9bea0e110f705ffd7cd66c71ed1f902659516e7376230935d5d8a03473097120

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
Size

677KB
MD5

1576c7956bbe36ed8591988b429b1e8d
SHA1

be65cb41cb7f13866d4fd03daf89f68898efd0df
SHA256

9bea0e110f705ffd7cd66c71ed1f902659516e7376230935d5d8a03473097120
SHA512

aa974c882e9d12a7c7b12ccacdf493da06ad9eefd5b1835ac6abb34df15c7ddeaa57fe2cdaf810996f12a094c99596ffbe1531f5d8f8ea4a5d63bf73d658916c
SSDEEP

12288:QvXk18DFaBfvfoPDct6SlxlwkJJrqQoUhTFfPLgpRtHmr/UNvp8hMoZUDNF:Ek1AayDcMkqQpRQmr/UN4MbN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4852	alg.exe
1656	DiagnosticsHub.StandardCollector.Service.exe
4828	elevation_service.exe
2592	fxssvc.exe
3524	elevation_service.exe
2328	maintenanceservice.exe
5012	OSE.EXE
3648	msdtc.exe
3964	PerceptionSimulationService.exe
3856	perfhost.exe
3516	locator.exe
4000	SensorDataService.exe
1792	snmptrap.exe
644	spectrum.exe
628	ssh-agent.exe
448	TieringEngineService.exe
5036	AgentService.exe
1004	vds.exe
2944	vssvc.exe
4416	wbengine.exe
4740	WmiApSrv.exe
4664	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ce2d3ffaa61dacc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000625e3ba8139eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000907ddda8139eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef4a28a8139eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8ceada8139eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b4d09a8139eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008593b2a8139eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099ae0ba8139eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e8280a8139eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1656	DiagnosticsHub.StandardCollector.Service.exe
1656	DiagnosticsHub.StandardCollector.Service.exe
1656	DiagnosticsHub.StandardCollector.Service.exe
1656	DiagnosticsHub.StandardCollector.Service.exe
1656	DiagnosticsHub.StandardCollector.Service.exe
1656	DiagnosticsHub.StandardCollector.Service.exe
1656	DiagnosticsHub.StandardCollector.Service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe
4828	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4644	2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
Token: SeAuditPrivilege	2592	fxssvc.exe
Token: SeDebugPrivilege	1656	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4828	elevation_service.exe
Token: SeRestorePrivilege	448	TieringEngineService.exe
Token: SeManageVolumePrivilege	448	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5036	AgentService.exe
Token: SeBackupPrivilege	2944	vssvc.exe
Token: SeRestorePrivilege	2944	vssvc.exe
Token: SeAuditPrivilege	2944	vssvc.exe
Token: SeBackupPrivilege	4416	wbengine.exe
Token: SeRestorePrivilege	4416	wbengine.exe
Token: SeSecurityPrivilege	4416	wbengine.exe
Token: 33	4664	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4664	SearchIndexer.exe
Token: SeDebugPrivilege	4828	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4132	4664	SearchIndexer.exe	130
PID 4664 wrote to memory of 4132	4664	SearchIndexer.exe	130
PID 4664 wrote to memory of 2540	4664	SearchIndexer.exe	131
PID 4664 wrote to memory of 2540	4664	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_1576c7956bbe36ed8591988b429b1e8d_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4824

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3524

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2328

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3648

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4000

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:644

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4132
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fa5552fe0118dec37d1e2b3c887b91be

SHA1
599d1ef4a93175465074efc8dbe7f12efc007808

SHA256
da592f0fdc4f7f02ddb8feed6afc3cfd7965fa4de4584c6944e89ea69e5ad5ba

SHA512
266c3fdeffc82a9a34168fd54f9da26eb1654a485e0d94a471f6d2486b8d9b3508479bfc17b2dde9dfeb1fd7cbf44dd2f114570d6fb9375412bb7a7021a61931

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
aee89fbdd6fbd18778635a8e3849f91f

SHA1
8fd2c2eec7f6241b1354828f046f2b20e2089e53

SHA256
c1228879399d584d5652a52b132ef2c9e4200d690151c4eb331d8f07fbdf9c76

SHA512
7a45ac547a714042219d9036123d022a6810da96c7d8a4777cf6506409cbc6d7d63016772761077f8b63879c5e9ca45cea74ca017c1d95f0aafc311cfa2d8a49

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
818d005881dbdd639a3101c8755543c0

SHA1
bc984de1e73d2f2e2609cc667e6d520846ae4e44

SHA256
3cf2c4dae393ca497885f285665f41779fea5bcf3e8c91944987db4347ad258c

SHA512
3133ee60bbdea967fdee8b0d00ecae1e74f6f7a9319608ccc1674266ca703dfa7de34d7c9a0aad63426fc027dbf1973141585f8aa1c21ea88ba46c5b3bd00b77

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b90e1aabb672614947dcd2f0b344b4c6

SHA1
51b244f52961ed7f5b16ecbdc9e831f723952c74

SHA256
30a06cc35ffe14e4783af83bc47c0cc0c0860f4355cb683ee799e2f8d9805c6b

SHA512
788c546a054f9d8fb44ba406e937d72b8c274abf2ac93ecddc725d99775bd75b12fdcf908d4740b32c95bfce21bef465e8bf967a9e93d99afbf0d76f38a716db

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
495108b7742ce704f94a60e1df64a2df

SHA1
2f129a69212bccc35b3fd1736b287ffdaa218276

SHA256
212a1042e6e078b4def7511a88dbf639a07062b90c286da838d562b5ab1d49cd

SHA512
c98b3b01c00ea343432cca25f3e8856067c25346ce940534bc2c5e5ad8a72378e5e3a2f4aea3affc381574e795e31a4b90d89d842858a50310d67d6237cdf505

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fb93390dce92d3a9f72b0281d19cf0e8

SHA1
91e9fe564e6f5d2880e5aaa0dc0e1ecd8c77b4e2

SHA256
3808ee19be8fe647a5fc648b98750eadc23554bff32ee22cf28f4528002cc9c8

SHA512
9c6d1079f0d218b95cd34a8aeda5d5aa9b29d817b43f978d2d9e07bcbd4068b6208d2e47a3bbcba325bd791c17dc64e689ef2bb9aa2faf175f06594f699b1112

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
429fba0928dbf3261899e430691928b8

SHA1
6b1e3782c38500dd2221987109ed2b21258ceb11

SHA256
7ef43b698a23b68f68f3f0a108e02b99af99b03c317001f2311d3ec1c086064a

SHA512
b8bfbf785f5464caeb7993f124c03513b96c245ca7e47e7ed861dc28e8b8dddad860ea63bc8db6d37e52b1938b366783508df455ac7a74ac106d81121929b243

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b832be759c4847e75e69286f98cdfaf2

SHA1
ba57c5a122b65bb4176e14b9db70031b9e582a2b

SHA256
fc364e9647d84383e107de8524b550f1c9857dd527a007961ffe5a8999a8f821

SHA512
6fe090982da5b2f2bc345296e5332a3d48f4feda3fbd15e339e67920f27a139a26cfec7f60f3c908b3b9af1d2ff1df32c16294d94137098a7223c87f7c9b3e3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ae35f28cb8e7d4de672eb366642d3b9a

SHA1
c968acd9189ead0b73e582358123a2bc339166c0

SHA256
76c0b0254a1ffd0b638c635eafa34859c5217882096215cdcf3694bd8fa753f9

SHA512
71f02c398d5ac771a10c2521d68ff4168a72ac12b85debd9054343f983ceacffe89630a5cb48901451b965756682ec8bc9c3f861bf42c665539f0929eaa5f0ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
88f4cb5c3b163bf83101b52e5709c176

SHA1
c7e45f7b534abf138bd0bbd87525467f53606eee

SHA256
52606db9b484b3dea53125ae7cf9ee124cdeeb54861f30918a1ebf7784762372

SHA512
65174871e8040bf9292ee4aeeaeabe3949533492a501935dbdc6afbd985b10170307f3f9c81f91675b511acedf545e587a8d8f8c7c95ebe37df5f282c547eedd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
60d7a1b0591b382ea416b4dea8982a6a

SHA1
f31e3f34c3af39244dd6e300e1a28793969266c1

SHA256
a4fcdde4b651926813b465514751069ddd49e53dcd9c7a343ca536479b7b9cc3

SHA512
cacaf2f92d3a8a48fd89ea68b72d1e1d2cac4893683cceb76cb96d651cc3b95502001265a98924dc7b01c91ce54567623855efc0493ff43ebbe9081ed960d7f6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
aaca304de1d7090f752b520dbdc133e5

SHA1
c514b6a5a2a5131a6132ad8b207383a5f481dab0

SHA256
a75557eae72591bd6d5bad410efa5c717a96fb8af1795797b176cc453c224309

SHA512
667302f071c44996a8c20e42eba2fbd7f52095b923ba514376c6a8aa26c4605a7c65b83b59cacd5237612d1b954be3494bae7ea265dd919bd340409b8099fd8a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
23362e715253241c47bcb84cb579d17d

SHA1
71f93770a6d890e41ace9c7bf5bc9329359be284

SHA256
022099455c887d3351a757ebefd3e327d57f93cf0b88cc257c4a8810c3797937

SHA512
ab563de5a76a444fc0c8492208b4f636cdebda3a96872c0ac9fbdee1be6455cc6260a3b77270f28baaaaac54127d10f9907886a3e5e29ab8b4d87b7805c8ec3e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6db5e4c03b8489c4509c9f07419afb69

SHA1
fa8f81bb2c9ce4754253003c91fd9ce0ffdb7842

SHA256
c5843770e5c6e0732b19d650b864242e3ebe52baf913ab333f3ae6e283ce1162

SHA512
8cd9472c0f9d3fcc178b1608fc7a49682af81eb39898a2ea03b31b6fabedddf211be99bbc710fa16ceac5f1e0a115c3426f80350e07cc4eca276a4b86110d7a3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
855712618b5ca9e892978ff789906532

SHA1
0c8fb9f7c57ec2a5d2a7d901e7728ec2c2e1a197

SHA256
020f78ba5e682df4e3e8495e2f67f47b63d907af854c9faad8b67d74e24fa537

SHA512
0fc3a9d76ad0f6753e6074634b8ce1c05aa0978a343e2aef8db300428b49131fe20cb0d19ecde0685497c6a20fad276b0be29e640ff26d730418a18afba289da

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
9da3225bc52689e44f2b2d6a5e1e74cf

SHA1
c31bfaadbbed10743c3fff62df47ba5d7ee3aa75

SHA256
abb6c6ebcaff562e69545701faf298aacf3e5178c460805aed0683167d7ef146

SHA512
13ed4753e564e84d0a785ee95b6b0fa320347a0916e7c574dcf24f6d7eebb48b6262cddeb458957ef50d64d1f4c0566917102987fc3142f3b255b77eba5413cb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
05b965f487a392bf9b6772143849c9fa

SHA1
83f8ee7425592cca6c9dd094eb243109630f6407

SHA256
839d141c7f7cb5bbd6e4e8ba59d2cf9ed2165de570cdd8e170ba4a905019bc41

SHA512
f9268dd914f0da474df282b64ec5c1d0d5d3cf1059c4f513b311e41b40f230b2a446c7c450ad328813a91b3550285a7bb93159f3c3938887751dd74663c35d87

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
6d12a93bfad9a1ae306b2b7a96069aea

SHA1
10fae0e082fc1cdc82346adc9f1de39ec8a74c8e

SHA256
b66a8f5f89805ed770a6169e46fa80e8644726b1f444913b206f2f84d80e8e92

SHA512
cb07514dae5fb707eb01b4c6dbccab3cdf3631af5206116f5965534bbac4a2836a7b6be2e17c084a4b680a285e06ef0dbafdfb3e37ddb493167e8d2b1c4b61b0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
c290cca1ab9867d6617d7c6e24d1a3b1

SHA1
b670b819cf534fa2e4b9d43b84c7c89ff3ccc9a8

SHA256
0c36401b5ae2d2f6a1b116139e06ef419804b16fa7d8af7ca5f61b02e494b284

SHA512
ae0252837ab70634b6c4d4fff46ff2241a29eb09fe5125bb07e07812124c7d857bf48dd231e1c4951f19f01152e753cf92dd0debacd2eb77c29418344ebba131

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
005f47150ff41178a9787b3da73a2a8b

SHA1
7ed9031c81309bd86a117c62a3aa97a68f345434

SHA256
82f6f971c147110e248e170cdf682e0040befc5c24007d2f0dea0635c5ef6740

SHA512
a00b14c4546d68a0c0641ba7da3c7cb85ee9f79ff41d9f183b4fb4d83448d16cde2867c59a53e616d4d10727a095e304d11ef26bcfd2f23f8b5bc4d9b0323a3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
89788d77d9157e9d0d49a8d8c6620661

SHA1
87879c1cb0c58ed003781726084f686fb030aac4

SHA256
d85ace7665f792dbf5e561d35fbb91e16a3a77212ac696d175f2e5ee5ead8166

SHA512
6ed0bee489c0a8b15033bdfdd078939229b5da655ff5c3c53b9f76d8d685de6f000d6edf7e2eef0ad72db4ba8718c77b513fe373c113b37e8c04def49dc6047f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8bed885abd90dda4dc614e4d444b841f

SHA1
57ce1fc914a2aa3bd5cb5904898afb49d9b1ca31

SHA256
fe63b03de1ad9a14ca609b0115442ae1f4cc5c51fd5d395eab10b9c689fb30ad

SHA512
b11e162f754b556f06db218aa0afdf86903093582be2dcec2d1cf2943f1e0472596181baac0e5af524ef6fd59c5c7342d0eaecb7b0325394d3c85c27a7969aeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
dbedb2b4ab89f96813d513de7489d3ac

SHA1
0e9f5653522377692898bf35f82f7e8dc75fba95

SHA256
c8b463de8dc3ed536c2324fd9940dc2b253d09869887bcdd90a97cfde2977c39

SHA512
a53591884d2a0a9f6c5469e4b7677bfa2e485da1844f9793e675e5b91fb540b6bb69f832521a1f031a4bf8a34f7d84944218538b8e92876faf1f82d9f949dc5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c7ae6c561bbc11c993ad5f7d07fe14c3

SHA1
4dae11d96b66d97a0161e6bd492f61ec84827f8e

SHA256
d05dc492ec850d16cdd9bfe2996ea7bd47b486fd8e0d56dfbffb0b5265aa131e

SHA512
f0d4cdd1edd2f2759004bd4e17f876042a46e6657ca95a62514e5b59d84b1853571e09c7725fa13c94e72774c4c8447ada832aed669cf4126d0c8dca859a000a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
eb6a8ffb93110e79ae941aa36aaa61bb

SHA1
084852c4e5b3bcf585d32c44c1a943805b57848c

SHA256
72ef3816faa43edbe801a147ac3cbd8f3bd965cfbf61442195ec1098fb63efda

SHA512
7986622e081a6c40bfd41434a79fec8e2e27bfa2aebe75789d01f21779453930db1cb5f7046245cb907eac4231640a94db32a3ea0ad0c55d91fe67cf4acad542

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2e1f31d9a7ee866fabd509a21230ae9c

SHA1
f05c3ada1423b831597407d33c039b2b18a1d02e

SHA256
24b496602cb44894bdf75d5cbcb78107d0ac8511957edab098c3183a3fd8dfee

SHA512
36e90a78ff7fe9c61f95984e13182bace10d0f5cd0e498cca992423d48b531ba7b839fd1b169ae6b58ca41f08453b076fee660de8085983d130f70a8ec19566b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
cde491d6aa532110bedd2cdeebaed263

SHA1
4ee9de3b10d1d8752b51cfe1cf145bb38d0e626a

SHA256
e9a38110411d38dbeca859ef739cebc3b7d57461d8837e71878dc54c8938a531

SHA512
93ad0437fb7670e7434b0dfdd363f4ab1378925bc0035e2920b0046959891a369d41f10d36eecf22ea858b5c8c9260c48218bfacdf033e356bb0e481464124d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2e9a0c722ffa7c932d46af44e9c6798f

SHA1
55d5959ef25ee60487eb81fad12f9d04d96421a4

SHA256
b4d114d38ca871645892a6fc8eeff84a90c9815cfdfd5cbf04b782ff13192c36

SHA512
76afdabc37ec1789968a486ec960ab9b2360ef36c0b0173327bc83f55009ce1dfdf4815f7672293aea59bab3c2fd9e1e7e3e6ec5cc822837488f50c305b9cb75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
aca80168a421f80efb10f9224f9bef94

SHA1
01df68462580c3f0fa3a10f8bff9e9b193e7211e

SHA256
6cdc6365997dbdeee5cf4483b81cb1f217819b8560d59146b2bd46f786f5c071

SHA512
8aa24139bc8adf2ed8bb6c5a9d98c295fe637e71c11342bee52386bd29c0a584c658c3f7bf44f900836e3eba7f165d898ee0ea53499376751f0872ffb4d927ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d546faeba1d1b1514b7af39d459ab2f3

SHA1
81aeba5b7bf58431e2f719b704072d83a5078bef

SHA256
869a97ce9d22754a75330a7f4b1d9d476aea406a4bde7d74f45e7183cd3f9b06

SHA512
71e386a99e54ad58021b4bdceda6e87fa88df977d89b2a34dea31a7703196382e51bae27446fccab34ce3f018b482213bbf133cd03fb775f03f1c6c3c08a20e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
66c92f69a30edacf1a780510ead21454

SHA1
bb17ca2f896444b8ccb1c9e239c45096cdb2d7fc

SHA256
529022becbff0e038ef0e5d2c5666ab8447247c0cd53fd3d8cb8ffc19396cf89

SHA512
3d1a63b9d5e3cf9f809e4b9b50192b8a76e1907f8e92165a946eed0320174dcf23124dc6e8b7f106bcf3b392a5c69a1d5d49c45c594cf97cc0a35e612b10a8c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
95d484c2e4da9a234a8c3eb889dbe3fc

SHA1
27c5a2742b502031c3e96e8b5cbdce32cec067c7

SHA256
206bee745273a9dbc7bf6b135cf2cc2f6a8b20e0404b65cd921c73aac54a135a

SHA512
47357f072605e72d1ebb76329d50c5f336ca3df9a77a9575c1bcce082ada30c288f439198ec538560d6f7e981466f8ff1197ab7e93ad763fd80052a391f501c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b224aed7205b6cf99fff3c0b011e4b79

SHA1
349c8e9b3cc706231ac000f86a606db0745cf18a

SHA256
3e6e26427ff651b162c1885216143dac74a8aed22e8f67c56f80f54cfef28d10

SHA512
7f428690281687c11f97bb5ecf85995907ec2cc80e7c0915397e4d4f112dcf84416d7b16ec582ac8359039aad2781cde141d2795b456779fd36d82540b20b3a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9e576351b381941e59e4226f30af53a6

SHA1
66bde30f7dd8497ce2189755b90369e6d1e4838b

SHA256
94c86e6f9ff982f6d0e1bc0027347852ee5be5829e0002cbd06b657996d9fd21

SHA512
1f952b6cfc2333643e781b3fa9a0ced4578d44953b52732c738e3e4c28f05390ba3edd687dd90fca1f58828e9ce5c5099073e83eb1733cdfaa5a3c4270eaeae5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
eb489d8496122178a6fc7645751158ca

SHA1
1a381b545a2659a71a949b1aed7c3b9e8500550c

SHA256
ce28436639391a89f8fb611a8af207a9887adcae62e9769d552bb08f4f09c7f2

SHA512
1ad9ef6da1b8f220afa06c1dfbfa46baaeb3572edf35777d8fcec3784f20b46e500999f20515b7e19c3bcbad7bffb76a76f59657ee91d543c463e51a855ea000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c37baa9ee743213e3758e80924e032d5

SHA1
22306a5459f75ff4398fabeae09605b4a3c52d08

SHA256
f11c134ae623a749381f76436f4674d7c593abeda0b3c6bb36addfd32d9bd829

SHA512
6a9bf861b6fd79524528e552863a8af2a08fb5386d24cd5293750543754f7b87ed804eed00f66507bd14752bfb4b8aad7ab59f2889edf02d0fa1099f1f7475b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
53b0f670dc3b04623d00cf4a5fdfa914

SHA1
e58d5f68e4f4293e5d6e8e81bab9821bc22a01c5

SHA256
4f824b741657e607e3befc796d1ef2190ddb3581a376d5a2e64d82f6bb2e9cd4

SHA512
77ee6f6b6750673d39ecef0531c8e6b3a25ac06d4763a7dae029913fdfe73f193b518446e6be3160f395b602510f9457921af19f5160e3ad213bade9a834ce65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
208ec5a60c3d3e4fb6c92449d727d8af

SHA1
0aff60beb502a66c936b47913e34258eb048140c

SHA256
09eb17a450fe76e4216f4293a0fe979a80d114e293c909d61871de6429c23944

SHA512
696f71b1a1a03056cd1bee7ccc62ff1fc1d42f802addda4ef7d7ffeda44c59506168dbf1c513b5d1f0a664a69b5d03dbb7ee754641932192a7826627bfc5a214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
264f242d2f787590625d0d17bfb4994f

SHA1
c626f7d72a332ec4cc3469b064f0c23d3ce0964d

SHA256
6df9ac0a99a09bd008118d9b7e79b3689479f34e114853207e9921458a407bed

SHA512
61f889ccf514c804188870335ee6a22cb990407698cce170dc4b5ee177acf347d9138831921e9dd1eeac8c47fc3000cc707422ff4e6eea141d9e68b71b2b93eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
3b9c90f9f6d46be8e79a209afcf47bda

SHA1
d21ddc30d598e777472d54f2201f54e556177c13

SHA256
92cf355d0bfcc2817bc94021d9dabac4f16b69eefccc895338abe84507afec57

SHA512
ba7c3ff8076040e21f82270d58158b49e52819cc67292e157b1ea655491ac2e7180a7583e1aaa88d27459f40d65c243b8e8e2902ebcc64b9dc922e9a06f3bb88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
5e1bd5a89236a83dee55ddd3208965ac

SHA1
4691e98dcba0624939ab75a23a814f2836921e01

SHA256
9b6ace28c868ecb36b95c9b3f6f3cb8faab4188b3b408ef26e9b691bd5536169

SHA512
ec6b749d75d7f9fc1be76e12b4a419766b3bf1a03f62577fdfab6451a23f55c1ae1d355569584080faff0444d90b03e6d172b64a0b37220a35a24a05b664bb2a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
78dc7dfd9656588ba7f3f95729994019

SHA1
2981f277901ba2ebc74096ac041ef99051dba34d

SHA256
b8242a5876ba45a8eaba2392a5550db0626d159cbde7528e404de14eacfe21af

SHA512
32a5da0493280b60dee5437c68d9b701b8ac7b01acc5bba157cefa7d19aeae6ade5a661ae77f6e898b5298dba474a73d0af4a76242fe835cb6b3f3c5ac854cb1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d2a43fbe3cdf754ce97e18c88db2719d

SHA1
7f7bbf5bbdf7aadfcc0a8056ad7bc48b4ebd82b0

SHA256
95a45bb0e60358d8b7ae0cfde0f6d5dea8200899e9fb738d3cd4e3f66afc5242

SHA512
17dba2315a3b9b0d90c9ca542cc778777d0355e35733561cf3f348296e47bd799217d851e40c4cfe4f5a297c8f6c8fed599af5c3675144c574bcc07905d21c34

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bade9a7a5de427a343ef065334b1682e

SHA1
434362210237b244144dc5ad1149dd94475be530

SHA256
912d3a1fb3fd7d5fad7a5d71d6fd1f3a259a302b826670526886c79eb6d68c70

SHA512
b94a04165595a1c5b6d7332eb026e907ca0fe7e1b1875979ed4c7c83c78d5ffcd048c54761630d688c19c86bace7a43ee0dfc0b77fcce91b53e610dcd43be0f8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
80f416b8f9145dedabb0cd16e2759f91

SHA1
a78bfb90f043177a731dd54034e0cb1246a4178f

SHA256
7326f14599ef201cabd267fe53ca983fe9acd3bb65ce4777143fa6a5185d5d9c

SHA512
cf09f33b30d8be3c8dbb3ec749a6a1da97819a766e57249abb5eccc1a1f808bb0e854c49d54b218cccdf5fef6bd23171c65f81bfb8d1f24dcef2360c518bf704

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9838fcc4d681227ad96ed70d13c794f5

SHA1
ec61b34c84b3271896bb9106f482e882c7ec0815

SHA256
cc104b1349edd7ecbf726f8b538395cd0c667969c14530e9d10bdbbde86ce105

SHA512
3bc0eaef5d5bc792399d1b69742803fb737cc2071d440fb1ac6413022a719ea514c0d5fbb333bd13ebed76044de2251c62e2c3e1a48e7b3e587601af35fb251f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
43ad9fbc59b8b791018ef5362899e441

SHA1
e267a01113f756b608738ab3a5c47ab61ad5098c

SHA256
6302a8db79d94687453f8b874aa1f08b10769e23273e4e1bf075d8a7a3e4728c

SHA512
d49d3fa12b2c8c0aa0a149ab4b2f36df5f877394aab57585eb800664e3082b50fb1d67de67203e71aaf209de17c5fafdedb7efc9965f3e52a4fc25b98f76d3a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
15805c44c17ff797b81b1bea6f4d213a

SHA1
6eea5b3c5430ed7e0fbcaad59072bd562f9d8f07

SHA256
93da5a9d8e86de2b00020700f897c1bc98596c9f29fab211ac3acd0399449c39

SHA512
18dbb2a298ad5c26e9c94c0a1f3dafdbc2874838aea2bdc9da2515778953a5815ddc569879de883983d7d550ccc0d62e58e20a180822bdb22d9d512629485d9a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
044f6a8a21b6bcfa3f7ac8f595225635

SHA1
5a89c18e07fbf910e6f411c41483b2343bd4b25e

SHA256
8d0aa49b5add99c0287e7035cb9c704d241406ad11f719de31d6269d846291cf

SHA512
7dde57f7fb296c424bdf78039ffbeb24ad3502f23fb672680e427a324eb8d6f6c27ab92f023e99025aca39774d54fc162ee50eae6b7fc6a19e327ad26863f5b2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a567c76e2ca5e8b3886601a48a7f7eef

SHA1
9ccff729c560e0743aaaad34ae5013a7ac15f264

SHA256
c8aa8e15fc99862520dd046f32fbb9d0534d1af1aac11e2a267a82fceee2c1a8

SHA512
578cad2f46925eebfac1717ec3a763ea9893c474b9fdf13fc4a8eb0127275f2f17cf131ad1004854aab123a7fae7f2042cb61e639e48cf4b83eac699c5e79289

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
30ca8d3c5fb2085ddb262220ef32a784

SHA1
f775cf51f5d3f8fe0f01cd0edf412eefa562ef9a

SHA256
5fddd9581394fef3a3114a98123337702c9f519f932a38e23c78931b3040a17e

SHA512
3363f00314eaa675a7b1a35d3a8cf913443dfefe49c1a0faf9bd2f234354fa5aeb5be6bf44f7e39c3b59061fa241fe17e9b6cc8fba6e163841b2ae56eab38138

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a2a8395297d547ca5c6e3dbf30f3ba27

SHA1
31d30322d691adb2fdbee86a5d1840ea05a4d526

SHA256
a57855abb06aad885585785fca3440961e21f90ad7f5662df3a095fe030289f1

SHA512
54e9ecea917bacd9b92be9adf9b0d895e470c96703494a0a273024e87ebad0cbbf88dcb068cd0a06a942638becad3e6e0fbd78fa6102022a261e90fe525d2ff6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7e67035185a4fa777b370b917c104cf8

SHA1
77c85c2b776fb75caa2aab64c8eec9fbce3c2898

SHA256
7f52724ab79adb771a7ac8082f26e03dfd30eb6ae1a7ae0a1073307fee3bda60

SHA512
5762cbea64851670a5211ec437575b7d34ddc8ede468b24db2782a7038fd3514e7a350047a3b4e434db15d604ac958585adaa3dfbe2d3dbbffc09408cd1a8ed0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
859690003cffe540c54382cb6bf35987

SHA1
33517ebf138b66e7416ef76f9494f8ea38678cb1

SHA256
673c7b058df5fd988e82308efc2ca41030ec34f19d49811dac54c6b5828346bb

SHA512
1fefe57aa0d49e5c465db5b169f6f2a5d66c55e6f722f6e5448cbdd5b8add639acd6b0aa04dd70e2f683a914ed3b02ce9bfbed943908aef021bf2ff90f020cf9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
52d739fd7b1c2af638a3fef8e2ffbc56

SHA1
5fe4487159bbf5747081d0d1f929c08f7250d55e

SHA256
5a1076543f299064e719298f456084ed6307f7c3d3df05343dc6c336b2217412

SHA512
f6df53912c7482c00bcb6472dd2eb58fb71a25da4b6ea240388f46dd0bc6db8dc07d23cfdeddb7891a8830409ead70084b70754859903e9da08f712da94703b5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
29db6298cb5f65beedbd7d48f30d007a

SHA1
a217200c17a201f483ad9834c18a850dad3f0e4d

SHA256
81f1ed1d337d5581e0a22d5062661971a524deeba4817470b28baead210f6836

SHA512
df07a894bb89cd8ea7270af0825d9cfec7044310c945e09e1bcb7aeb7fd0df9a9dae3f95a9eb41f28535bea5659d2334997c64201ef53d54bf2c012b408d81e3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e35c064ea327c4ba61e675f54d85b121

SHA1
f100e5f5386c32b54c573bfe65acb16d640f2a51

SHA256
c239cd4e84415a01acbd9d574b9a3c968589404732b623e7407495e97ad99fe0

SHA512
be7ead768454aecf048e8b8809ab4b824d9ba67d2432237b72007356391826107b5ae90add1018ed49e616a14b7bc5dcd847b4a76b24a76e5a363f780e8427c9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1a216eac17a0fbddfb79458d6875289c

SHA1
f6d8968374253980ac1f40276675d75d06b2ebea

SHA256
7aaa6f2bfd602021dd6b32b9a9563a87c2f6ede02198a04ec55fae07f7af3a23

SHA512
c77e0ad1f54946e474dc7921b57d6ddb2340a8ec63bad9f235f7ea2f7ec5ef2e6d5a8864b22b30fa26d062dd9aea5a5f9d7e5fae994f67acab56b52205940401

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
10eda271300d1c96d4cdd8e4ffdf6c9f

SHA1
05ed7e361d0d0f2b21963bc29bef96169d84b2b6

SHA256
6ae787ca922b5dbab68f84b578d107bd045413d6cbdcf05406215fd2e36e1c0b

SHA512
0c27840e3ce9f7b4c94fc93808adfec9984f7d76b966784364a6b3c7732b200b245054bb20aa65fe7537c99b214eee63de6256c552ae200526e9c6dff2a4b522

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
38e97233f8b6962218041983d7558002

SHA1
e2425305a651d327c9ab961e4eeaed30526580e1

SHA256
8e0cd1d574b6aa73c1034400206d79d30eeb9b6a941e844de7afce5a4a84654a

SHA512
01eda453de00ffa323237c1f313c5c3c9a8732c0d5f23fcc2a771e8a3b6dd1d4a7451a0fcaf4af8df5ec86498ffa9c372b22690361750a9a2af6cefd52daf8c9

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
eb927d570e0209888545766c2233e90a

SHA1
c03f47344a96df9954b8274d8debd2c029591f55

SHA256
268b5a4ae2d72ea3efa428fd43368cd4d27c9ed1da69a9460ac22cf341625900

SHA512
a4e5b960fc5d0cbde3ba4cbc4c28bfb5fa018a056bd139f00d55cc2f4a041260f70230828145f22e2646e8095684a8718b3a38506c13559f9f12dffcc41e3776

Download Submit
memory/448-531-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/448-313-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/628-530-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/628-301-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/644-290-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/644-528-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1004-534-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1004-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1656-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1656-15-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1656-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1656-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1656-21-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1792-429-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1792-287-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2328-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2328-60-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2328-66-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2328-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2328-71-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2592-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2592-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2944-535-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2944-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3516-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3516-332-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3524-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3524-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3524-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3524-54-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3648-320-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3648-252-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3856-271-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3856-270-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3856-328-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3964-324-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3964-258-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3964-266-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3964-260-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4000-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4000-529-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4000-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4416-536-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4644-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4644-1-0x00000000020F0000-0x0000000002157000-memory.dmp

Filesize
412KB

Download
memory/4644-6-0x00000000020F0000-0x0000000002157000-memory.dmp

Filesize
412KB

Download
memory/4644-31-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4664-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4664-539-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4740-333-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4740-537-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4828-43-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4828-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4828-41-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4828-35-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4828-243-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4852-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4852-241-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5012-81-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5012-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5012-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5036-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5036-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download