b0ff28fa63f0b0e01384483e4455f2c7d69d6
SSDEEP

12288:4vXk1i/bxXyGH7XR2CAwEQki1I7wwY8DMkw5V7iP3sOZ9jDH3kTKE/aoJut8o2kL:8k1iF3B7zPkcowwtdwKzDXkDNJ4D2k

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4916	alg.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4304	elevation_service.exe
1572	fxssvc.exe
2400	elevation_service.exe
3968	maintenanceservice.exe
3568	OSE.EXE
3196	msdtc.exe
2964	PerceptionSimulationService.exe
3244	perfhost.exe
2800	locator.exe
2772	SensorDataService.exe
4312	snmptrap.exe
2116	spectrum.exe
1864	ssh-agent.exe
4488	TieringEngineService.exe
4572	AgentService.exe
1184	vds.exe
1804	vssvc.exe
4316	wbengine.exe
3300	WmiApSrv.exe
4512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\84c62a88c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d86175ee67b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd7488ee67b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5fbcfee67b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000971f15ef67b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e15a10ef67b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030e338ef67b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3ff72ee67b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4304	elevation_service.exe
4304	elevation_service.exe
4304	elevation_service.exe
4304	elevation_service.exe
4304	elevation_service.exe
4304	elevation_service.exe
4304	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3812	2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe
Token: SeAuditPrivilege	1572	fxssvc.exe
Token: SeDebugPrivilege	4704	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4304	elevation_service.exe
Token: SeRestorePrivilege	4488	TieringEngineService.exe
Token: SeManageVolumePrivilege	4488	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4572	AgentService.exe
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe
Token: SeBackupPrivilege	4316	wbengine.exe
Token: SeRestorePrivilege	4316	wbengine.exe
Token: SeSecurityPrivilege	4316	wbengine.exe
Token: 33	4512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeDebugPrivilege	4304	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3292	4512	SearchIndexer.exe	126
PID 4512 wrote to memory of 3292	4512	SearchIndexer.exe	126
PID 4512 wrote to memory of 3844	4512	SearchIndexer.exe	127
PID 4512 wrote to memory of 3844	4512	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_2aa1f8ce724c3da23aacbdb1467267bf_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3776

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3968

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3196

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2772

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:936

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3292
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d3abee62b0d989a40dd7a26ab2a07f15

SHA1
95a3e9b8bb41f456b59a31c4a08979f2aa5cd7a9

SHA256
8d1e45f6eec12836a69c3d64d7fa3376b4dd26152199383d58c084570dfe0fda

SHA512
3b13cf999b75962beed4e391643b56d41421f414f73a7701606c2ffb2b3b21eef9dfefc48bd8e7bda0990392dde252450f981782cf9d28420680a85dca91a959

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e7d44e96871b83daaf59282668d15260

SHA1
a96ec9165ea7eeb34e6623c7537c77f2a5435d9b

SHA256
79f5eef191b405a9d88d4ece7bb7915129fdfce91c86ffc0a5a7ffde100730b5

SHA512
a5ea40acd4491ca0fdd982a4c71beb5291912ab15c195ae60a1c7574afd38d3987144d4a36ee850fa1297cc0de078f34452210f533ab7865c41a00acf334cb6e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c13cc261058b1e9da9e30a2440de2dc1

SHA1
3f4fe34f99c32c4ce1fc8faacc8459e2ead22ae3

SHA256
1693fc398b01f3e99db55d0628ea7ee78706f44b7e07ae7bac679a62b2f163d5

SHA512
f82ddbf568f6d57bfcd3aabdd3872e6b05939620db43e1cc825243d797ef25b67fac40df2d7c976bb568c9c0b7987f942a39e1763b3ba4198fb31684479350af

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
45125188b92689df5ba09c0bf371bf1b

SHA1
aec87746696acc8e3ed93b27b6bb17f1e95bafd7

SHA256
ae2486f70e90523ba76d531c97c6805221555e6224807eba6ffb023f4ef0f5be

SHA512
531b86d3ac8d06c4e9acb6eeed87b35bf3b902465e148d9d3261861f6c7e4de882f89660ba34edd78628c4c90b4a5587e41df7b72436b796d5501d25767fbf26

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2377ff25ab3494379538a30b4cf9e0e8

SHA1
fd34b1e47ef3bb65d467b43e4881b9d64d6dec02

SHA256
5c6b147d15748725c7bd38879b62f8e5829bc8d76e84e73624b3c149c6584a20

SHA512
89ba16a094cccfa013352d6521b87e129e97f36429a13fa69b9c83c573dd361ad032fd6e19655336992fd9da0af79932bc6a35cb9042c350519e4e611fa6f097

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8ff18c236145c998fead43782d9df7d9

SHA1
d299113e7dfc80692390258d2b4e77a37928be6f

SHA256
d1fca9a720c56cf9db9cef67e81985b95bb4f316a63dd8cf3f9ef5061939c35c

SHA512
fa699b16379af6599a4dae0c4392ea5292c259869cc3dc0076a57865ff872f4af9511927b3e3992c79a4da93c821f3bfa08be17e75c2d8e48873b7035adf365e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e7a52219414e779861436eb0842cb438

SHA1
b1cc1693fa10c0ac1303b44c59a5418f99a3bff0

SHA256
eeeb93e931b5cb2291112c28823c18bbb5575d867641df173d28951c2f521c8d

SHA512
413454927a56da07cd17c0e535be073eac7b236e242944db62823b75403be7c5b27cdb0308beb4eae7ab11bfa66099d66958fa8e006473ecf312f849272223a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
84725600203419f9928f7dbed5b39b3a

SHA1
14b7f9be8f1f773b2b5cce21cec372d8d2ab64ce

SHA256
3336758ce47d402832e2b5ae122fe6835a5af169991586254af26c1704fa8a30

SHA512
7e9d16c3fa4c09546f37022fd89e41bc2b51d0f4ae5bda8bb5166cfe238e0cee7a59db990e43738c741b46a3c9549fa082de612ac4ff3fefc0130aaa55a272cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0d63595c348f683b64d8751db884669b

SHA1
5080f8bedce08f0c2837faafa88ac27c6df3390c

SHA256
be3eabdf9c712db527aa13df0444e612dfe723750df474bb44b7d6046175d30c

SHA512
57e957e38389e7fca281e8049e507bfb1a8cbf1b35ceb154d5a5bbbe8dec1d4652a4c6cff0896c33c9a76f05a75b84395b4fb64b914249ed2f006de29d395dba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f5b1880a8bd45e94316021e15f76110f

SHA1
d2f7a1260d42d9df00080d2b3643cb531ad46bba

SHA256
c0f83378333b3bd34bcdfb30b8813c7c8debf5f7b5b8f0dcad4ffed1aa19d427

SHA512
b10436ffb73ac1d218feeb59be21506e083bd04825b072e4a8c9ed32f77856ccbff8366b50490dc974f52985bcb53b52846a279f4fffd7fd56df7f541c4d4296

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
89a68aff172b5ce5a5bbfcddbb71a23d

SHA1
2d966c1e5be03d20cc85405e6bedcb99caff64c5

SHA256
866f92bb45609d68745d281df5dc13caf0169201da7c2eac9163f8cfc4338107

SHA512
2a98f1ec9ce0ef2e84c0a9dabe43d6591fb23bdd02b379664ce0d46b73e39c46dac49a7114200df42c4ecf33e96386f06e123daac9b335c0fa2e2e06d438e32d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
aa50856096289e41b741235d0ab7d299

SHA1
a4532c08a80e7b58a6ab547c6e60dd894bcdc8ee

SHA256
7ce0792efb438505f8671582d2fae93dcd9192ab7183fdf6951c9ba5aeaf36bb

SHA512
946c88c90d863dbfed9ec2a235aa37d57481c57fe25dd6ef1a59514d49a79ee8806762fc964d9c4a76c6b506689ff7bac4c9fe8f7b828cbef3094b5b51e50941

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
24519d6e2c57ae2480ec8d21cbcb171b

SHA1
6f3cc782b8643c56acdd0c8a0bd6d5ff9356ef71

SHA256
2617927d650b2ddfa62ca6d469e80ea771f000a938e94fa1b68c4af665dc79ac

SHA512
52fc1295f86d54a24f648c3a25483cc002955cc7a225a0dcbccf644309834a79f97faf3029a968ef9882780c0f42f3fd2af11fa4d92a625779a33f736dcfbdc8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
92828b046c37541c1d780d31fd8d5896

SHA1
686a02fc37262bbae87acdbb0b1ffd24c8a6703e

SHA256
65b48849bbb52fb7ead8bc5586085fd6ed2a126fb46e6c9291ac9f0f3a83fc32

SHA512
316140f67a26c99ede7e4cb11448085caf0d1bf86cbacc1afb6d5f6a7c0c110a946fcda021bf6b22d4f435b7d7feb26a6a4a9a1bcb23890f67472581878055e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ce72750ba6b2743c78a9b62315eefafa

SHA1
01be1c32559758d31596f8ee189b951924d52f3e

SHA256
b1bf18803a2b2c7f0d04fedf28f0ddc1e74ef6274a3f2ed42b8451cc3f50aff4

SHA512
23ac78a93a1b8ced36781ca9e8cd5622a284cc9a6aa2dd0923f9bb6c3d471b47ca94ea615972ec59de056f1dca564fe745ffe06d894ba8103cfd622534c8f6cc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f0ecd5ab6c10c48811b53aae0713cb01

SHA1
ac341baf66c41eba7f41279a881e32536900e574

SHA256
234cd11b1f7f9f563a4c960a57cf1081fb85f7a326adc73fe81764c275c15c08

SHA512
447f85474fdd7cfcc466a394b7cceceaa21d05476d2325965268df119ad03f28a481a14e478d976979b5f6ccc5943bdd429842f5cce1b27b453085c387e7a882

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a21ead4685e197057e9e58ffe2f36639

SHA1
00f56a473666207034da0f410cfa17f684ec8c66

SHA256
bf4c13dd525067c4ae62633e24c6b17c4e7fbb000a259f9a9685d7767846399e

SHA512
e2de739c93014f42e02613ec5e9c07a18c19f7bd2d5898ee9915da1de2fa5044148722dac28e986600924712ab5f313c78cc96b037bc08672ccdf54c1992600b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
49aeca02fbc0551f8645a660992b464f

SHA1
6547a524c2ac1c26cad2bcfaf33d778b1fb4bb0e

SHA256
e357d42e1400d6fb0e8798b6ca15805500022f03ec3502bdd268156d8dc66376

SHA512
4c50aef948be20af81101505b4e2661fab91475d4972e45bdd0ab8eee612afce000ca99cf3e24b449aae2a492c3c2320cd4365588ada87db6f41d46949d95177

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bbe6fd829794058a3916fd96f085cfdd

SHA1
e356594ca99b819415a6aaff30cafb8945303f01

SHA256
ef4553c80387e990a4f9b668c5df46beb38b3e825258487b3af103611155785a

SHA512
1f8737a70ce8779c26ae37c90e5de191aa03f7ffb9c0414bc8e59515cadbe7a6465a227608cc9cb718d71dc324e6e3b7e54ff2dcc55c6cc524fef241c25c9454

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f4f6531f5cb6339d9aac2e36be30a109

SHA1
45cc8ea37697a13e1d23578f3c24f222f5df452f

SHA256
fce165bc7f390a8463b62b9b8218976e49a429cdde0a087bf5a17d3770c561d5

SHA512
0d670b9f6f99097fed20f1c9273a30177508b0de24c8debd8e5eaac0790ac76c8ed11746c74a3ede9423f8f82da2440c548103667f8b758acc45c13b40e9a137

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
19e723375c8ac48b98fd1c718fdc8497

SHA1
555c811234f56ccf08586ac55b85cdb7d5ef5a32

SHA256
9bcd7cf14a95abf49f99efb6742be373913f778b850019e51964d6f35cdb2aca

SHA512
4285753962299147bac263ec049f164a4bccc93c2ad97fd31d539a2e87384ab881a2d6b8ef2f2a1b1c7872b536be217fc63aac2a3b6d30a322b6a0f6329f7322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
fb5f3914be356846be0d280b29261e56

SHA1
2f23d98a2f57ec4a691a31d2ebd923ada601e88e

SHA256
45e4f9a78f50209664258c8ac0577f1f00584c5f864bf988e147319402c011b6

SHA512
5917fc1906f477ede32612c18e8d518a32e823feb21efadbd31c8fda034c7ee0b9768222e1a1daa972883ad489043d53efe4555a242c8aa75694c65c44a8eab6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1692e828c5f76cbd4e93b5b9d6ba0232

SHA1
de3b105e15c70790612970a289863ad024e03de9

SHA256
0ca42baac124f3abaa2bd6613b38a6fff2833a13ab82934b7c0e0d2978a0cac8

SHA512
e8964e3217c29c925ce0a86c147baeacb38913d022878aa0e9cf56fae233e8c8af5fb5eec54d43710c343e9802c2086023ba00f506e5135948418269cd187e82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
bd9691f472be07253d5ad3e6f4e16ded

SHA1
2d996a48136e36ba7990a425822bb4cdb9bc5b5e

SHA256
5a0962e320dd25fa8b63c0d9c46f09e21da4a1c43a62d6b5836e0a9730794a7d

SHA512
050c4751301823ef542c6c03ebf6b117ec400f48760dde577d7750907e3c40d2a57aea4133274abdd3bf8724a29c201488cdc1e8fa9decd13c317177646a6d3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e96869a758a69e2489625ebff517baf6

SHA1
90874eab374a770b13104a0f7cbff8c11f069b80

SHA256
c9f1476f7ff1ef32783047c6b857a4401eadb3a593cfed5d0a150a43653f064d

SHA512
e6e3010b90c8e7b202ce7c26e68a4da365a5ab2f1d4b74c315a25348b6d98af83006670b3a67b3bd84f9a7f4a3c184732269fd7a73ce0eb01883753d3477f441

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
986e7cbcdcc1f35287cc3ab180b53424

SHA1
de3236ab30b7d4ea88add11c086df813992a26f6

SHA256
4b0a366370dca49ee20611ac67da1a2648dfd6dc16794f561b2898a3b9cfdfce

SHA512
afaa8cf24c03a795a2bb8544ae867a8f5ac7da48aed9af7b31c704d0da3f0364ef37995d5b78a3c7c450bfe0fc6d6583ce9e5454dd445cd658a73b0dd4b9299d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0f4e84c1ca90d0809e33823935b74db6

SHA1
5eeb4e2edace667fad13fe143a13f6a8e05bab62

SHA256
7eb845a416b229d401b3b8ea3b877863ce16d7feb729a0b4e525816256eb475d

SHA512
97b62afa55be17aee27658bc30b337b9de063f9cf1478914cb858d26ffc8d6e5cb536a2d3e7f422d3fb05fe6973c26063bd939b4d2fe03d11da46d61db315674

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
02d87cf861fed3da4eb8aabbffb79a61

SHA1
e00b25af19c8bec617828b553334484ebcae038e

SHA256
4d29c570de1682b62ead30a5401e302d8f5cf121be83221e6d910a5dcddf9904

SHA512
ebb9a729fa2c74afa1c0db6c2907a466a1eea5f9cfad5aa751a0b2cf298a105b71732f79b45b54b7fc2d074a4fabde7e5a202749d42241f985c52ec41672c03b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7bab0ed79baebba9c798669dc05761cd

SHA1
52ae62dc4da7d1c74ee07a6c0b7a3f5321e81ede

SHA256
830d7a40f178637cf2dffe79c251b6f13aaee1709a32824b3abdc895bdb91db1

SHA512
91b606384c0d5ef019a082ba70c502036f2dfcbb57d16c0d1f4419fb9727fd90194f4fb22002f2844ac58a1206dee7b7925adf18b825981088b70c05be4bad73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d4bf9d82db5cf067c77d7fe7cac5a263

SHA1
da3311d98fd8d8ee3da64612b650e199d4679ce4

SHA256
61b06718e2c77b3b85c066e4ae4e6e670da6d0be5a969aac53c53cb09e439419

SHA512
cd4e4622411fa974ec718aa74e150b1a695c27e45eb619880db4e993eafa7c45585872109b68125960bf788a4e8770d981295f028685a06f7b8ccbabdcaa4a88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
cb29d8927b578ab86564ec890659d114

SHA1
a693dd41f38436a6e2be5e995002f60a386d9d71

SHA256
8f2e9ce564f5c69d2ea3ead7f67db00b4b65b32fa38358f7c942130fcae62182

SHA512
3e5b01bec713e97dbb78fd0548156cb6c232f2a9c4ce75fc0f5338dbc53a69d5f540ed479b2be7faaf29807d690c670ca8d2df06de02fda834e7f2a4234b0d17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a68c91af5f783ae0e6e05df1b7d0f15e

SHA1
94781d42c624641293da22dac13dc14d00996aaa

SHA256
c83b62f1452ed35421a7e9ab98241206d3aa25b15b044fba629315b8f0b11150

SHA512
105a4b4ca86c9e8bf17d5244fbf7cc6d5dbc95df95d7058b5cf9610f1252a99c72bd3344d1f335a85c6f7fe2232ce3a70b94800fab2ec88c9ffbb8c4e835207b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
792d6590156ca53d05ca264d715719bf

SHA1
6ce61aba533d2ec0efa05c18dc541e3c82f5944a

SHA256
232644b6c18fd0469d45718fa2d467a864e05e8d0c0d9d0ba0c84171ca401829

SHA512
8160e9ca4cab71b2e7f8309912f572800a48111d00d8bf38de359653f33a013c91deb7b1eb849fd0401eb9592f12930aaed190d8a47096217d64c56bd04f57ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3bb0ab97cda3ef5440186fcc946674e5

SHA1
b26731c1e4293f9222d295104682f6ecafb66264

SHA256
7b2ebb72aec93e445531f928429946d227f66bec1b222cce4d4a7c208ac0e42c

SHA512
a4719228300f8a190507e951d1264d953f587d218f843725f2d82b5df428dfc900b9422bb29f1056de88f8d1c1659ac66b243a952dddbe08a8ef468839f7dc29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
22fc771df73005d5448be49a5978b5ba

SHA1
a972736cb402dd21be8e848e88ffe7f0c9309c56

SHA256
eea251d802cc413d0e877fe570849d79a22d9ee5859280c2ea298f97c4172acf

SHA512
cd41f53ca5b43746ef2623a3bc2cca841d093a317c4c43a112f40d389a95479119cb2a44d2b56fe696ac988ac68ff309c6f42c9c7007fc6a446ad102d63b686e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
cd0cace444df2a24a9af78ef9f16e9bd

SHA1
b40ff97cc46ba975a705777b9b4b6d67e7852c9e

SHA256
57edae186139ba909c8e3133dea46be6bfabb14498db3a0c368fb946e39273e2

SHA512
2a88217096808b0ea5d81e3143237c99bef3518ab3c2d99b2f3ff23bd32310f5a5b056555583cbe4f32d0323065eefab0c0b87d93f6662f11d7edf0b1b349277

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
cafd4d021756627f480e8bbbae14e8d2

SHA1
6fa58451a751c1de6729acd416b02db30a7b0317

SHA256
c2b61adb2d608a631f994629d7ae8f66ccd20f1642d7f5898aaad60bf50bfc05

SHA512
a639194da53bcda37c0381a532b9a16090a665e5c35cfc0cfbce24c8a4a01cb5e1f5a7402791ac6ff3602acbdc2144aab0e214a40ac25800d9a2fe1f191fe2d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
5dceac670f483c1b42d6f04ef72e01d3

SHA1
6187f9f12711aee96e502e2e9b18de6482aa8a54

SHA256
cd2474e99a3623e5f3340455a52c726107a55e21cb5bfef23cffda5268769a26

SHA512
02720005b6b36c80c7e4f9575897c60acb1e0c963b972444813e51dcdf12b1c3a5f0d72dd83f67de685836258dfceae2fc2c340dc6b41c8f225787e505421ca2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
43a5a1f8a93c52812607bf2c19043890

SHA1
5373646b5405d0e8dc34871d114e03eb9f67067a

SHA256
62fe65fda6302034c3752bb13069322667977b7f0e15975615f0abcb3dd29e85

SHA512
914862f0669493e1404a2888a84dc286672e6a4f9698c462ee84b65fc5134684f82cbf8b6f1cfe0795cd83f41c01209028888cd3730b54c70197b3450e80e04d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
db153612f6105cf732169dfdbb1741b9

SHA1
ccb012519d5ed38a42f587937e46274882ff6711

SHA256
3de886cfe97f51141bf2c171c04fd155226b7a43af57a795651a0540448ea99d

SHA512
fab07e020d4a66a46b43d36edf9e7a61115653f9eefad220a7ab31a6eb9728c9409145e3813ee86665f99e0395b63b3e2d13c05826d48e88b926b0c602057072

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c0baa4c4b641c7cbae53e323c500b854

SHA1
312c195a00a63f3ce10de8bdc05df3caece5a0d9

SHA256
59a09814edea89d80d4bd00806244af40dc426020e5e98dab1b83df1a9280c6a

SHA512
3e2d5a66829af91e6747d77ce658320dd07fed5beee604fd38af0ad1ac9366b620fdeb56da82645cf51af8e3a9596a9bbf602657976b3a4f09af92eeb9731304

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7a73ece91b3723ecc62cd0be340ea28c

SHA1
6010b8b28735ae401051a973739773b0e20d1dbf

SHA256
2ce20e0bae61d8c358bdf70948f4ab7896fd695ee4473de7492dd7cce7b1bf37

SHA512
d3c01ff50fcf4a52c0853556ba3e0eb14a12cff6a5fa7fd425e822246f3c6ad6d63030d4360683f373e41a4cd6f0903ac4323d3f0d099b29960e6bdaef5edb58

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
54d1d6a455759bca81ba52fe92b8da52

SHA1
0952e7d496b2bd9eac714afb3e9746e039b63408

SHA256
27be305a2bdb0feb05e036b5f17e628abbd8129937e19f106d6a00d9c799b70d

SHA512
d26a0550369c5c5754a06bbf73c2bfe08ef57e15ca244f161c860f1b75056683411a8a67b4e679fee0ba9f7bce7c6c99c36c2a28960933e65169c9e428091da0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ca0af21757ee4424cbcb3fc9195e1c2e

SHA1
047b18ebf9e42f20cd30f00f9c66cddff3d14900

SHA256
e847afe51401931d7f248cc637522074da7907bbe037b273480eff1ef8018d56

SHA512
af257253afda64b40bd9f29f368ee4e7dde1069250efa09f5f9015cda2472eb69cc0f3b281c0ecda5624631c90df3cb82ec48d1084fb9649e2cf6d8b5631798c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7c053545a7925c85f0c13bac413f7dcf

SHA1
685e2c394a4b7ee279453be6437c2b5a10c80de4

SHA256
0d696cdcba7bd7cff0a6bd7279847fb2fe7145e43d991085eb0827fcd796aa5b

SHA512
c8d78b4c33457b1526357f1bb7aa2197239cddd54e1dd5f6060e118fa886d66c57dd2bb39c1f7eaf0fe9189cf0b19f911d817175d024aa17227ca952a53df737

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
cf88e968a86c588448c2af0a4e07da68

SHA1
c0ea3ff5223dd6a1423e38a38dbd448809daf728

SHA256
11ba559c212ae05639ace8f38b70172b6590d3e30d5aa407f93bb67eb2eb273b

SHA512
6a559abd7ded97ff609a358b4d03a1273ea4cd1c19c94045341f97acfc5c88feee1805dc05a276790630c95697b53c14a98ebc3bfbad966bee6dcc89ba7bdad7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6a849e54550ce9e16e9ac7e553c06b47

SHA1
0245ab0202e23613d981abdd2f870e72a21234b8

SHA256
07335b8868b7c1cb279a1c9d816d30bdfafeaae0c5efa04e4cf164068b7a1b07

SHA512
45e0839512fd8823bc62b5444876761d8b828800ac0dbe675c90849e27f28d556f62150fdc64e7b21c07009baf9fd8156ae32a3e49b16bfd8d788d53830f6c49

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7269f4c7d24c9c0fe8b4355cefbf3675

SHA1
3f0c7163df171e48e7577bf48ac9df7b26a26a52

SHA256
6dc5ea891e58865846bdc8be40e58c9ea764be1a1d99502b2c9eedc5536d75cb

SHA512
2d1e9456baa18eae89c36a3c67ca5661a601f11b9d05ff3dee67f3242779aedae9c57832555993925d021862115bbe31136a29b5914d4d7f12d8158055833034

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
23a9767237fc4aef2277a85063d84725

SHA1
035ab281133cebcd832c08e94b7473c335e37e2f

SHA256
80f24a0b41abfcfd46298cd3935c397b93dcd7cfae6ecdb67d1acc37bc6e4759

SHA512
2478182c7fdec972c54a0d38e2309ef749ea314e4204e5d5816eac6531ed186e1b257e9b9547695cbae7dc49a3dd26a0d2898f7fe66c67de1007548679695b1b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
aa264244b51845f39e17b9357f1f5ad5

SHA1
209a8d995b0169f1c003278532aeb1eecc353fc4

SHA256
4a1d3e703e3ff41068649c04178fde8ef81d5f9978cb4441d98404d17b7a7dd6

SHA512
6b42ac82ff06143153b8e7364f0a2596dfe285418247e4c4c73054d9c3c78a2de6b80396460ad5cf5a520bd22171362ac80df2f97c4dbcf6f4b24be62c41d0da

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2488dc084dcfc0d457e84783e21d170d

SHA1
bfed339a3fd2cbedff541fc47ff134a50aac2104

SHA256
f475c4ecfad5a69783f8d3893255974bf59e659e610e8ca8b7a4a7c306b5a926

SHA512
a05ec9625f72a6de082ac6c29c723a4bf23a65173f6c31bd5284d1072356a5160a41f3618bea235cbf032327dce4703ae9e3d8f8415d2dc8d3495cc842a703ee

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f98704ee53edd21f7a0e847024d1c6dc

SHA1
f3a659cad858f2833cbd9bc5b0b8cbfeb0fa4f8b

SHA256
f0dedd223e47c903de1eb3d7a162c816a9ec0df954ee3c18f24f2f6e364483ee

SHA512
9f051b1be53072938cb9a2a2d05d0f45ab7091dbdbf14d5db0b09ed406b2171a40795885906a4393d61c6a5774d05ba41abe58f265b674199e54c075a2e622f1

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ed263b2d901f01ab531f5cfaaae60059

SHA1
0dac1ef8665a5c703d92d0ee9d9443cd58b2909f

SHA256
871b0949cbc909fba2e632af6f19e3b96918d463f9ee5dedfc49503565097120

SHA512
ec423c418d96e6b06e958d176da2e4542c1c6bd8fe0713fcd7d1a0abe6a4b350084d38004235e664035904a0d620be2b3242af18b3333ad894c34b6f81b6a219

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3c039fe0b1229866eb6ce4e445bbedfc

SHA1
fce0999f8ca71e16dd89db0ed48a262f78ee557f

SHA256
619bba9f2c6f1fcbf87255719d9ce4cc66b735e12579525b5b88e230d7729007

SHA512
ee326258ae1221e45d66df2a087090cdb4ec0421f5e53747fc0ab667fb913104ff5e00c8bbef17fb7388142e1a00a35588c51cf36b0cc172096d7ba5244bf735

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
89e2a572991b4df350eaf5e4b4e7bead

SHA1
11e19ba814017ca84f1c75defc011f61c9f56783

SHA256
53e862368131fe973a3738d170b6275c6ec406a86e77132e75558df864c51a47

SHA512
0e99fdd0c01a0c6a5c1ff45f8f574a51c76b95de3d702d94e675f42e9433a81bf920c1b3470bab35a0947d5853bf243ac23f8f2fff53bd2330153e2d96c586f5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
21b889d9e787efc5ef6ed4a2636aa0e6

SHA1
ba0750c43065f2089e7ef1f313c9bf14a9b027fb

SHA256
51b588baeaebad92a5b00284ab504256ff7749c5ffa4712678f744ae6edc25f4

SHA512
2ce4eb4c25898df92669bed483eb97abeee12ab1c796ea493bf1f618bbd8a7c1da6a011d543697c0979e844e86f89e7141cc2df873cb94cf1c14192638ae6cfb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
44b29afa4e71d502e18aadd43ce93e4f

SHA1
da94adc26d8004d4d9b5919af44ebc64b4902f15

SHA256
9a6b1d14029dafdebe7b2beaf8bed4deb4cbea6cd2d32e97f88c8b9e63536db1

SHA512
a40d43548773245512c8a28db0b498c81b02fc5b81b218c140c2d816a1ac0c9282c4a2101dfdc093f58973c3b956c8d1c4304f87a5f78a71bf1fd044375c593d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
eb45e0c1f316d15fcffc64ce13fb36b9

SHA1
3ede537424eb7b595e4b614a814cdb25827f2e34

SHA256
4380300d0b67f07eca1be1bc770b33efd02d4f3e2560cfed3f5e8f5ebfe96b34

SHA512
9990ce31e495aabc02b8c47442c696185afca457ef1a60e9308e731949a6d90711b015e51ee74c006cecfadbcd1aef7814d231c5d94450989771e1515b1431f2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
180319e79dacb37a7c0c07ad5a65583d

SHA1
1b2b2e70c68fe44d2c395ddb6b7062e40ed22c72

SHA256
44b5cd02133545b60abc0ffcfd0134df427441a89118e8a3c9f350691f3ce28d

SHA512
a205b640bae94ad19af50d14d24ef290c28d4aa05846aac5508a5a802c67f6847a45fbd5eeb9243dde18ba671278109b5f899473e9bef29b475243acc3a2dbe4

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d03e782b280060f9aead419ce8b44fe8

SHA1
ce3317b3108ad10838550947d69524c849a09b06

SHA256
3a7ad4ce0e5f71d7c167088e1a88326c4089f3865335d49c1de22507d8712d05

SHA512
e5deb0538a7c1cabb3a6cbfbcc12e91b095799ab4508a69b6264b05ee31b63b29e20bdfcb47f60479c945ad9981d1a6b966762a19b200fd4934f7122ae6eaf2a

Download Submit
memory/1184-456-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1184-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1572-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1572-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1804-457-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1804-327-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1864-304-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1864-452-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2116-448-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2116-292-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2400-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2400-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2400-248-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2400-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2772-449-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2772-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2772-285-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-334-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2800-282-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2964-258-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2964-261-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2964-267-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2964-326-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3196-322-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3196-254-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3244-272-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3244-273-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/3244-330-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3300-335-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3300-459-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3568-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3568-73-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3568-79-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3812-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3812-32-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3812-8-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/3812-1-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/3968-82-0x0000000001840000-0x00000000018A0000-memory.dmp

Filesize
384KB

Download
memory/3968-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3968-62-0x0000000001840000-0x00000000018A0000-memory.dmp

Filesize
384KB

Download
memory/3968-68-0x0000000001840000-0x00000000018A0000-memory.dmp

Filesize
384KB

Download
memory/3968-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4304-44-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4304-35-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4304-43-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4304-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4312-289-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4312-431-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4316-331-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4316-458-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4488-315-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4488-453-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4512-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4512-340-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4572-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-320-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4704-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4704-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4704-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4704-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4916-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4916-243-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download