4f756e76b4b6cb0b9dd7e3cd5f6580f71f1e47c05f310a98f5384396af795627

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe
Size

677KB
MD5

919f8a00c85f30db3acf58234611fbcd
SHA1

1b35ee08b07b45ccf92aef2d614b5cfdaefe1d52
SHA256

4f756e76b4b6cb0b9dd7e3cd5f6580f71f1e47c05f310a98f5384396af795627
SHA512

d2ccf3c29cb49f14b5a1a90aca66fac6d43f702c062481f3d83a0f6bc5a1cd37e18663b712fbf6c4cd5b37c345f85b8709af80e8a4c2381c79960e3c92fb6ae2
SSDEEP

12288:nvXk1dp/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXREHa:fk1L/i328ab4F+rM/aXq6bJfBUam6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1376	alg.exe
1260	DiagnosticsHub.StandardCollector.Service.exe
4840	elevation_service.exe
3740	elevation_service.exe
3188	maintenanceservice.exe
2972	OSE.EXE
1392	fxssvc.exe
4740	msdtc.exe
4524	PerceptionSimulationService.exe
3220	perfhost.exe
2260	locator.exe
4860	SensorDataService.exe
2712	snmptrap.exe
3368	spectrum.exe
1900	ssh-agent.exe
4132	TieringEngineService.exe
1712	AgentService.exe
4400	vds.exe
3484	vssvc.exe
4248	wbengine.exe
1832	WmiApSrv.exe
2572	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\397e6eb77a2071e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edd96b21f3d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049879b21f3d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006973a721f3d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a85fb321f3d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a89aae21f3d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075259921f3d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dfdb021f3d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003038ac21f3d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b823b821f3d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1260	DiagnosticsHub.StandardCollector.Service.exe
1260	DiagnosticsHub.StandardCollector.Service.exe
1260	DiagnosticsHub.StandardCollector.Service.exe
1260	DiagnosticsHub.StandardCollector.Service.exe
1260	DiagnosticsHub.StandardCollector.Service.exe
1260	DiagnosticsHub.StandardCollector.Service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	444	2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe
Token: SeDebugPrivilege	1260	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4840	elevation_service.exe
Token: SeAuditPrivilege	1392	fxssvc.exe
Token: SeRestorePrivilege	4132	TieringEngineService.exe
Token: SeManageVolumePrivilege	4132	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1712	AgentService.exe
Token: SeBackupPrivilege	3484	vssvc.exe
Token: SeRestorePrivilege	3484	vssvc.exe
Token: SeAuditPrivilege	3484	vssvc.exe
Token: SeBackupPrivilege	4248	wbengine.exe
Token: SeRestorePrivilege	4248	wbengine.exe
Token: SeSecurityPrivilege	4248	wbengine.exe
Token: 33	2572	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2572	SearchIndexer.exe
Token: SeDebugPrivilege	4840	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3188	2572	SearchIndexer.exe	114
PID 2572 wrote to memory of 3188	2572	SearchIndexer.exe	114
PID 2572 wrote to memory of 3148	2572	SearchIndexer.exe	115
PID 2572 wrote to memory of 3148	2572	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_919f8a00c85f30db3acf58234611fbcd_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1376

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3740

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3188

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3712

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4860

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3368

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3664

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3188
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e0454cf40ac5dc888f84ffe509778e81

SHA1
93ef805a47714e41292e41a3abca77ad74866cae

SHA256
d54f75d8096b14cd9be54bd56087df443c8025b7472be351175d19e975899ac6

SHA512
a5d93f8d822936c76115087302b14c6972bd774cb1ffc90ccff1a1d6d0de3c82eef6fb0cb760b718768bb35d308209ea659e44a992c7043cc4015c0b39038f88

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
1cce6fbbaa9d5247d08ec959017b7d2c

SHA1
712e0675ac76e871b4d9a596bd831f7cb112877a

SHA256
0945ab4b091c46543d24502085d82e8a0677cf262c14c61d63ca41cd0b4d8214

SHA512
3f06842ba3277722183467f0252b926176c4c4cb28b3d7667de7abe3c799a4a567778bde2152863386f444fe651f02d557cac820fb89f2450f7c6766ea61eb01

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9aeae49dc7f67a2ccbfe818a9dc30acd

SHA1
7153691fd476d922ab365bd45d2023f03660cad6

SHA256
fb52c96079899c3d25dc7246541f55da5232a8bb7a49f87c8c7bec5e6841dc29

SHA512
b82b995a60e7968b5fba6315ac409555e4ab02f4aafe1efcbd2f902c538b6e40fbc3d169bacec0cb5d1d7fa406ba31345d2e36e86cc70c99a23fdfa34233122f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d8355c1ec97b3953bbf8086fd562ed81

SHA1
70cf3f6dbfdd0c13193f0d1237fdf99881616851

SHA256
41ee05c9e5d83f71e410df8fcc84fd7df21338ca1cfeaa1cad246aad64370f7b

SHA512
be0ed147b88f480e3c66dd5145f1e703a6ade04fbdd8f44e8efcc49cf90461e5a047a29207ced8fb43059e27beb999848a2fd5e09bb7981821fce1c416934ab5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
090628fff5e94affb8c2816df7f98e81

SHA1
c813a3f990ff78e875316740e9dc06b50f541301

SHA256
89b35a37cd55b3342d72e340d350caf97c64b54b0f5806bbbe549966095cea30

SHA512
e0c578fb4a4fefb4564ee7d090c3fe89a7f8d7baf958cce21807a4ad73cdb829b2f056ed45e785b3ac31d71d00b65a107a752318a08681fc341b945f47d3ea10

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
aab3f39c64b90411ad611c13b207636d

SHA1
39478eb7f7b54c3216532e988543f1cdbd7b7b5b

SHA256
2393a645662eee4fa6281cfa2c4a9a71cd091cd4b48eeb31f09210f53af70f44

SHA512
18f6373cd628da1a8ebab007a9e1fbcfb90a4b0c104ed0a3679ebd88bcf1650b77d40b232f619d71da23e96d16cf1be935bf1b7f90cec60c5fa7ee9f952e4218

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a6bfd5aff47df329c2f302ce4a7656fc

SHA1
31d41b89a8f73d240d7a08d807d4c3ec5c3649e2

SHA256
f27ef0e1a3a2923bd7dc35d5281be3e7972f8334ace00df3842d0f8afc454541

SHA512
5494b541421e82a848435c267ee1bd84a4b26fe9fe5ad23f15b8946f51842c4cf0718f186bc09b278b4ab36ac2f07de88f3ff2128c0116898c364ea8cf4ead14

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5b67539d51e7a4056c5cc72e79b80b6d

SHA1
6d6100936936a883cb32916bca18ed129f1de5ee

SHA256
64a5287b7a04b7ed8ca0085309a3457360b9973d681c9c4e48371a5e96c0e5a0

SHA512
77d2f5555694183d7293cddf7929e000ade2401c72494f29be79931997130dcb7a89d0350b8a0b1bb095780d5138be3c3afef9d8b9d7dc15b5e68b0a4fabebf6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fd0e345e647a1d7ead81a3adf559da70

SHA1
86e02e7cc608e024482bc6b7ae376f2f7415ab55

SHA256
2509b9d0816474e4c10703fc5b08fe5aa06b827937574fc58174cf3f3f5c1630

SHA512
0f9c2172ed2cefe5cfe77cdb4ddef2d35c452304ea9341dc08bd655d7ac7f7f1860b1d58226e6432816843172586d724a208fc99ded9a8d4c106c66484f6b93a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1d63008849a307eeb346959457c07218

SHA1
9f49ddf83dc18fa454cced7bba6c21687a8ea0af

SHA256
99d1136cf8fc7131142b460168ecdb039e49198e4cafb6bb9de37686294e9a04

SHA512
1f830c7597bf57e86a6eb6adb4736146b8099cb2fc3be5aafd4978a2b1c34a05162fa924466a712345c0309700b0d0a02fd755cbded8c3d4e34a3dab3cf2cff3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
afa7ea5e5f840468d7d1f4c3874980be

SHA1
52d033f04996570cfa3b0f961c240532d7cd3fff

SHA256
3a79b1707a171e5d294f612efd239a34833b8d29ed0f5dad789bfe1b31e0f573

SHA512
435b30df57c7364f71f7946d4dd54e09bcc3ca3d2a721a54aabada4feeb0365c0d91317cab240a250d0206499893dc1bcbeae50d165da532e34a2139dd054ed1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
70b510d19dd2c044f78f196886938773

SHA1
92c56170ba9f3ba6e769a5f1ed2541f44117ebcd

SHA256
0cac83cecea2ec87985da2bf318f41118bd605c9e611f9b1a96cf53206171446

SHA512
6b778c41fac16cb2f422420fa40035e4ae133c95ea0b2607d7793eaba271a11b1136ab36b05d8fcba07011635eca6ba552ef8636d7b292c66c6c393c2fbde5bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8cf86b2e4c2ccbe75f7ae8f804e0b4ed

SHA1
be4eb96de7ca2d6b44e1d9fe1eefb6a3f51ea492

SHA256
7aba78c934bce4dc48a8fca0555b94be72e91f3d7789d93641822825565ed747

SHA512
53b2061fc3b6194fe8bd8850bec2668eb5c3b62b2209c2ece1ff84690ea6e4965851f7e454e0e8bc2df4a181d5631ad1ce0ad2e99193e238e88ab0e232f124f8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d36e1ef719763580de9575794d59fdd7

SHA1
2775e34d82517d052147f1c8dc59a0ce641608a4

SHA256
5ea256924ec0e7a00ab32b7b7b4aefd4d5e2a514ef5bfed0a73ff6adea8cdcbd

SHA512
f5ececa2432e10db7b6700acace719f0b2c2737ee9ad6ace202c30ab3c99d9d1a5fce5e7d9b96d991317b41f56233c08573fee652bb7e1cf68b765dfe101410d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
367bc81e5b132efdde85bc5bb0ed452b

SHA1
5f36e0717ecf03edcdff6bf82596951d15aaed83

SHA256
34b54c22330d01df1ba241b232cd3a266d4263c1f4a70a000cb16aa3c17e7d18

SHA512
7485aa1a441196fe6ce9ed3bbab5e2a5409645352ef3ba587b102a79011f718c2c6299f03fe31af8e1289c4109702c66f31b05d630d614aefc1c63b5dc26eec9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
4db425f57cf7c4b52cebcfea2b5940e7

SHA1
72906361335abdb4d47326ce6a1d0e0cc4ba7126

SHA256
dc3978f31e27fa36f920449fba694a6b0b61a238c2382d8c5eb9e6f4409401bd

SHA512
5dccafae21ac8e76ad3efa5fd677a9f3eaeb9d9fe2fc173c8776305a16fca34f95ee74330a3403160d3db0afb9226e0a0cf5c098325f69eb1fca59dc94bac7a7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
392b8a4c38a0a8e1be4601826d5278b8

SHA1
c854ffae4032bce95d3000024a2993d55f800e67

SHA256
e272f441885321ed1af4dd4e8fef3c1241f8ea90f741414860882538023fd428

SHA512
b8b2244f49925d85a8fa9a462b4290e03eb730e77a22cb4e938fd6ee702498637a25452ebf9962813f7bcf3d9dc7368df13f97c24ce8feed55388f27e4c03d22

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ec77c175a0fa7ec723d39092d2fd3365

SHA1
2714fef0fc9a87256f5a1262d875eaa799a0b9fc

SHA256
d3599f7414502f4a8236c5f438845bafc7bd039c27e027bceb5294abd7a0a2c6

SHA512
c7b45ae222cb70e1dfa2f64e7e136844b49bf40936336dba017f749381f8eb646fc1afd6d9d756dfbf833ff94978a0c9c0f8de564555c3d0bd410a64707700ed

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
65e195edadf66a78974f662eff2a6975

SHA1
67c252b4312e0498b7a7acbb7f69801bed4ac88a

SHA256
c4175effbb4f183377bc9ddb83f7f542506d9be672605f90455ace9170e12991

SHA512
ceba25a225973066e51baab2ae9d4a5d16091ebc58c6a5860f9f3d4f5c4a948643e872b74bf51eb8e23ec5089e75ef30e744e6a251087120c8f2b7034ea024f0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
29e33eeb12b2d92afd6fe6131fdac068

SHA1
9b4bc974ea25a07062fe6c28e53edd0f2c4add4d

SHA256
9c60950cb09037be61e0d4c22d9211cb0c48cc8f1c9cb0900a06c2e8984d6de1

SHA512
bdacfbbd04d2721785d8bd771351cfee9c7aedd3961231eb42925446cc96d5b9d83a549b802debcfba804a196cd8ff15156742f34093bc6b6264d98a66ee8ff1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1af1252273a45d5b26f8946200918bba

SHA1
cafdc8b407550abe0e2c6df430efd8922d1c64a4

SHA256
eaca2b075f6eca40a062a035c0d77e8312f578bf1441ad43fcc769864fa47ee7

SHA512
76dd5d0681b63ee030322797f7837c6d5cdd59c4eb4faeba06da242ffd71c34454cfd12b5ce1626249d2b28d748d8dac663ba3f9d21ded0e7ac39b1ab179abad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
614120eda94e9248ca01d150bfa93035

SHA1
fa0c9e1337795c0e8f5cd04bad99b590d3c757b9

SHA256
63b6527a7c90ee28de7c34a76f06e58bf8f4750761695e32e61cb774db5f2c14

SHA512
d236ea349495bbfdf6d3063ddb371af39be4dc2f89ebfea53da7667fba58ac57c6bc2bea4c806b9e3c5db7b7e2e9f02b3858617838f18280a9154524c665bbc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cae4dcd50e3fca5a65ca414c718ee214

SHA1
837c3600f30dc5ef18ab58d558bb4e32046b9e99

SHA256
b3061367ac9c849f266cec13154b61193bdee9e5b017c257861c8f83a0f84978

SHA512
58cdbb29c25f94b568eefd91f39a9687801d4feb6c9f65c3728740ed5b10bd1ff2a62adbf4b4fb286e586a8c8060dcb53484b45bda6e4e5146e104988a4db6e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
acb8f277934a69d7c87f21b4e15b7eb7

SHA1
0a029a8238f54966ebb1da41150d5c94a66991d2

SHA256
0a55795a2335dd6ec63529fc272e953ff91983fe576dfe6a8acf73a0eb4ed028

SHA512
9ddd8b5af146fdcf46fb256afbddf6edb30cb2ddec97e27f72a10a322b33de1ac48b7478119dec6d48f871357051d82bba540e5297dc63c5cd87b9dfa5dde7f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d0bc15af3c9c669513aa6c5bd30975e2

SHA1
5b15bc484a8b125eab8bee2719823e1768f8d835

SHA256
0424e7831abc70636efb36e2eb8b9e87e0ed3a5ee7c608c75deae6b9cc5a942d

SHA512
3a55997473cd3b99b7db53046990392c9dac099e5444f7f87e792529cb0ceedfd64bdf1d27292bbe4e0c9a5c371ef3507d837c33fc12926b3cb46d39f0ef6ff6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f1c6f6d5da374b69dc4046727797e120

SHA1
5f5da314b1eb502da3674772037effc95ecae359

SHA256
078472a25ca8cbbf682db5487711f3c971f3512fe1deb12ecf4fd0b0ced82aee

SHA512
ada2a7bef4f4ea30eb777caa0d80e72741d51db878f70e53fc036509110b715184f4e41c92257117c36aacba30acdef4427190a3124f413fbab7efca46c7e67e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8880ab0c5b7711638354e6e523bff0c2

SHA1
df715b655ddab1829d4e0219b81974c8b1343974

SHA256
dbd79b24697f37d52a916c6599c78e3b753b8cacdb9a7c948712d124fc3bac25

SHA512
12ef30a6878f917f49c857fdb01d2343f216c23246278ecfe7fcc6a5d0177fa51e3059aa6c6d725b5743b94b7c020ea3d7f24e6745ed95678f1758fc9b359ae4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e44a93d6fc93f59f89f34b5844cf358d

SHA1
f37d95e71234232e345f1ab57790f9d3abf94dee

SHA256
f671c1987d5f0b0ed605d089e2572d6c7dd69e79b8c668a0703f061fcae4f384

SHA512
8265d3d273d8983043084801fcb975c99c0a17d1e8bb8a0c9da6e49495ac8e3afcf7a796b7953f0a92c2ca43d6f1e47a527802b2d21976d0212f3256aebd46cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e443363f6c2da8784a9de9e965558c8a

SHA1
4f703f2ece91c8719aa477f2a3b985574a1a8596

SHA256
d8a0ca0eebf03efd91e96c0de5497496d7c5cdd2ecef632215ba492f67d8754f

SHA512
e4e2b7a4993363804d8a2cbcb47683336ac5f69255c42e1282c9bd7498b85017c2786d7d660821fa48cc658b2233262516659db62b7c129899ee6d05fddc2425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8e4fec7fec0a4dee5a54b70a6039e16a

SHA1
b5b22180f2280b815bf941f8ae48e562212e3b82

SHA256
fe0b8b041823a706ec61dee1474ea97c58cecaccfa8c0d2da5948448b1be3154

SHA512
b8f77929ece676ec3af34c8579fbd48b493ecb227404223b9502e43607f3e8e764c801e62bfeea51eadf8605e4364c1767d6eb22f0e5ee1d632e1601857664a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
e2bcd9ba7e804115877519661c6af267

SHA1
0185f4b30bc570f1f043dffa1fa0a7a808574d6d

SHA256
16f70d194237d6d419624f5d9671fab9f7e0cd870d782c8cdc2fa2d9c025429d

SHA512
2755dfd32c6a66d46f67e418da185635bc3117c2fdc3a0db4f778730ac3b0c1b9f90ec52f1295a939ba2d9db3145318e5f8859ae3aefb1d93b84dcb6de3d86c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d72cc76306985ea3d6f670dfbb554d87

SHA1
84ef139720bbf2b2a0c863069826b147eed45300

SHA256
0470f5e4ce51fb8e94a73be305569638a6cb161b64ce1f9e097cf56e0c3e6f20

SHA512
817e63d7083c0bd347aaae3765063d10af0ca4823dbf8d6054286c4734d76aa8a9f006301747c9cc5ea5008b79cb001cb814266c8cc6f5f5bab827b0450896bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e76edb858aa4b0655b7d9d5481ce7c61

SHA1
f059d05905b440d8e881344d986ad2f874fc1d1f

SHA256
294a346cf5fc9a6ca0b2a48deaa9b35f4ebcb87c9d11ce65188dc54776b5443c

SHA512
d32491e6abf73349ba86361f9760983a79c3cc866f1cde5bf950abbe9c7f2ea685d49ea2d807031f8791d28a0647caf7f1cb90c3c20801d98c877eda537d6f7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2dd88077ca2b2535ad470c6c575a4cd5

SHA1
abe25559d0b5811f6ad7c19513ec591c9a2b9071

SHA256
03c4eb3b4a81497cda3129fc84344c05726576d3908e32474498b1ecabe69af6

SHA512
a9b2bb975359629e976295a5d3baf77f860747177b72c48f23afe78036517abed229111e608e07896b0e60fadacc8ef1bd0ca11efea765562abdcdf175c06681

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a4a96a36b02068e200ae3efcb6f86e85

SHA1
0c77b7ee5b3ad86fcb91f138a5f832c066225bfa

SHA256
54135cd89a8a26d7478ff4a1a34fcb0c38238328e98b998d07aa960b36fb4f52

SHA512
c0a0e123cb2378d27e6727c137984c16e549fd43eb930325c9997d3493bc7e001fe3364a1fc5e112cdf00f95033ec4134a88c4a185ada708ca70fbb753c46360

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
104af5ec518bcdae9d0983596c35b320

SHA1
98b764ff661a04a580f6bafd1683f06d6ba36c15

SHA256
73b7665b37cc89ac3992073c87819843dfaa5917e1b3067c239b7507df09009d

SHA512
98fa73115be53eb64d23514e2ecf28e17aae5c08ffc9bfe9fe50a2dc0015510fef9792a2e75ea0ed5ffd41755bdfd321cdeda4c9f6e150ef6d5b8d5df1f6f680

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d8fe08fe66ad500bb09646fe4c7d4709

SHA1
d9d3a271bcb5fa25c012ccb73656492e92601810

SHA256
df9368ba1643cf37015afd3b70c9d56f0204ff80cfd9fcb88ce0825a62c6e075

SHA512
8853df8cc95d818b91aa383645ba8ea9c44e7d969ea0754422fdfdbc2ff606d27fa61097efdcb86b66c1974c9eca668427d5ad913af9f4a5951ab5d895de584e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f2cfdae116848acb54e9e53ecd43bbdc

SHA1
2b924caceb45e0adb992e208f0b163acdecc66ee

SHA256
09796a5417a00c7b4d2c7b7c54244bfe4f1e5ec093275543986824cffef07f01

SHA512
00dba6c6d1dacaf9a520f4e7048014432ffa95ad2c3fd3f9ba891ee7b6ce45e121cba3f98f09fd1eaa0592b60b97966921fd90def30610c5301528ad869d78dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
f921f0f8b28d4e4a085947b2738f8bef

SHA1
3100c2cba0f15ddf00aff6ae007ffa2b6bd27e66

SHA256
122e21df5df2424c2d290ffcea4a4a126b6afe49d5a0abd6e58827675d631880

SHA512
5f206a8df5ccb0d1ba0a789ea08bcac34993c1f3f5534fbe14d9444678ec9433e8c5b8b440a86ad900e0f137568bda34dfc009ddde039c962f60719ce2f2ffb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
2b3d3a3b7d6ad61c8b9b51b13a9a8a79

SHA1
e1a89d77286327c781da8d2069aff2c4a705751f

SHA256
d221fcd4dd26dd47677f1951450f7963b880122093ca08dd8e1e001c5a73704a

SHA512
5d3e4855def053c60c6ba073f52b45eb8442095dfaa5a6df183f15eae23059bf5bea3608b8afcb415866f30e5fab0bf10c414e0b72a119b17a7d8bbab89a0feb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
781e85e26eded9eadd537bd5796bcf5b

SHA1
7a840de38907d2492c99a4d98adaaa6fb801d0e8

SHA256
0733c8eb2b7f92deccb28283c0abb47a004ac0551b687041bae53db884795c65

SHA512
08228388c1bbcfb0d79ed93c214a6e3d59732304a393ed58583bab795a59f7db1c669b33282428e86832fd9203e15bdfc8b1f0f35e63f0f5063319cdb5507286

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a4d2fb673e1ef5d43046281a9dcddc14

SHA1
4e2765d22371fa2f8b8b9b7fc7737e0a01276a4d

SHA256
3afb15b8d8046724ffd8bfa46642281a2340ec0397d0a3bd60e6ad134ea98377

SHA512
689e016946c81be94519ce59fae16a087580c36562bf5693dda382557a4ed2e88d91cd0c7fda3efa238dd08d7bf302ab4cafbb8e68f1c0f1ba9a7a3189d92b36

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
eacf2d79dc4ada18e92530cb9d8770b3

SHA1
4b9b0da46934de31517095bf760fffe4459db4fc

SHA256
418210f6aaaaa2b8d6d117b2ee0cd807e88178f8cba976d0add78c4a70d2db65

SHA512
489b60d65e4db7c38e0c07dd0ee90e4be88ed6284798adc377049440b25a70c0fd69cfdd6505981f2e6a33af2a9772c2e72433113929c282d1d7b91a4b45bdae

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
09b59b470c49044b0fd1af4929bf98bc

SHA1
2a02b06ad1e0a34332f15bfc797b4fb05df4093d

SHA256
5fffd435552866da6d5c6cefac40caf97cefaf1070444059196476aa987b9551

SHA512
51b2060afb3c9f2b68e3d94e693206acc318988cdb4daef0bfcfa378a43795e391c3a97314e6f935cd88b4288ee5b0121390ad6a7c2fc979b2901890332f7f35

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
943acc748c4aeaa540f588647c410e35

SHA1
a91a308b93029b81063fb99ec7934bb04e1c60ef

SHA256
9103aedc5d07362d9ad9822de98250dc17963a8e28a34e2b7a17b4658dc85a16

SHA512
56bfcf483e5d142b5a540736d5f38b99fa8052b664bda3bf967052507d6d3068e6f1d70a65d8242478f57bdb141c6ba59b0080bc6ecaa128ab6a6179fc049782

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.7MB

MD5
13d753a172ff3ca232da2e366d1e6085

SHA1
56588d40cbe0e87720150d7b8b67c6cd450efbc6

SHA256
d2d312c8e3cd367430b77a4c86cd994a6cc0df426d597dafd16ebc1ce41f06eb

SHA512
02f497cf866335665e91a39475d969a82512c56e582d685a41660637838f6659e79944a7d1e664d41b5b34f82199538e1af0764e3a1c6861afdfb142a047f51b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0c6265028c100ab89e47232d5911ae96

SHA1
e597390dc6b42a81ba6bbaf8c2d46085bbab0c35

SHA256
2543b23a8f9a8e5a9a5b080d2ded96a331caa18f9f6adf0782b1b125864a0924

SHA512
4c6653c17e1ddcd1b97c75d4392224d1268a686dcda5b814d15c07dc81d874c7693c6c1194ec2ad81a7ccf9e9725403ae6daec608a3a63f08d039eaef6d7787a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b4651cf2b2b2dcbebe7fd932e7cd3852

SHA1
c28aea82fb37686dde444aff7f5917a511c25887

SHA256
a22279ee010b22d469cc0bd6392698eb94d48264a7680041c5018a1e72557001

SHA512
ffceb8c15d126aa8582a14cdc34ad5e108a06867211793a5fffeb23e42eb0f9c3151081b31fc38b59a37873eb2bd54ba1511d11a5cc234c5c45c3931df6596c7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6e9aafa769aecb392d6cacf36076e672

SHA1
712e5b88f93a9b93bb3a1ba32dfde1a83b480ff5

SHA256
e79e27ef330962702e63a6e4c4a494ba1a59a49e8937d444faa826795cdeab5e

SHA512
60c9c820f483e92cc5f14716142352de2b88048b8a336032ad6b1fd994d01b37f5b815b51c1298d9985edeaef38fd93d1adfd5ec91aceba2735b3e99f678d2e3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0b19f223c42494c2d885d5ad9618dc99

SHA1
c803d451d5ea436f765bb97ae2f26690603a82c0

SHA256
fb104235d6bd8b07d7c13a1be9e143f01483679222e38c1f0fd365cf7ade3265

SHA512
5b917447651bb9f3849644e958d0723083e58a2af996fa9c04967b384dbfea93d018e54f80ed650d0b9528a470368e459a06a87ec983674e7f088bffe581d9e8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
90fa50f6a518dbc5a970af0f1ad344ea

SHA1
1f285dfcf76ec21288ba2ba5bb51fd0fc55155df

SHA256
88835e22420dd64f1aa3417ac5ad43a721f94d38b47933c8bf48ce1b4d0dbb43

SHA512
08e721ea1f199abe23d33ed21687cffe85bf3fca15b2621e1ce040ae17d95c046e6234189e97ef1876757e04f2eeacc9599fd8cc8f65576ca5f8a2b2c7087916

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
86633b86ac6d67ff0a8d454c3f316708

SHA1
0487227b3ecd9eeee1b4ec3da846f45fc6264e2f

SHA256
cad5803cb153e3ee0ea010cd0d7a0402531c10063dfaeb3d22af47a88f841454

SHA512
1e46b92d4af8661c725c7a26604383474bdea26af278d354e349bb888b471ab130269edb295b406b3da91616b82c3c52eb0800a749608d7c79eaa97439c69bc1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e1ac3627102aab68345104c1c2820084

SHA1
4d890ee21e30af93ba2703b75ca02c6af8d6f630

SHA256
1a8f1f1a330607f6164462db33a53c983f288d12f0b5c5f4e9c18916756b6484

SHA512
590a516726f6db3f27b9773476eccf39f7be780ce1c90bfbe20e6345617a5e9d9053caf0a2d45b65ebcc7ee3563d5c0f44b24ab63be3ad819e98541a8cdc292b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2f5eb6f4963bf50963899cecdb29551b

SHA1
001a2a2dfce4be09273fdabfe7d1eb8ed4af31a8

SHA256
2ee8c8131377dceb9a4c1579e41e091b70d25e189837b09d9482246a7048cf56

SHA512
aa637ce585c9317b4fbfdfab7f3662007932a9348553251ce511abde70406aa848fc0cfa18e9751c7513af7c3b7477ebc3f28e2d8bbd7e2e680bca8d153758df

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f0da6c67549c2e51c5c6f8b5ad96f9de

SHA1
ec234d5b2dd96797b9185b652cacee323fbda71b

SHA256
a536a13bed95535037e2e780b88bd913842103b7afb3e1bff24840657320e899

SHA512
181ee7d4adcc098842828cc71e913665136a907c501f14fae88aadcc1a9c88c2ac6dd51f5cabc6920e2fd6bc6b126660224662f54f73fdf2ebf7d8ce7bd6f9d9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a0bbca59dd10862159441bb320ef3676

SHA1
7d072d35868e8f633f5dad1e8021251bb68b348c

SHA256
8ae60cf4b84df6718cabb3dc1cf1c0d239a9cbc01aea18e61a995567dd762d24

SHA512
3ed049279575267c9ad811ef45478add1fe2fcf5be7ce409f056d60ef76e17fcfc18c259ebf3bc7f61b273a1cc6d991eee3db95dea87365c49fbd5b9e76a7fbc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
690f141c103ea68023c59df53d388125

SHA1
a6ec52303757535db95c8dcca9edd85bdf85ea25

SHA256
e6b8436fa7762f03d379ec0d5518f0f4779139c86711a71df72f66a935189870

SHA512
2671b88f794ddc38edce41ba59a87d6504690fa81da238f56fba900406f89bfde2c33ff186ede7f5890f119a33744c93a21b1e4c132a94a23b9d59dbadfa9093

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
faf7f3762e7be422c902c84c9ef51dd2

SHA1
2d278562cb79d12d74a88fd366113b47a7580387

SHA256
4ab3777f26c0fbbe58be01ec4702f1c071fb1d1af70a1b0095f9fec57036c80b

SHA512
f7d5c075bf5ac8eba68e1bba8063effe8fd9a6f3923f886e4e5b0c5302633760e2da534b7c071af8bffab96fcf5298331429c3eb94ee1764e1561ff0f13e86e9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
588cff8ed982ba5f7f3d0c146b664429

SHA1
3286439037b2ddd9f307f0aa6654c0fdf85c3870

SHA256
c140aa3179acf2fbccbdd8221fb0383566925f79bac0de3258f8f5a4b56036ec

SHA512
89ae133318faaf43b7082870b3734cd5707a7d8b5caeb57259995326fc761da482239e52e51592eacb675e68c5a619312c1309be88e7dd56d7cf5151b629470c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fa2c2ff1436c426d0d9cc805b6104ccd

SHA1
945719b5fa8af9f5a3565a263726e457e4900ca3

SHA256
499a86d9dffc9985459e3b8f6c01905e0799f323fa3f825041eea1e9a2c9b266

SHA512
e0dec7c2624c2eea3007e1f16fe549fd2a816e028ce0a0fdbcb21d46ed85ed2919b79c1f3bac2c8342b913d19976d7e7406603ebaa3fa92560d9645d2b54fd2b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6c84885946a46b3f51c3792bc70a8e60

SHA1
afc2087c772bac84c2600d386b19b966499214a0

SHA256
7066f8dea842ef7c2bf296f24f40126362e775a466bf634cff04e36a5bae48b5

SHA512
bb0d520f75178b1a7249e303da1134bfd3919f74a2a05c17f7cdbf1f2b0c7d58eacc5414e30adacd4204248fc6bd41aea294999b3a01ef5c1fc7b0418b6228f9

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8a58f13d2d8139ac814edf26e7880e1e

SHA1
cfbcf966a3c1ecde9eae64e2c908a4829bf9aaa4

SHA256
273da2e49b6f8a4681d9e15ca43155d27f975287609600cb14974df0b30ae97b

SHA512
ead71f26df7617db3fa1d807f02e798381f4b92ab82b56e2d0fc3e4fb35aaa2dd1b7415fd514a6c0a653c2df4e4cdde14b6a9916d5f74de83d50e024923354c8

Download Submit
memory/444-30-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/444-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/444-8-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/444-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/1260-23-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1260-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1260-238-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1260-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1376-237-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1376-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1392-248-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1392-252-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1712-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1712-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1832-335-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1832-489-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1900-482-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1900-303-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2260-333-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2260-282-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2572-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2572-491-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-289-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2972-79-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2972-73-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2972-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2972-243-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3188-70-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3188-68-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3188-57-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3188-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3188-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3220-271-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3220-329-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3220-273-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/3368-478-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3368-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3484-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3484-487-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3740-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3740-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3740-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3740-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4132-483-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4132-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4248-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4248-488-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4400-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4400-486-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4524-258-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4524-325-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4524-264-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4524-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4740-321-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4740-253-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4840-33-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4840-42-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4840-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4840-239-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4860-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4860-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4860-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download