7ba6fa2791f3751e31d0a5e58a1f46f4fc9f4e81de0c12a8df2f139dcbae5f3f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_faf86a164d012e2682aac605e33fa0e6_bkransomware_karagany.exe
Size

1.3MB
MD5

faf86a164d012e2682aac605e33fa0e6
SHA1

1ac8ccc9f4dea46ad8cf5b82e7744e65a90b918c
SHA256

7ba6fa2791f3751e31d0a5e58a1f46f4fc9f4e81de0c12a8df2f139dcbae5f3f
SHA512

49326f4b2fd3906275f88715f731859f6599972dd5cf01f2cd26012d04831285b36bff48dc00e29a2cd1ac8288fded88595bcdc43ac94af221b45cf8d022766b
SSDEEP

12288:svXk1SXI7vgbrWVQhTCYHvRktx/aICF9flefuKaO0VQ/:Ik1d743TvRk6NwG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3128	alg.exe
464	DiagnosticsHub.StandardCollector.Service.exe
4028	elevation_service.exe
3216	elevation_service.exe
1628	maintenanceservice.exe
744	OSE.EXE
1848	fxssvc.exe
1760	msdtc.exe
316	PerceptionSimulationService.exe
4288	perfhost.exe
1528	locator.exe
3160	SensorDataService.exe
4304	snmptrap.exe
1316	spectrum.exe
1484	ssh-agent.exe
4720	TieringEngineService.exe
2168	AgentService.exe
1916	vds.exe
2392	vssvc.exe
3676	wbengine.exe
860	WmiApSrv.exe
452	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-25_faf86a164d012e2682aac605e33fa0e6_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_faf86a164d012e2682aac605e33fa0e6_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f2088ad2c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_faf86a164d012e2682aac605e33fa0e6_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_faf86a164d012e2682aac605e33fa0e6_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\BlockGroup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed81f6b46baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0c6beb56baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e11084b46baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000737467b46baeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000600dc2b46baeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed81f6b46baeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d148bdb46baeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
464	DiagnosticsHub.StandardCollector.Service.exe
464	DiagnosticsHub.StandardCollector.Service.exe
464	DiagnosticsHub.StandardCollector.Service.exe
464	DiagnosticsHub.StandardCollector.Service.exe
464	DiagnosticsHub.StandardCollector.Service.exe
464	DiagnosticsHub.StandardCollector.Service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe
4028	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5016	2024-05-25_faf86a164d012e2682aac605e33fa0e6_bkransomware_karagany.exe
Token: SeDebugPrivilege	464	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4028	elevation_service.exe
Token: SeAuditPrivilege	1848	fxssvc.exe
Token: SeRestorePrivilege	4720	TieringEngineService.exe
Token: SeManageVolumePrivilege	4720	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2168	AgentService.exe
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe
Token: SeBackupPrivilege	3676	wbengine.exe
Token: SeRestorePrivilege	3676	wbengine.exe
Token: SeSecurityPrivilege	3676	wbengine.exe
Token: 33	452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeDebugPrivilege	4028	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4532	452	SearchIndexer.exe	126
PID 452 wrote to memory of 4532	452	SearchIndexer.exe	126
PID 452 wrote to memory of 2548	452	SearchIndexer.exe	127
PID 452 wrote to memory of 2548	452	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_faf86a164d012e2682aac605e33fa0e6_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_faf86a164d012e2682aac605e33fa0e6_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3216

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3160

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1316

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1116

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4532
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bfea048891e348e74f69f2f6ba61f312

SHA1
9660c55ffd10c332d83595000a42bad94cfb346d

SHA256
1a6c7b81a52824a0e38250123deec935412e77eec8e077fa1da657b37621b154

SHA512
936db88ef58cc6278182bc28344905bf278f2643870da670968fab9297f0c969fb826be0124d97fb231b41e6f1510dbdb63adcd19390b62e9170dfecc5518ca3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4ec24b7a1e909fe77dffe29107bbc780

SHA1
1e8d17de5e255c6e844c8a960156112127ef41f1

SHA256
1b0d857b08bd8e9e0af04204aeaee41593d58964b1baf4d722b8cb13399bc6fd

SHA512
e1d8c3c39f0fef0d31e1f4c11e075b4ea0258a974ddb2dc96aa86a2185b5aac58785042848d662ce307f55cd2be94421aac9a03bf78696f6df397efa2887cf88

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8acc7a06e5c9e27e98d618b1d1935b7f

SHA1
5c6cfc6fa79e446f7fce8f8fd15fd8ffc8689719

SHA256
bbb33d944480ce7b67f443c48f61827aa9e2d9adda08471f05962d395abdeb83

SHA512
591efbcc70ed53c2d8a74342ebb6dcf9693880d406d168e0f913ec2932149600e0cb2d49a53320287ebcd37f47773945a704fd0c60be789c4f9082d6f5f1dba6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6ae3186439cb1c7649c2017981256287

SHA1
59b4166c66fb0d633531ef1d966bb954029502a0

SHA256
a78a2905007c20fd0470dd86755a3962326ffe73808c345f2c738d4401ebb96a

SHA512
0aae6ad95456de8d80529b0700fa60c9fe2495d6bc3fc33b59b93bf331d8b4a3a6ab7401f590837e731d97a35c2e11bc8829390f8dec8d5953c07337132f7d51

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d9532b1cad94c821b31f6de4f8c9ad89

SHA1
8520d5152fc93d1b8f13dd17e437266272a71a2e

SHA256
6334fa5673b0545dc1d2a1595fa2959d8ec0f83a3b3fb09d7ca2c50753f90ecd

SHA512
d65d458c14fdab94c3fbaef55191594376370432979e3213086c0a61fc35abb8cfcacf13978b89f46431b693b1904e9e0634761a3d4ae893895ab37db3c2a159

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
fc0e5439102c1fa94f484089ea878457

SHA1
73ced6ef9329862054f754fea54956765b8b82a2

SHA256
bd965d5612dd2f7cdfb031983afb1decace012d05f71c62353531911284b8b23

SHA512
ceedac7b7cb4d108d7679c97440f7c2552b8553b6c28697f64343267b825b973b5b86088cf709cf98b4635d62e57f55eacc0820a703ab6761f7d0ba8d1d42fb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
bc34b41cc28edb87be2a66600828f209

SHA1
1b20a24f743ef069619679e748b46b1c6269f3ef

SHA256
6e46618f0aa35158d6b39374fb8628c4333c2adb92dfc2ce28de2215b409153b

SHA512
31d9612c70fcf6c5f3b14217dd01c6989ad0d3b9e995156f5637dde66c2d21c3fb9470fc8ff56a0b331c9eb595e81108fe043c5cc114fee70176a547597fea3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0c346019915b4a943074ddf9f5709e64

SHA1
743fcfa690c3552da562a591e59aee8b52746bb3

SHA256
62bf9baad44eba15eccb1aa23e9b889d2488e6f9e20f9968016d8ee9ade7aaa4

SHA512
a64de3a8da6de18a83b393feac96cb31d9343984a60af6c581d6928db4b5102cf888373de10af3769b7db43c31c687114809dc1b2d2d5674ac74842dc512b33f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c6d0a241096f59baa9cccf75aed1c5b3

SHA1
c834647cb8a381ebdb735330d46df88eca8dc3d1

SHA256
ce8d236397704f39d82e1cfd047f7617b29f7babd15098d1d02b8fc33ec29a02

SHA512
05ad70fdbac21de277b20a0ea38fb5945029b9b8074403bbd4e6eaf78b10551529ba76fc132b1e4957590b75137843a543ea997d796b58dded28c02c2f13dfa4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c591fb8961db8eafc3322abf960074fa

SHA1
cdc69aac21013ff3064fa76d6e8032bb165d0e49

SHA256
3426c38969da6d602c707d528a32aba3ef9acb49d61cf928f903d33978a18ef8

SHA512
b548e63189bc70ad96a95e29c73564fc634779eb53d562a6cee3933ada8c065b3f67ac89174d1d63d60a23d70af76e85b2c6c0763aaaa3b932474fbae9d497d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
31f4afa2c4560812e01e5991f96ed7a9

SHA1
3bab5fa955854e1fb333fb6d36594450cbf21805

SHA256
d57364193a56e91d7645370374248e442d748b32f729f83d57aa7190fee9299c

SHA512
d39237f1e6eeebc2992f929a5ec4b18bbe8f5a7a1114f93c7467701a4a8ab134f4547b5d4c3b6b187998321f43e73568f076fbe71f74e9927dc5d04199ba16ea

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
03d524fb1461365ca86e37957cce1eb2

SHA1
2fea321f261bc5304a1e9ec3335dd2bf3126f126

SHA256
f93a0bcadd9d9e9490d291a695674d9df07f5651e04e93c69280f9f911c33b07

SHA512
a79de8c13f1197b09daee7fe7773318bdb81cbf41088116477236a63c0917d2a0f0a01ec157f48e4d57a475ae3563839a66452cda5536358ffd2d5ff99ce6ea7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a9d4ad3a172bc5dfa088a197faa5ec44

SHA1
73acfac9d267bc848489adae1899f89da62e9b35

SHA256
7735bed66db43e83ddfbeeb4a94714cc63dfd87f9769bf09a06bc0e8b613ae4f

SHA512
8033a77153a47a883d0f2c80e56170f5d0d819a69d8ab7a2475336b5247116797b2b4e62a8ed4e649732614cbfae8ccfbf1b5abd621779f078990c347e7cde4a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f76ec17edc772248283b808fe0483c08

SHA1
88299432ec0277273a9956d79de1397bbdba88de

SHA256
c1e40ae46f4bcb38ff5b6693e072c4c6e193df1d4afe8ccb02d2e7b0e313c8ff

SHA512
c63df065b177a5f461807ce733d59c6be24153527217834d1476bf6061a73a8c75a0d6902a19f8644de8c9e6027667a30db1e05522b68215fedd564b1b28ab00

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2baab2e14223f427c9f304d001cf7726

SHA1
405e7c034ee63193838eae3bc204c24c6d43680d

SHA256
465128cacad246c55f04794e052aa87ef54fad95b08716088b768d92c2fab407

SHA512
cb50d8f2e259edf166143163070cfd9ce3a56762099629f51430a37147ab842efd4818e07c74e0e64e3d6c567cd8d0c6156ece4e32abb6524e348a47a79497d1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
59e3f43d89c03c4e7dd0851acbc9740e

SHA1
581de407509b7149b79b14aaa52db8e94b8e1603

SHA256
93ed2ab3447a82e1b62fc0b8574d76359861c991896c23ee98cda92cf44d7d7f

SHA512
74cc8542d4dd346f1338207c96d49073eee0a1f1a114154d1ff5e95db854206f97f008998f4fedda699172fd30c0f266c572d1ae2c46b218ad3a1fd0a9ebe132

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
95b005deacddbdf77da4a9852f56e040

SHA1
a7cdf7435fbe6598b8a2e716ca408073a446c23f

SHA256
f27b1c61627642010609af33749d70439a5b511a0c091573c98bc672958bd1fc

SHA512
e461288b9b8c29a90a25ead66e212c94721adec140cbe5a15826059c43983788c8e2dd47fe37875526f04b61f3c37cce53b95ea3c92fe77f57bbb8db498947e8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8520f6dc58f656f6391e2549070625d3

SHA1
5b61dba10eeb069840cf2b195f6a4e1b3706b04d

SHA256
c0f6cf42188c6726bce597ac0aaa2d4f2dc021a5224c9a8cd103aa3fc3385af1

SHA512
57bfac7ff953ab679b1645eeb4b6ec0ded34f56b3b9b754bf2833f3a1a21a0b4015bcbbe2bdee3a00e6e2c8725ee0a77cd31bbb7c10f9d11608d7bf354522a8b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f371f335cf4655f676be1441c74bab93

SHA1
0c0d190a5b31292370d0ce437313e9a2c1064888

SHA256
9d1e29f6f8d632b2a18e75c294851a0f7b071b5fd604df27e355ef588698ba22

SHA512
d1161d26eea3c2784f1eb78f892b45d1985b6eb5ba9fc23adce37fc78a42fe8a24493c83985c447aba7ee89a02ff8f2ecbda8e5be07943d9956f26d1474c0be1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b36bf4b80f4055559013bb749a1cbb8f

SHA1
b3c833d866e654b144ac5ddb9ff2204b0bf02c1e

SHA256
af3f339b18cebdc4dcd9bc23c15faca9788535ce07bffd52f95223d1b164cbb3

SHA512
0a7419fc103c9534785ba67b2c3c9b1c8c1aaa6c78fe478007d68ac2e556ed8d41b534954faf17caf216e7449504bd3c00606d9b2bf1552191ee5d448f0b32fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
af460ea308dff0aa22cb69b8235d89ae

SHA1
3d949d19755a8d8debe8e2836af45de28c39080f

SHA256
ee38c64052376912def4faeceb51e25d12bc91e764529d85dabc1ff507bbfaf8

SHA512
6e12a371d922f67803ef943dcc2fd9929525157e4204327216138b6161da63fd2d1fec85a69f4677929977e7b2607c7f3f2dee340aa9de72eff0d20edfc65d00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
46c1aeeb5aecc971141aedecdcadf760

SHA1
9120e90000014bf8ac33e0322395612b53b3e22f

SHA256
052e0742488ec83033ae1aabf2d620fa085ec6407bdf6324ce8b81e5fdb0e9b9

SHA512
00deda95cf9edb3ab29e2719b07bc81d34619db67abd877ec08e24bff972fd7b9892071b680dc2e96c6365f384659a380eb4ee617dcf0d93c570d440d93c8ccb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
09bb51b90e8b17791c1cc758bc13d34c

SHA1
05c3b2ef5be25dbc33d8747700d60876161be4c3

SHA256
a9b71c92cf82d4bddffdd9eff463517d07672282039bd4f30d720da8b972b1f2

SHA512
1f2fc036c5ae9608e9ca67a211a2066cbc15f23cadd400833f684ff5776aa54c295afefc91fb5fadc80a6443cdda8c506ca042949614d743079046866b18c59c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b44a404e547c7b9576bed0eef02282d5

SHA1
f5d53fa21ca5a595d12a39cfdb2bdd8a0e5fea44

SHA256
c3f714b59255ac5d8f4b74072329670bd1cfb07a1a84d8889fa86a70d0c998d8

SHA512
8ee617bb343ce7bddeee76243faf64f764902f51ab25bb73e056b9d2e65e4d9c482c41f05f2ef2d6accc7b415b72c77ed5b697d2d335c8065fecc33577850255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
17ac38ea8f37dff45093a144a83823d0

SHA1
fcf243afd4e65a45a0e37a9b7de953af8b64657e

SHA256
e8ebeca26953db663581b7cf6c03b13aaa330dbe377f4381d3de2b87eeccb082

SHA512
e75d56699e4a040c145f802065a5e595066f56e174d80230ac9f644782ce9c9252263696c89f277cd7b53d1637140eb4a4aa3de39c35f5ebb7007c5a35f2ada0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
b647c1cfcf8a24a79a2fe11161a0e5a1

SHA1
2654ec79c275c432d27a68501b785e718fa9675d

SHA256
a1e61c6e6e8e0fbfba648675c02eb61004264111cecec2f684ce967b038a2d48

SHA512
cf4fd006b523f5e34511fb4f8574ba9c4bdef3e477983b9901a5d0b89a907622dc90638bf48c0326eaeb8fc7b8f4afe20cb2468ea4ad570e31827348162f2d8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
33f8647aab493c074d4ad19ad0f5a8bb

SHA1
59f41aaa3f46b824278ca8ff2782bb27a68a8aaf

SHA256
2aefbde6bb88b5fabfe97cda37096cee14bfba402d25d34a183b6160d4b946e8

SHA512
13383441b1bb59653e130a5e34e88b1e6b5e9b10f96205fcff0d616b97a961e8ff80022b5e9d4f56d9c3aec6625c1e645ed4e5a88b9b3c6feb1f0c854ece77b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ece863ad820cbb4c6ca875fcc9c059ae

SHA1
73e66c7e82c24eb3eb4f6518927e978d20a375a8

SHA256
685467a3a254905b6e2228fb82625a344f741f69e85ef6df5830df92c539f10f

SHA512
27290e03ee8e5c94e07d00eb9eb10d0cc14ade792f48f9b34a188c3a1f0a74452ca015859ab36179e7356dcf92e3fa6e80b7e8e3e96a3fe6cecf790a4d6dbbb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
74d17a909f6481f040d448eb6b216025

SHA1
280b72c4be86740f15dd113a28726b72de7e38a5

SHA256
9ba00cbd242dc56d4da63092104d58b9272cafa519f64ebb03cfbae72070c2cc

SHA512
e578c76b01aba4c2fcd8910557fc6e166b2adce38ee4903c452d950f1dae663d9e9943a230d4929b600efe1cf239b55c1467859761d483e2199502d6e899fe1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
66a5945f5b960a22ffdf1c1dad9b596e

SHA1
476a94f3a672491e53fe512f241eb38ac1efa15d

SHA256
d4ef35d91ac2a67920f203f0c8700f3eca73de64cda2a332243a41ab9300ffd8

SHA512
12efa85906e38ec1ee0895d4375016234869ebdab40ffee63841551ee74bcdbbeb13b31acb6e6387e1bf56bdedefe6123d38cc6b33a81e029b7d402f1686a378

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
eb32599d016769b5e04ab274dad20df4

SHA1
73fe0b89682483d70b1f5f6ef652a80f860edc4a

SHA256
bd3023153ebe1311b857b85ff5cfebb076771970d438887fbbf0f9f5e645e4a2

SHA512
7d4f0683fe4ef5bb46c6d57b0441e05d335ffa125aa72e1aef351d78f97c9dd3b26453954df249d97b9912b6c8f51344ba52b3c5a4cdb60a9064d941fdca3103

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d3e9163081b324a819dbf8a00e32eabb

SHA1
dfcfe407d5aef9b2052e6ecbdc485b7911cbbe23

SHA256
75427576e57035af7809c3e652b8c4ace598654a358ca50cbdf23051ee2e2857

SHA512
78ffe6bad7673aac7e60c39add000662aed97fff4658b976839141cd80629f182221f81b26f927e0bcaebb088cd8da779b6509b4681b15ae7539a1ae4c5b338b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2530fd296bc5407bbad4b221ef530e9f

SHA1
f420a3b0a2518b20d0fcfa458b5824967a55f8d7

SHA256
23bc7836dd1688e1cf97d709927ab45dcbe4b59abdf1fb2b67803c9b1266bb62

SHA512
524d9a88aa8499592ae9c11ab72b411d32a05dec9132e9a4a67303f174666fd9fda981dcf3ca02f41ea98b9b7177ef16cc4d3cfb639c6466b649279af1704381

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
02bdba2cfb0e563f017587356d95f5ca

SHA1
fbac3471beb1346d722c9d38961e94fee74ee848

SHA256
c16c61a8f0a12429c959807cc45f336461f4233d5ab9062e72d116869f0912cc

SHA512
bc4c7bf9bb4d45d70dac7fd753e595c3cac6177524bde63ab8f731f9e1987a088756ac1fbbe1207c95701f5a0591e396d5a604600039e385e205afb292520d0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
36084fd60ba94451d62ffeb7031e070e

SHA1
c8348174988caf2443ca9dcf8bcb8aa533fe6f1f

SHA256
0883da20deca9c30d7e2c0a3a0cd43db52f03439edb761ed57b30051631ef00d

SHA512
f05d5b6cc8efb48ca5557ffd572b816255a08bb0f5bd48ed1753491da5f07f2728751bdd9bb303b8e3e1a32048f5d55aa1a70b53cd16e481f347be626574b9db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
33750f5a903f3dd97bde06dfc10269b2

SHA1
a627e00e76eb0c8904b918f736629ebc01d4dde8

SHA256
1df8e1c8a4b652368d637387d34f1b3d0260a314951066043fd88da8d60b9101

SHA512
74bf8670d6631c0db08f4475c39a0a7eb349147ab15819b7ef78dee3877adf7042e0a48a546d92c97282c19d660bbbe4ff3b90cd0150c9520433da76b32e023e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
cef8d459cbc4100822b2da926694f912

SHA1
8290cbeda96b294f2d50f24ae264126ccc158c25

SHA256
54bbb4414b3c6f3c8011077e17ef171209c2e2a67c94b398a009290ebc420a78

SHA512
34ea3c2864382690bcdd68b0006157d364d2ab0f77aae4f5d0323e4eee11e1fee0d2406a3f9fdf88c07d56aeb66fccad201987d67a8c12a6a360e0f4db415c96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
7943db3cae6236a73e13310b3198c3a5

SHA1
29ffaad9475c27ad7e3e24ad434062b97db7eba5

SHA256
069f7b5373cd8d13c92ead793ebc0a260c7918a6766ed1d2b674733d7b5d379d

SHA512
cb20452d0b9b829b159b88ee8c823481d9819eb590304da0861222fbf2cb4918b6244f58e02be7c5a2186f02e9824a29321f8db63b3e1c5eefcbb862993d9111

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
090839ac3277894e552ad62f7ddf80d8

SHA1
92d9acb2f9f78f61e56d87c1a083de7e192b3cdf

SHA256
77f8a35b43783fa1c717e092805274ef9fdcb59b009ed84bd7a871942dd229c6

SHA512
d7582eabe3f2885dc9461511aae20fbe9ad7835c36a6173821dee608b57351b74fae98dec36a1f46f72f37258afcc3d9cae42a6d219123c1eacee755f10f02cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
4479f2e2823ebc37e6165bb940d133cd

SHA1
1ecf5f6a81af09fe94c23e5eb2825f6374a50399

SHA256
9a738cb959d98d816d54d44e171dd50824d1ece79c50593df26364d499e10236

SHA512
cbf63150e430e4858cadb154d10be00f670dc8c86b57d9fc2bfed37203d374c155bf386062b0d78eda19ef91c317e45dbe9964bd308c63b1a7a6938ccc5bdd15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
789abb5991e4bb92f5a29642ff5b6a82

SHA1
3899edb79a34d923a7dc14a678fed1e2998f6942

SHA256
05e01cdd783906f5df76c2034b5be4bf43eece7031e5ce93abee918945720862

SHA512
1db91c3e4671ee49023a644623e8220bb4560d0759cddf803f233d5cd9f19ebd5cf874e3691008bc7b9771ecd92c6e009684e67c0235cea15c67fd23f63cdfc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
b80af2b548536d4bbe8bde6b08ef5ee6

SHA1
ccd1e72bbe9030456bc42e80fd0cf28e9c570c1e

SHA256
829b6232da17e1d764b820e6b212281b6a915fca60ae7707a43c5ce4226b8a1f

SHA512
c826d383026432c93a1fd14c01e285187d62c3d1352c9a4aea85efd0a1835bd92140abd539eb41c82cb441dafe45f5c78e88d1d58194650a3286cb6762491dc2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
95c58895d1c653b699f1e25820e7fcf3

SHA1
a31571b734e1084581b53b64d0166a55c17b0932

SHA256
6b4e9a8b14d60115b9ebd5b57f7704d104539e083e2642d0149d96a138f16d28

SHA512
ee9f6749ae25621ac56dbdce6bda85eb5b236c0b6c366360b67bdcdb88c2f48fc4f730dce397c171667a44f5621b775fdf5226e8c2df4c3b83ad85ff2f0c72f3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b12424a237af170996d1a777c150be6d

SHA1
de5207aeefac1569ea7f7ed84e24a9c2044dc3ff

SHA256
46d60bb0e65003061077ddc481e56a272d13dc17a933ee32665ec55bb42edb34

SHA512
027d4bf518997ed6ae0496766e2cc18adddf12ab715ce6a741808136ade80e25a29b9680abc179fd68a739bb7af3fd5313c0d84c05b68789eab37c152a171161

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ee63b705aabd0557a1cc387e5c3ddd6a

SHA1
3b8b1703b8819132d058b4b856d2320fcf578314

SHA256
8d2152b122bae61dd6a9b3132b95585f92329f93622f7b093497a429298f3525

SHA512
b21c4160bc2fe349efb03adbdf26338bc6c79132d25737c9193aa8fb1923f92265acd72d7b906f7b0a489cea9eb1e89add4a7657847c49d40591d880c9d67c93

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
34f29f775f2c508cc960c0ea07f69db0

SHA1
f6a156c8b4d14170deb98c47f9495a94b1cc5009

SHA256
197950109f14d1de69370e0710b8132ae9e861726044ea1fa91bd62902e3d868

SHA512
f1427d14ee776bb535a8917510b9617b80dc641874cd211f451e9337df2804540c11b6cda1b104e718c9789ddd349ff70c84c05b436a3ede40f25dd194ec3737

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
24145515a33748e3f5ce7af7404e08a5

SHA1
1be5ae2154595c0d76b56b391758c6e364d88bb3

SHA256
4f5ab4f7590cfff345345c19ddded66ddf8f04ae15c61ec1788a3f0b709accbf

SHA512
d33c34ce5634c78c9260c3a7c9588136e98855861985a976bf077e22644ece42f3e294c3d897f8fa0e8c171ec1f8d14a83dc3b01c3b32f368aae17ba45f22946

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5d49ad15e9d5e78bb08aa4fc5c116516

SHA1
107d756c25a674e3f676c95a1a9eebc7dcc6cfd3

SHA256
ecf9eb69d02abdc3735740e5be85b44e82c661055c157ac375ef6bfad49853ad

SHA512
c913ef8d0e611b53478f5d97b189803dab05fc8d419c194f7763ac2569cb202941178ab7f6fa65d48034ac6cb01d44c3ae0a3b220c94cd981798c524256483b1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
519d710c5b8c63c169e7bbd01c69f696

SHA1
d76bc6ea03af78d376b96e0ff64a12421278f74e

SHA256
94c2667c8dbff1566f4045ffddd1d9887c540d6923ec8e941c3c405c2176271a

SHA512
25ad055d520a14156caa521a8768bc0d26c1ae7d9327312056659be3a256620fd2ceb769171c28dec921ab785c8318f2d543b6ac5c38595c4da825b066d7c376

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
34585c3d1f22cdd4ade9bf88ededfb3a

SHA1
28cc4d8c81daec2194f274797b4c672c81b6008f

SHA256
a715dfe5f13bd0801a4b319482f5849fb776b2882f0afea04dd143608a3d2331

SHA512
fb298a1ae0bb37a28032d589da063c8fabc0c7cb7a7709311c3b2ffeea8160d9c720a3e47867b1b21abad42f1846568027b2d4c46f40c5b65e2c9d366acb0a84

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
baeb255b7f65451647a445da4a400eb2

SHA1
1d66eed043625009409387a28ce89b2cc074ad4a

SHA256
d1957a0acec89879f1297b8a3ccc25da4675fc6b3198f5a87fa7361263d80bd5

SHA512
e10710d06468ba297fbcb225b6e5f452d85f3d577ae058829250bde56e0fd975516ac212c889bf5756dfcf95cd88ad12636b1659a3f688abe6d5c26ad301f1b6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
be5672c400a094e1d2e4ee1f21216486

SHA1
f73f8860a9a7a561fc9928106e5c0bb560b93a1e

SHA256
1525c41a32c76b7858afb747058051c49dd759bfbe14a7915e517c98f8e6fb6b

SHA512
4ffa44494763f0fbeed8e07ca99356848e134011f818605240ba368f665265071708c062bcd1b77120737c9e2cc8ff5edbee79693d4fe0938466a3de1bc339c1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2efde905700df6b8c2dc24e79caefcdd

SHA1
03b7195dd9d1617cc2cd7f7c18ad1f2e923a1215

SHA256
fdf5ccefc0a4f23aab7490f1803acd32411ab3420160bb1c25916051816ce823

SHA512
9df427eebae77360a9bbba4862ca39c7b846dd2db266d63eec34ee469a9ca3c1c3c65179144012eebe3e08106822c2805812060cfae2a770cc2b970efff1b5ac

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
85b1d8833544dda7b725494338cefd69

SHA1
7ce8e0237779d40c5c4c3943c5f11ce347a0e482

SHA256
eed8f4596c0c4a6431d7958e2e59a2bac80890a25c6ecd5682d50d1a24fdbdef

SHA512
063c90e30a7057893bacb1442cb3172e041778374cbc33d7cb72612e41d938b83970a1c790b6b89f27038699159702167a32b7e961833fb4f06242235243aeeb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
45e00d03b99770c40ebb3c99a246a866

SHA1
9b6a79188e5480e1e4ddd10088d9f5d814dbffb3

SHA256
b016465e10a539136980950ebec08332f3fdcb12d5f5982f1a576bc31b7e2702

SHA512
5fe6ac7dd8753251ed22bb9f14791df17ac26b9bfb0ac3e9d97a846e5507d0de55af6dfe8b54ec3242a914f2d22bc9d2381415b022bcb352c0fdf31f6680a526

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f1cc09ea637ff427a9627109c53aad78

SHA1
74228345cec7a7dacbff9275fa0b89a29adcd36e

SHA256
d0ebfbc9bbab6a85d796a664e1818c63bf0e7128406eddd6d8ffa4fec5dfeb48

SHA512
f3573837fb6582df29ec45459ae040d587855ede33dff713ec72de0d0af2210f16b7e2f43885025467cbcaef47d0540cdd04b56fd4050c449642ceb40f4282ff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0a72af549a9d78999997afabea177471

SHA1
6a13f1108ef4628c9fdae8d103aded8bb1e2c0ac

SHA256
fd42c7d182493a18b69c26ba0c19034e9ddb775bf5a0c1a08137ebb695c2ea31

SHA512
82b6b94b0f3e44215b9bddccfc86219e22dd8a3f25715ab65d1897b67d4f0aa43fb955011e9c2c93c3a077f4d3ac94629c8fbec469f6e21fd449df68cbe69d3d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2749d308f50cd923ff3f755307e49c3e

SHA1
8cef5ea4f5078e56d7d5ddbe565f3a2aaf37b257

SHA256
daf5b40f0288c54ef234ecb642fd0633c9e1c1b9835d8744e218e12251fa29b2

SHA512
edfa98fee94da91100a1f93476b90653047867689c5f5ac99eef9fee308870f690fdaa3e42b023ed66ab5f7ed4e42be7be59768b4e674dcc8e6859511a0ba512

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
52def0bd0986f14c05ec64ebcdac3fda

SHA1
a687a1ccea234894fe6f2f0fc760664b4d3adf9a

SHA256
3e0de952139830ee0138c4ee28edd8551232d60f5fb89ce900df868270ce0268

SHA512
5ddc564646f47d54eca790e58c68e8dde38e190b4daef504949f04008bf1f41e22994500b90506446e8a5028851e94997f130b10983fd952351e9ff9a630c0f4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0044d4d27c7857e93e274556c0ac9da0

SHA1
828d4ac070427dcfb3eef0cdb7750157737a8ea6

SHA256
c9fcebc9c79ad770c5fea27d5fad039cf7f2fd0843bdb17fac696a3f9b954c58

SHA512
8d83edb01e49465af8b0f03f44622486d25981b1bd4f8430aadc2861e7226be74bffbf6a35716bd15cc830061346b1e67ca355e3707f614fe85cca9ffa9c6d52

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4b8b9047af8725b3df687bebc1fc7446

SHA1
ee2f700d008ae68a30477973313fe34f2bb70ed4

SHA256
b7ad27db12844f26f9c9f6d9b78b5de2408ada3031103191692f8b0980ae05b4

SHA512
6af2458d89e1d8266149a634108442c856fe2691036f6c81c32c529e1d19f6dd5b914f7f41484acd836d59937aff9141a41d768c08aa859e8bd2d8b730a05806

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eb414d148dd22f54bfea4859749d4f84

SHA1
3fb11e69d7f556aaeaeeaa11119b75e2902beac9

SHA256
182080e00367842ac0c053886247de1a021d541950b839a132c29d7b21c4cd4f

SHA512
579e4faf806f27cb305a52f5c785ee3e762e3e1bddae4b49458e7dff76e705820b59fad49b67fd95add87dc18ff9515032f854eff1f890848081d6e0835d0a3b

Download Submit
memory/316-266-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/316-325-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/316-268-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/316-260-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/452-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/452-524-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/464-19-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/464-238-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/464-28-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/464-27-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/744-76-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/744-79-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/744-70-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/860-523-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/860-334-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1316-291-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1316-513-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1484-311-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1484-514-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1528-281-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1528-333-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1628-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1628-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1628-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1628-64-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1628-78-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1760-321-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1760-253-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1848-248-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1916-520-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1916-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2168-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2168-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2392-521-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2392-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3128-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3128-239-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3160-512-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3160-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3160-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3216-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3216-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3216-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3216-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3676-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3676-522-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4028-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4028-34-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4028-40-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4028-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4288-329-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4288-271-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/4288-279-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4304-288-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4304-463-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4720-314-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4720-517-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5016-1-0x0000000002170000-0x00000000021D7000-memory.dmp

Filesize
412KB

Download
memory/5016-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/5016-17-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/5016-6-0x0000000002170000-0x00000000021D7000-memory.dmp

Filesize
412KB

Download
memory/5016-8-0x0000000002170000-0x00000000021D7000-memory.dmp

Filesize
412KB

Download