136418b7e1e9f4a9d30ec01a65f5183daf637e12bb0056a0ea72744d05c3d25e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe
Size

677KB
MD5

a2b0b6d36f84acb2050a98e5b47ae204
SHA1

259762b55958655fb16206a947421593d7b7f8ec
SHA256

136418b7e1e9f4a9d30ec01a65f5183daf637e12bb0056a0ea72744d05c3d25e
SHA512

c6bfc48bb3b187d1291def4650f7c14ca8b45616cbbdb66af728cb8ff8af6ee2c1f483d5b73a8651abd10075826ce1028a5065b5eef9499eb76ac8f7a9d739b8
SSDEEP

12288:QvXk1DHUVpyNj3C/Ei9OQSt6uk3zO61zOQJjN6atJ6bVgwtZJzZ:Ek1rUMj3C/Uvw3B8atQVpZJ9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4084	alg.exe
2656	DiagnosticsHub.StandardCollector.Service.exe
2892	fxssvc.exe
216	elevation_service.exe
2432	elevation_service.exe
3828	maintenanceservice.exe
1948	OSE.EXE
5032	msdtc.exe
2136	PerceptionSimulationService.exe
4476	perfhost.exe
1228	locator.exe
2952	SensorDataService.exe
4636	snmptrap.exe
3468	spectrum.exe
924	ssh-agent.exe
4932	TieringEngineService.exe
3324	AgentService.exe
4812	vds.exe
3980	vssvc.exe
3176	wbengine.exe
2376	WmiApSrv.exe
2356	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e998f6fdb4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a63b7ee5abada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f00b5ee5abada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7449cef5abada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083158aee5abada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005b1c5ee5abada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087ee82ee5abada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f99eb2ee5abada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053a074ee5abada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6a336ee5abada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2656	DiagnosticsHub.StandardCollector.Service.exe
2656	DiagnosticsHub.StandardCollector.Service.exe
2656	DiagnosticsHub.StandardCollector.Service.exe
2656	DiagnosticsHub.StandardCollector.Service.exe
2656	DiagnosticsHub.StandardCollector.Service.exe
2656	DiagnosticsHub.StandardCollector.Service.exe
216	elevation_service.exe
216	elevation_service.exe
216	elevation_service.exe
216	elevation_service.exe
216	elevation_service.exe
216	elevation_service.exe
216	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4628	2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe
Token: SeAuditPrivilege	2892	fxssvc.exe
Token: SeDebugPrivilege	2656	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	216	elevation_service.exe
Token: SeRestorePrivilege	4932	TieringEngineService.exe
Token: SeManageVolumePrivilege	4932	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3324	AgentService.exe
Token: SeBackupPrivilege	3980	vssvc.exe
Token: SeRestorePrivilege	3980	vssvc.exe
Token: SeAuditPrivilege	3980	vssvc.exe
Token: SeBackupPrivilege	3176	wbengine.exe
Token: SeRestorePrivilege	3176	wbengine.exe
Token: SeSecurityPrivilege	3176	wbengine.exe
Token: 33	2356	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2356	SearchIndexer.exe
Token: SeDebugPrivilege	216	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2632	2356	SearchIndexer.exe	119
PID 2356 wrote to memory of 2632	2356	SearchIndexer.exe	119
PID 2356 wrote to memory of 4164	2356	SearchIndexer.exe	120
PID 2356 wrote to memory of 4164	2356	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a2b0b6d36f84acb2050a98e5b47ae204_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1552

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3828

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5032

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3428

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1200d554a255e65f92547e185b543cfc

SHA1
d93a1393070a9f8f176982abdc516bb0bce39811

SHA256
0a2ca987d4f3e61cbc0baf97e85e046c3debc51fb98aaf7cd983aff4caf40ae6

SHA512
7e52ee30c67cbfc949512cba16ea1f232ef9b0b78b03cfa2141749d1d04964b493079c6176aa33193e4af45462066939644c0c7a82ac24956a3cd6e09e58ce8f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
08dc617c07d44d08ca307f6207042d25

SHA1
6dbc271461c43bbae1f3b3c91c083a11ec66f218

SHA256
b1d2c16c72d005e26aee70a8d44de8a97fbe7c36430a3a5a97633fd14e2c0cc9

SHA512
32ec50806c65e1bdef2a1578c27207ab83443b0096659e44951fec8a3f1e8bde023c3432b1d895182d1b49c3a8bca715329a290a46e3b640bf5c3ead9018edd3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
49d08f96a40efceac58e5765c3b925a2

SHA1
f93316ea6536447b76969f6c0d802ebc1e433c20

SHA256
6fba44746e367e72a1d1b8715f223247936c2b826ae5bb0a9fde428ca455e54c

SHA512
9cf68aa3ad2d3b893f479012e2105b2ed04fd6f16ca8684fceedf7642a91a29ade357f7b8f2080252ea95c3fb428ba0f848b29cf09e7db0c4a4fd2607e1087e2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9d2da2e00bfe56466625646eb314b43c

SHA1
9eea51551f1d86c5aca880f1d28d9ca222a7a720

SHA256
3c1b1b956ca2b70d2ba0443a531a71d46fafdd3caa4aa3b152fec578705669f2

SHA512
e316b6753c8566e982c88e80eab25c08e28d3d78b0a16dd420129a8e091af0da1341ce2ec2f9b518d42932e84f88b6b3f90012d6b55f1654847e20f7ae460732

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b6ebb0a869508818b0d19685c3a65038

SHA1
e2df4fc420b386bec3f69305f447dc759108acd3

SHA256
7e9157d150b8cd806c5ed0ad3b679cc4c3e3f087adee761820ff716e4c874e66

SHA512
02c40a47123daf2d2d3b7b6349ea2b244c0ba13fd5b5fdf239dc3b3c835788632faab8f94620ebdefc7195f780af234bf060627df88ae0bf07b7666c72d5b298

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9ff68f961aa8b9ba64b820ae28139553

SHA1
d41b346aec574bb55ca9944f24ac52c9260e893e

SHA256
8b15ec8c5ff127153c315f3d3ffc8170dc874605f21d9b1312254bf305114c51

SHA512
02d4fe49eb688c810ef83ba428034fa179814224dcbe8c6612f2645b96b0c112ee94cbad447540abcd76cb287610ba034e065abebee47b508d864b2568f79f2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1f3582c482844afefabc5b99030c7af1

SHA1
edd9fb32e00261ad8283411cfda59afc6eb3c918

SHA256
2401eadeaf4a9261b125d11f496a824b6e7831408df3fbbf99b7f60328886544

SHA512
e4680e4818baa9d41ee8fb0daa16e4fd08983f019a7516703f9504b85c0fec5bee7eead2752eefe5e9b91d5e16911a073c8933dcbba2dd50e7921f54ef33d736

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
06f529ce29c4413fd38fa2342cf67e62

SHA1
4caf5b8a86423901d7db8fb003eaac65c9b1ac5e

SHA256
5a3ec018e3886308925c1d4b600d1b169b26fa015f6aef02407f97e758447906

SHA512
4328c234ffe69b439b555a62383e46c151784c08291eea767a34e0ae4874188bc2bd6e44c3273d51cac97dc057ceecff42f7efb34557b48dc32e8568361fe4b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ebf7687870bdc6a0149e759f84c8010e

SHA1
6ba057f901a4abb4a8c739e20ee55d31309ac209

SHA256
80421c8dac0bd0b8d01898d477e6e16c80c68e11bb43345e13f198bf9e970780

SHA512
2106ff9a57a7535844eee73f85d395a4759b22c98645aac2b49514486ed465b8fcd41666cd82e55092d5d485a350108369528859ace0fbf2dcad503420300cd8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
08564089e41ca63e1852cec66d90cd2f

SHA1
e26d7fd792cf309d7b00d17477955e767fef4c80

SHA256
712bc77ec3b0084bf7d887e9cdb8fcb841167f31302d37bebbfd3e9d865e92dd

SHA512
21a318dd82b4dbb47d4fcaadec3a018a7deb7f3930389b4ac78f58983f9dfc752e18bfae221b447f67beae761d86bbf292844e2dba33db72f879d5c2e2e9c33b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c413a50bd0d56ad3875e0e586c4d4efd

SHA1
692c1157a7da9cc32b604c62c4d693f88c1f042f

SHA256
1f750f879731d25a494123b81e7fe80352e20a74e5c3da3b2980ef0ae71eea13

SHA512
d93256c794f05d76e1cce69a9cd63781467763a6e378ebccfca026ed6ecb92488a33f28e2d6fda8f9e6a0461603a3f21a652b85ecc5705407011fdeabe944437

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
64a5fc37aa40e979ecb563d3b5d76aba

SHA1
d49f07c1554cdbe9f779865f04b90a3c03d02e77

SHA256
fe7a82fadfb5c013af62609474ea359a778cece0388e3d33767dace7e93ed3bd

SHA512
270cffe1facf51849ffce5cca505b1b94e8ea5810bfd4fafc558923cace1df99c22c73f2c69502457ff0ba19ea64c7193f1964dbcc9e1fa5ffd6a98e372d2d66

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6d93c1406e3f883310d7996e672573ab

SHA1
03474415148b78838df4f8e35b4fa34a0b5d7188

SHA256
87e2d53a11b52a496f20d0606b136d0c16f0188abeb2165bf1d1bfd4bfc1f4c4

SHA512
8a5c3e5e22aef61c8cd62a8b7f582018216f3e9f11ca605e96317e9acf0f50294cea58a41a48c87ba07dc31485c2b024e4977d80dab0ccd4a8ae11a037ff8d71

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c6829e5582d5ce04a2ef8bba68c3370d

SHA1
a793b42c44c82217c5a677d6b8583815e6054ecd

SHA256
acf81e6192da3fe24d750de9dfce05971179b3ed498533740f010a255c810b15

SHA512
3fa2fd7cf7a64762c87763dcd9e633aa06e231a0027360f6a24ddeb08f2b9cd70a51e5b8b22268bf83fe4929be3ac438808b542e24b4d2b7d9039ba7f2e0369d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4a67b63402e850cb3e45892b8ccb60d9

SHA1
3d6d1caa8e1813dd9cac58c8ba0ddc01c1931992

SHA256
02cd65260d08d89f2550906e29aed9413fbef28bfe548c0fdf780247d28b51a8

SHA512
95554af5aa98c7acd5222f1b2a3d4db92aa35182a78e4677fd0f268aa8e424756ebd08051c8163c66de8415eebb406792def96a9c1489abf77ebe015e8436a77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b608b52a24cf96bbfbf3ef5f02ef6333

SHA1
44540c6de9dff7ad4f7d2724eedc464ac908c137

SHA256
f1fc20537fc1cc1189eaed00d2f92d2c9dfff2f7fe9e5e34626dbc72bb166bca

SHA512
eeb31c8bb36ec7d7ff611a25dead36d0521f1dde802d238f6ef877b19abc41b7c61da7fb67c322c7396df28cdc772f5630434514b09ce2c1322f3e3cdfeb391a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
98918146e6b4a744e991612819cc9c53

SHA1
387346f372ac0d8d7671ae417e2fe283722373a1

SHA256
00e0f74f9bb0189a720109cd65ee6ede2524238b152e3256ae63689f86572cbc

SHA512
fb9ec625c6a5e48bf00b4e08ef0fb14b306755c7ace4f94d3f46c9f43784e907221a8a0d71a661ffaac6a6b6cda9e4300e4f30587e1c52550737783b2c0136c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cc5753ae30f03c2587b2d8628408ca71

SHA1
941e3beabc5d6f57b6d3f8dcbd68fa47840575a3

SHA256
1e20e7b4d18a22823827c7ccf8468dd47379f763f0f4a6cc684333721e72c701

SHA512
c9a6599f8345628363803a8230a480d052c648eeb9fcfaddf563018e778e4797ae5387e0d90a07583d29bc6a356efa02b8a8022132a62bdad994dda5444cf26f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4f0c0b02373583f06f9cb088323d062d

SHA1
caa4112b03a717a97af1aafdc43ec7d968b18a9e

SHA256
65bae82b07c19534e61c445d6d4a0e4a48c133e24338a2d36e5d4130e5bf91f2

SHA512
93022a2723a12f049f5bff5755471af1ed37ba70072f518a779474a170f3eba405c92e54f5929e5d154d0fab287ce4d0a07328ed9d2f293052a892115388f2ba

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
924559e012c860bd9d72837f829762f7

SHA1
aebab353e20ae678ec768f41318e0c02db446af7

SHA256
2e2c65599b36cf619516c3586a4e76fded6128b0a0f254fa1968b26fab70c638

SHA512
794e493c06d215415d77d4ce91f0b4fc4153d75057e675d5932b05bf2d859241b61cf62f2c20b841d65451177c6593c5b629cf008e2c8d9f5a039e78db5efce2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c3739371ce3788901c39a009a9a0089b

SHA1
70a064942ab32635c94d127a5b46abd91bf6f6ac

SHA256
1a4d4d164a2a568b820be8f7ed85a4ee71dd739a7114d7654be65599bacc77cd

SHA512
c2f330439f422b90525d797783c675e2134dd580c13182584d524ec2b05e587a9d7c11ab4c57dd251e1181b981abef525fd761b8cb01ab6c6aac11aa7da5d066

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c22868970a04a17da0c5e8dad31e1c9f

SHA1
af6ae926163b0de6ef11d0b6e4c88c278de49dca

SHA256
163da51700a001af44ebc8ea07349042a96333dd61d1b2e7a1ef53470038258c

SHA512
61a82ca35a7651ad60d5c4c939eb198ae0c67ae46683de75b1eda17c3a109f829f0283777e4c36efb3a2542c723341a7f554470ef2641dbc26d44d1d3984549b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
549e01e0b276f086b5ca7b6aeee12fbd

SHA1
f1d24620f34c7accf7922550e056102bf5406a68

SHA256
d3387ee3e43efceba45e558e048d69ac11b131b50e167a081a40178574bd3c4a

SHA512
20fb2362944af6cf6beb62b55998346d3634d195cf7c2095df0d3aa0165f6451045428ca9254b930fc24a444f0393c3e6bfb0d72f644bafd737c246685308da4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
deaee2c5ac61ab55bdadf7af1d4cbe77

SHA1
a165f5b516a9dc4426d0788f3f5f02513d1b3a20

SHA256
eee45cf387d508683796097f733ab56b921ead2b2fd05f5c9436fe98f0d8ce27

SHA512
3f5af514634599c1748f57f82fd0aab305ba144cfac6a41fde4d99bcbe681ae3c982951756bc621d6d3bef1b066d583fdcd26892bde7bd9aee2692d32a3108c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
33edd6dba10fba649b9e64a8b891cb39

SHA1
8aa79ae58c02077cc417f5f5d89848bbb46c36f3

SHA256
7c385df360bcae9099d939e93139fbf20a51a40bf001e854a8704ec7428299d4

SHA512
1649fbcc8b3ff49402f2cfc2248f0d236c56ad7dd5b5c07b061ddb0893e044f41e9ffef2ec94286f74575484107b9445cc0a20b2fe18deac018ec9a94388ec26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c9564519652c193abdd32aaf5bc0c67f

SHA1
b9e3ae7c5d3074c98a4d5a41ca3fb2313e9c6ced

SHA256
4fcc5dc895a2b0ebdd2cf6851678adfaef1a5abfa0262eec3d2cb13c4d6b033b

SHA512
05a923f017620c4f5ca7033e9f4526ef175c388437508ca06a0e7496104ec497f9897553e2c445a9feaf2d994aaa0b116ac9ec60d98e4199d2f3b9bd6f13d01a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a8d2f67e2bb3ad42a135ad3725c885ef

SHA1
5bee2b95b02daac71d0d073190f11fff1a33926b

SHA256
b3a6ed96d38384faf3850167d5243f3ec03bbcbeb1be1148304ec0fd4ce4fb46

SHA512
a0c69861663be781f43df0f146b64a911f0feb58d3974ce339ce183a5c2d81fd7bb85e6b8cd8b1b1d2af4a05ec149c101501e9bd7fb299581d04a918aa3700c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
20f09099d24be9b7a4523a20e77b3b59

SHA1
248249bff67ba98fde44a7bcc4e01acbe6198307

SHA256
76d98ed6d45f953b317364a72e8b439f9b5e61265a5a12b1931c18d87dc89847

SHA512
b0c49ad7f5f05f41e12b5725dd83219725302e122b7d5f597a226aae81a0947dd27bc2f557243ff279081f38b58d1832c19f1f23412ed858cc9ea8b942e186d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2d83e60a30a34078f57877a5d0f76cc3

SHA1
789f34ce9836815b19c694caf67fe39e33702e18

SHA256
e49b4c72e2fefb9f5e121df630aa3e9bbb806c9e8e40f2f6f14b4bdf4966e5bc

SHA512
2b45f827cf7603f566dca88fa8f87be189097129bbf5b92f5414cba8b025161a82d96c90511a209cd826585023989c6649ace2144ff6a3381bf8611682c4c62d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c855c046d9f407843ccb28120dff9d93

SHA1
e34eeb0514e02a48f1f47d4f225b55031900e41d

SHA256
6ca31b63995f74773570a5297b7c5d24ace1f58f801474aedb66df5bdf11f71c

SHA512
a20936f2e3891b5fa48fd1b732756df345a310233598f742bcc0ec157d9c748aec97ffb58e78263dde145202cf0cc55aaa1f6f5fe859e6ff0aad76af6e6af28c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
cc8628cf630b6798959f8c5720114610

SHA1
b204c95f3cfb099dddc7a9f31dd8757aae1f8f60

SHA256
7e6647152372c7cfe7317595b79275e7a139ba0afc22c27d23a196f762761219

SHA512
3faf774a592841c919c14ed7cf00daf35b8bc10161ede4fdee13624ab880b1b9953d2a0d41229e7c7058f0dee16d44629e4bdbc8f00f6f6e4e20e4e0a95bd4cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
71e930123ec61f65f37c4d91789df648

SHA1
ae40d128d02081336bf88f5820fa28a59192f87a

SHA256
963d73beea8b0ba878e1d24014dfe40d080a71dda7db0eddeec8dfe83ab07607

SHA512
5e1b131d861824e014fbbb361f645db6f13f9c4aae1f632b2939a2d8703d1d49a39ec03bb7b0f7e92a50dce27d514add499eac0965526d7a3b0b3856e058eaee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f5c111fb3bcfc864435b068a7de92e62

SHA1
074558f3a5a11910671a41c00a630085a07923d3

SHA256
fdaa295bd36cb7054249d17391bf8f578b7147d48e31a1d459077da23f6bbae8

SHA512
bf0da459fc3935cfcc42d1f625adb85281f7affe0c942caa54b52df9cae9430d852f335f2b7fdd157c73fa06ccc9dee696889ec98afa37b131acb9183505b7b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bebacaf81e5a24409122321281919d46

SHA1
5fe41bb1dc4c927548e87a800be20ad641302afe

SHA256
82558671d0fec74d399d9d333d85613617bd2e307a6f83f673a9093a2505dae7

SHA512
43d96f4447154a9e48d02380a13c8dbb3f09ecbf0c4048f043dc472e07dca683c6828f29596d11f93095e970653c6bb973e6155281bb0c897178f05a1bda52ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
00c50d13213ae0ede976cae74e11283b

SHA1
aeef90b8277cec645ed3ff302eac511db769ff0d

SHA256
60d922061c18ced9e31ce045a6b47e4ccd0ccb9b5023f3d9f1e02e3db48aa523

SHA512
b93841df64ce0704255b630ed5a2ac0b0ad2368fb45b360681e3def5a4451c8bd06c0c3bece8553796b71e5808608d8ec8196b0060ce53a862c155333e310e36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
2991ad9ce262665316719e2661f793f7

SHA1
870e351ff2e63283d886f3732db89a15cf40ed6c

SHA256
efe6efe6f837a10300db1b5876b48b65b9ec65095116fc2c6d25cedca4897966

SHA512
aeb1de52fb49fd40fe710cb066669f19a5e08b539252e7d16d154e0df18d034b71b74684177885c5273cf916841cfe0f07a0734deea455db3c2c8ab9d4f04460

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b5116302a84cc6b069f3ae0ace8c080e

SHA1
567eb455fb3163b5680ae66676684fb8dcae20c4

SHA256
4b1a6913d0dd456c03e8d4908108077479edf8111c308e256d42e4ddb46953d1

SHA512
9379727530851268ec76c68caaa081da74e76cc4cf22e368c77d1dac1996408abec135c49175314f3746cf02c46277bf9dc3217d92b2af26793b46421c1cec16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
ee2f3bc6e3a619b266233a509b436cef

SHA1
cae98df0046f4cc489fa29a287147fbf3944b524

SHA256
19e86952aca75cb159ab749c92684507cd633726a203e8dcd36365d09f659a5f

SHA512
ba47542d007252ab683ee4076494fe61af5c4fcad5b1760beaaf78c61a1ee1eebcc40db3b85efcb22dcb645c5885c8cd1c81b23614e75f62bf643ebf91aaa4f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
dda702fbfd75bdc2636cec290ed1b293

SHA1
5a7f8240f2c4ee930ae0a2bb2a35e2442c2dd22a

SHA256
99b8e6221a7125c519cfe67b5c8e01607f8c997820e60c8e5d3050bd77fd2e51

SHA512
ee1b7c513c891213246fbee98389113fa0da92d1a15da223018bab3ac7b89f297274340fc88ce7e9d4789082b4576993019f267462a2abfc4135505ada6500ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
288d4116bb1b222e25bb8f7408743838

SHA1
6b4b62137b3d7bdd0d1e1f0d05557ccb677b153a

SHA256
83e73b892156b06d0eedd577ac4a49a2ed273923841d51bbc5bf6749ab249e72

SHA512
42e57970c689989ea2369771c9147a159234287379df8716ec5fde239f6b621816cf9dcd0cde4fee466fb61bc18b1897f6daf20374ab16214af621b5627ff3ee

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4cf6e32c47f7a62671952f785472d8da

SHA1
afc75704a0e267f0c36d0b8b2a873937a4acbebf

SHA256
ff2d4d6765cf1b81b884b276f8c06b89cae1c299b25ff391c9088f17f0e5e84b

SHA512
b26f29f153cfbcf0fbae71487c50559a525bd6f117bea1dcdc6b94f746c31e61b37fba89108590c947b5f728e24d234a9c1d6eff06b1448325ed611b0f720d14

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b5ac033638f3e83fc3c6cc76726f175d

SHA1
21defc5678f8dfc55bc8a4ba27461e91d1d1fc9a

SHA256
4e21df7d11626c03d6009ca087cd650b3c68a930e28440aa40cbba4b87053e94

SHA512
68b2e8e251d4da2014825e24fba5e663288a5ea42fcd60aaa8250964af1f4edc0372df460f7e9ff981b883479bcfe7dcb597346d134acc1d52cb6f8b052239fa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
faf2aaac948bcb9d8a027aa2b971492b

SHA1
1053352df883806da2aa4b5253831e9a69711437

SHA256
4e109e0363ce6e9fbe33b3dc5ccd29e90414a3c5c702d0e876132199270e3657

SHA512
ec2312f32e87f3f3719f5a59ecb1116fc9155f92188b4297ad2dc0366f46287160c1ea61ab51d4f4bb88dcd3921770f26c7f2e65ddb17c5ee8870aa1d72f9810

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e6e99df79f5d3a98ed265bf02a4ec7d5

SHA1
65a9619c689353ec5d3802b2616ed6efb7424e04

SHA256
d3698d7bbbea97829763e2cc96211302ac84cd50f1220028cdf167e5bcdeebd3

SHA512
59f8dbe66f964124db2a3c4fedb7abd127792d8f89304fb9c4625a09a00fcf22e388c908b600360ae068981c377f5b3db72eefdd821ff06c35591c02b6d81045

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d0870fa556d974f46bc4661c8fb2172b

SHA1
6590d031b2aef662f477d7116dfaf9135d447389

SHA256
3b1e6b9416d5259e03006d9b201d949c3be4807d1c08ea5ed28cd8319a8e620a

SHA512
15f8e74ca66c84ac29af37ea383c1451b698f26fca525bae14d6b4636dbc6f2154260851254bc86eeebe5fd517c65d28dcf16f7bf260517ab4509e3da506b3fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a077d9db8c6221cf3ffa37993d349ac1

SHA1
3f2c93831bc3e97f9ab5793972ddb8b6bac9c5f0

SHA256
33983f81abb13f9c9722cec7ad7ddcbb8f7f84ddfe1e57eee44f7389e3921fb2

SHA512
dd8bf28607327d91ea471981db8c7e9ee9ada4c338d5fe16cb7a32454a584dd39faa7f55c6b2ac0b5fec6fd2a534a632b854743d4988671d00570d66fd3a8e56

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
359a0ca9c12d87fbdfa717924e8d5aad

SHA1
410cbdd77d36279a67eba607747c25613de067e7

SHA256
452b78fea2328a94604b4aaa7083d6cf9a0ea1d043444804c9f94b6e630de214

SHA512
c13f1827827e90ea0143825eba808cd5788524e898f5f491eb4fd24cb70bc493b575a1b9030585e1ed925ee108bd788ade892351f0b6ffda2ed153da5ef6fc5b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e47204ebbff945d08a79b1575578c632

SHA1
02340f44fe5b2c57e221b306831dac856b0cfab4

SHA256
085db5b29c0be632436f0ca590b4bbac3cd68520385dad8e5cc2657d38766408

SHA512
f743e9b09f2687f7c441177428bdb127552cb913fe347e08f150404a2549b7d89dd93a14fc306f213cc6b017134cb7895a541f5fbc573d5f9b3b861b94933b5d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1469b045d6845339fca67d15df46eb7c

SHA1
4198aa8531123793aea97009701402a0eb86638f

SHA256
0558ce2ef05efc4447ac9178be347eea28f65cfc3cc7bcf16513b93851476cd1

SHA512
1379f69c559791688b5e73236316bb7ce0dbb445753179eaaa71e19fb97cb1706a747d9c502c1c09145269a16a19f8f117adf0b2e77f7b8556c574141c5829ba

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0ab27316fa5a3a0900bef26cec503fbf

SHA1
2008d3dff814ef49aada0ac85082a1c2f14b3a18

SHA256
c4bd86be39efddbce8979b587dda09e1bb03a743b0c8a35f8d30476030e96f99

SHA512
1836f7cee81f9f570d4c197e30c965d2fd5652ea0ed9f8178a96c60de0c19697c640b8fbf92395a28a73336321cf1c304cca625ff4014a39a801f8155d562ac3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8d4394057a6324292859685d2d65528a

SHA1
59124fa70aaf025fe20abdeb581cf6ae026c17d1

SHA256
38a7809492e8e3b23228bd15c50d97e242364f57b41ed12032724814508add6e

SHA512
632d088343d769e0149f1edef42eb247b8350f4c15d0d5d44974ad88e7020f526d4140c38a8fe30cd9092a984095d65cc59eb184dff0d44b6aaa72ed785ba459

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8a6fe6653ddd6875155c544c47a65e68

SHA1
2d62f7da6f0edc5a2da3b9e27f8fa59aad1d189f

SHA256
2eaac3c227944391cf22df250463ed1ee4c8d9f10288f8c6f9eb491482d049d3

SHA512
b510c36b728e8ad3182110cca50ee50e5027649e726123407ef0841fce8135e0e9cc244679c3d0ef2dd3c327d1dcdcb25f02197bee4dceb78cc29693a5bff5e3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3b290d6188335a5b35986f009b58d20b

SHA1
c5fc221149dd250201e4aab7aa8dc394bce13e3d

SHA256
5b8e61e602bdb9ca9048f57ef6e4e62c3c815e03c3128635044c9c07cc121686

SHA512
e1c2146efc5b9cb685aad43dd17b4298f91767c9eed0c4ae86da86ee1ac81e55163876563d7d3ca8001d5f73af0253e009b2d7ecccbf18277c81eb46b685de0f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
15a2a543bc7bdf07e54f40b8e96cc7e2

SHA1
b6a0cd190d114407a67462372ec3136a1edd15a1

SHA256
48c46e6502825bfef1f7a846fa5e001ba8f1191d2aeec49c880562363323d884

SHA512
b99174913b87895d8906d8ada494c55969c41eb1fa3ec23d47d6db0e75fc5d6f8da20ca0764e02b84e3adebd85151327f602380fa0b1d8c5554bf13f0212f655

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8b6b4363d05edc89a4d9394d0f25f313

SHA1
4c6dca35768faa01de7d77964f249b93030cd9db

SHA256
756277bce41a15256cecc4fac5c2c6a7988a5d76bc904b7f94aea15b5902c462

SHA512
7142c64c7714a2ade2404a7e7c28808e72497b970e4d133db48655f7808b56a75cab4dd8c2cb6d76da0e13784f4eb2981be46011e2f38ff6af63a6fb55844544

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
30cfba64172e9d845475812f763f091a

SHA1
9899e39ad999674986218da4f619c293f7a89a5a

SHA256
9f0798742f54fdc36da918565ce6aa38b796d1ea8cb0c33d196014c3353f9b5f

SHA512
054e6b46ef030e1d9aac0b24d488da3fa5b0772bc23d34a2c0f427c2da85f4f3b106aaa371ad93f3543d81e4cf269557f74cde7df57aac115e5f78a34f247752

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f7876973999d1e53d72ef61ea29265ec

SHA1
e2b918921e028e0163a54daf95b4cbcfe427ad0f

SHA256
a771e1505112c64b2efb4818718836ecf522f7a6050f56f3573d83af988bc6b5

SHA512
71dc990d6516d3a145ae3410372ddbd294c6e78e8ac28cce2c2ae6b80fe768706c03db9847c72bdd844a6f9d8515cc59d3735e1fd72727ff8d48c5e2a75121bf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0d9d9ffe5d23830d21a70e1bdbed3f54

SHA1
1dc9e4f8a05eafc5a85b2656032834d2e537d6cf

SHA256
8b4c8db9ff80cee26f706513ca185fecc9ffc73b95f3e56e1cfd98c97ba7187a

SHA512
ce312438371c94e786718a07f9f1ed08e9cb4e619824633f1022e7bbba0dc800824bccddc462bfa5871b5b9e808a0d72f88c43de7d53fcacd5bf2c01dc3c6e97

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
aa9de52c2617a0443de89f766aad216a

SHA1
5f9c053e41c6ddcc53c2f4e4bec2d81c2c12b91b

SHA256
3f97124e1a29be2d68a34cdcd19aca32c4fc04a735987e55aa0c58328ed0431a

SHA512
5a417b51964e166a1bbf2ce687c7edb94b6aeec7c0d01a2ddce4c46b5cb37ee46ea597bd5a3e9d1502cc9ebe2dfb2cd7a5d7cf34f84aa37a2a26120ccc909cf1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
c2000319ea0f5ae02ef01883507a0e4b

SHA1
419ce6567b61ac954c0761b77fdb940c2de66d6f

SHA256
86b537bb54dbd7a4bc3bdd584fc38a15a1fe0688a40c6d41e9086f4d7955a806

SHA512
58b86d6446e6176787c2a2559d0defe3046738f11cd22f556c14ed15c30fe171268a03ab8267ad22c7d46d841d98b18b439f30282ae9c4177a07229d19251318

Download Submit
memory/216-37-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/216-43-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/216-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/216-45-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/924-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/924-466-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1228-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1228-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1948-81-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1948-74-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1948-247-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1948-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2136-261-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2136-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2136-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2136-266-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2356-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2356-474-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-334-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2376-473-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2432-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2432-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2432-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2432-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2656-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2656-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2656-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2656-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2892-34-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2952-465-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3176-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3176-472-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3324-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3324-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3468-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3468-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3828-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3828-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3828-70-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3828-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3828-59-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3980-471-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3980-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4084-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4084-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4476-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4476-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4476-272-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/4628-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4628-1-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/4628-6-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/4628-32-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4628-8-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/4636-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4636-463-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4812-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4812-470-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4932-467-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4932-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5032-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5032-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download