17c60ee82a400df89d28336f838fcb5c41413135f84025b979b20ebf87e9b167

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
Size

677KB
MD5

7095745acb2e838004ab87e87851e5a0
SHA1

76c3f83742ddf82021c0db8133d47db772b3d5e6
SHA256

17c60ee82a400df89d28336f838fcb5c41413135f84025b979b20ebf87e9b167
SHA512

276219fe928e0441585bf284cad8aa5ea1390f3e26a8a055c1b144a9c8e17bde365b1713b4c8f1ded4996ecce10b64c2c0ab69bd4ed028615692e91bda853e7e
SSDEEP

12288:svXk1pZI3XPWvOYRcDRJZ4w8qIV8mQR8XZi/mWcSjpI0Tkdure6:Ik1pW+vxWJq0Q7QqtWLjXTqM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
4560	alg.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
2940	fxssvc.exe
2484	elevation_service.exe
2284	maintenanceservice.exe
4676	OSE.EXE
4412	msdtc.exe
4348	PerceptionSimulationService.exe
4444	perfhost.exe
4636	locator.exe
1604	SensorDataService.exe
5008	snmptrap.exe
1592	spectrum.exe
2524	ssh-agent.exe
2140	TieringEngineService.exe
4340	AgentService.exe
1876	vds.exe
2772	vssvc.exe
1092	wbengine.exe
1240	WmiApSrv.exe
608	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f1a6856c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef7ed8d383b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dae25d383b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000830c85d383b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005de57dd383b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030871ed383b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003358d1d383b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e43ddd383b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
2484	elevation_service.exe
2484	elevation_service.exe
2484	elevation_service.exe
2484	elevation_service.exe
2484	elevation_service.exe
2484	elevation_service.exe
2484	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	932	2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
Token: SeAuditPrivilege	2940	fxssvc.exe
Token: SeDebugPrivilege	1968	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2484	elevation_service.exe
Token: SeRestorePrivilege	2140	TieringEngineService.exe
Token: SeManageVolumePrivilege	2140	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4340	AgentService.exe
Token: SeBackupPrivilege	2772	vssvc.exe
Token: SeRestorePrivilege	2772	vssvc.exe
Token: SeAuditPrivilege	2772	vssvc.exe
Token: SeBackupPrivilege	1092	wbengine.exe
Token: SeRestorePrivilege	1092	wbengine.exe
Token: SeSecurityPrivilege	1092	wbengine.exe
Token: 33	608	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	608	SearchIndexer.exe
Token: SeDebugPrivilege	2484	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 1256	608	SearchIndexer.exe	124
PID 608 wrote to memory of 1256	608	SearchIndexer.exe	124
PID 608 wrote to memory of 1800	608	SearchIndexer.exe	125
PID 608 wrote to memory of 1800	608	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7095745acb2e838004ab87e87851e5a0_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2128

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2284

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1604

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1592

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1004

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1256
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
56b6896bd49c16b55350f638780e2338

SHA1
ec4a57e8cb090c5585d268669b4e50dd269380d7

SHA256
6ed8d3af891b72de3aba4cec438e8e366398725c9f377d39cb4aaca553be3293

SHA512
a0af43d566a4c1bb75b1a18a5d36fa0885b9cddff6a6054b4bd0dd90a14c513c10ecc19afafcad2fc16c28663cf571175e38675d6262c1ca857b9cf67a8cc6ea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
551b1435d25fcd10e42324aad20de925

SHA1
bc6a580a15c4acd22a1d515e5098df091aebfebc

SHA256
2ae73b25ae5064eeed234998c31f0edea2017f95d4465cc214c6874a605766ee

SHA512
6bbf88c254772f8ee35f9b3f4450b903c1d594dc59d3ce09ed1849e83f4783aba54088228076a15aed8acf87d9e29f36d719ff6098177100d39b0cf6fd63bb2d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
460d66987ecf51503e0bc5ba931b0d28

SHA1
069e1dc09aa3cc6dc5fefab68d42617990be3e96

SHA256
6adbcc25f8f2f9b51d29722b0139f380fed00a1a7c84090346e155bed0a0af4b

SHA512
d0569b51ae5c993d948b4a1912c6f8990282a155520c24b33989e85e5d652c355ec0906f8b45c8437a801d2aacb56150af7519d5f69588ad6a9fcc78cff79536

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7d131236cc2288824bb47c332cb8f7a1

SHA1
61179fb3155c9a8ef98c65d06d1c5940056b49b9

SHA256
b784c742470d9b14c6a55f881aaad9548ac8fed9550d5b43d7bb19a735619c33

SHA512
c92fce888f12885284378f5fa8f4dd3df958fe4884e62dd68cd8ee3b9d11287aaebab6ff0373767fcc735618f9d45bd46ed05540bd9a062f3efe1787d104beb5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
844fc8cc3d6baa8c5bfd34783c6b2951

SHA1
71f1fc3f5fbc9f877bb77ba6f8e0e51e23fd0232

SHA256
dd4ab1da3b847a0f377c7ee1e8bed07435df65c1f0006b848fe53ca52d6a506c

SHA512
5b9dde1c24df02020c3ee2f1c918691ba4f44ecc076e5cc61ab58c91acd89c29d5032686aef799532520d832d8ca18aaa6f68320b4f25cf9503bb9125bbc5338

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d20a12f604122f2c18df61d9985893c9

SHA1
70e41138a817e2a651b4c94cf2c8af90993317d2

SHA256
eb3345a4aed7221bf9750174b66175a74f32e890e24b1632592b8737279f3034

SHA512
4775771acdebbf5a2433a7b44990df5baac53e8d13f84627b574683313d46af42f4fd4b88add8c664801de70fee58c1a92dbdd756c01881f50afbef8df680b6f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bea3a63570f6b6180c8fd00352c55f58

SHA1
893db93ba9351c519bbc17837b5de47f32f10493

SHA256
f65af07a84809e04ed197551085c7e50240f3f5b045a8a7c318b229950731362

SHA512
6bef6ce7a348180ce680d8a683dd0d8989b8c1f917db5b453cdda4df335a08744af5819d93c2274a81d46327afb1bc25270007c67b11245e6e29a1f97baf435e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
048a7623cf021503c9fd1ece4edb0ba2

SHA1
01e363894a68631fa421aa5253ecc1cdaf8098e5

SHA256
a1674aad809fd3936ee0288ca4fc37f7a854655064bd5f353e99ffbaea1a41e7

SHA512
4ad9c7592f40773894ae1c61fad2c82303d7ac680c9a50637813447fcd5d76b381f11e949bf572356050dbd86b3fef720a642bf8fd163ae7c269e6b7d160aa58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
89a78e9e3b90f5319982b13def282451

SHA1
dceaf9dec77776d6bc4c95f1c3e879f0280e2cc4

SHA256
d1e9014db5a820c9d36faa580f25e8ea111e97231c1ff580b8ea8ab98b3e12a8

SHA512
1fffca2ac940728e260e577af17230d57967d7c94c1f5857b9045de47990b4a5487cabb94878da88928f4e953cbfa42ecc13996fb0d8cdd41232db61af994498

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7070f578241a4fbbf38da926e6cb6417

SHA1
453010bff003be0309ef88132a4611956a683881

SHA256
cbc0843984336c28fde2d23a9c5a504241cf36a371d894b48ccc40f7f24139cb

SHA512
776ae15edcd78af33f93b437bc8c41288b194a8b379478114e86288f3fc80722fab97f73ab343af96bfba03a3c0a6edb09b873bb404da103aba99d3bef173557

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1b684b8fc184a91d553579bfd6922d21

SHA1
f909b3282f63eb973047f41e86d895b1f85c5f81

SHA256
9618c76b9abd1d6f04c15e5a72994e41bbda4f941479041971cf9087ed3a3802

SHA512
cc2170bc4cfa400a1729acd3f819d67d25cfc8eac1d5883b436bc0ed41f9217f1e5b83889f19400ad14d8e8a52705c864423a49afaef8ecef98439070ccc2dec

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
27c49c973708c84d63fe3b6ccab2a697

SHA1
3e024287537985c70d381a51bcecfaeafa624b71

SHA256
b8a366986ec6bc31c1485ca639f6aea31368a1de8408981235d61b1261517308

SHA512
a104ab12696ac9a96a2b65f7bcd2c563a9a4bdb3f330da011f2cfa6bcfff2de1ef366d0e69724c91b14d2fcc69caa947c950ef82d70325f3100f55d8e8f7373b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4fa9102de4fe343ea803bf290ba04dff

SHA1
2e824ec455211a9eb248da2b002910412fc52486

SHA256
6449ea698c72ec9198ba4210634de30c53460c1955e5c092d8f5e754eedeab3f

SHA512
8754506f5e25046e1b9a99ea109a387cb702670010fdb63a788e10a3c6d6772c4bd1ba3b13c7c046d367d41aae3e24de564ddd56325558570999f5898db1140e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
268fcf13c07a07f21a9ec5c6c65b3899

SHA1
fd3d73e7f120979df5ecf37e2b78b94fadb16030

SHA256
00e781b12f71d5cd00fec87da2c0513dc0a97e1f535d6bd1634bc1daad144b74

SHA512
8642ea049a609681ed216c4324f5635356673f872fe9f066e742c0f52595a826aea434576da48b0c38353d26058dc961ed409bdc34c05e2a164bed4cb6adeb13

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3259faeb7021186ab1de0a0df74cf392

SHA1
3f4ff7d803537b08ff806077e1fa9dad072df547

SHA256
0cd40a7e4f6e1dce57fbf04e21956bd34e85a72287ff2f6300e1e058b572ae8f

SHA512
4967019e08606d6675f71535301516846580a5b817d8917f32e1eedc2d06dc92004e94b17b28f0b8ef91c2753395e436c472e32096494243c3947eec5659d604

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a481425d4efa5d63392b537fdb4443eb

SHA1
ea479c2816900976224dfff2adb4ed59ebae4a54

SHA256
a2aa9d02eaae0beb8f72f035941d29f522e1f95d6a896bca253f01522ffa4516

SHA512
371648b86dc9cd0e36e2e52f1956d6562b1bed2c89184f035e67c5bbd6bfdf0d6090f48a3688ff418dd403f42654103c1281e347aad92f814fe0af33161bcabd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b3d600fba3d0839cc45f40195a8b6095

SHA1
9ddbf4e1c559640e67af9b3dfc96bbf2e6a2fa03

SHA256
767af58e9cb8a57f6bda1dbd3641cff6285f617e4ef8d0061044a5de7f46ed26

SHA512
67761162c5866c04dee2266602380e4158a6c9642404aebce8c723a5504f86c3d97299e4fea1728476d316c4dff234708acb76e4a90b7ed121c7764aa6ea2b53

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e5f65b15d907ac29520951bbe6e70689

SHA1
3a6e01d4a17b5810f809724542ef88969b099054

SHA256
8efcb21848cf33b902857e81b9cc352eddffd973a9830aec7803be09e4183dbd

SHA512
f3b91081098e8d25ad5bae429a791598607d54f358a98a3587b167dd057fcb08304e35ff14d6f7448f4f4dd76a2f27e8c4fd0b57bc60c8f19f0b6628b32cf1ae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
afce83c1f8274c5851ed5a39798529ad

SHA1
92e60956121986ac67b7b83e5df8ff257cc1bd1c

SHA256
1cef9c79285a5685821b0a883534d73dd00a7dc619ba01bc52a109e5e9f4acd3

SHA512
1ab27df21ef1cc545058bd854de9676f2d39b5a50cbd4c35fa5ce64248cf1eafc422232f38484358fadd8a1222f559f2fdab1cd97b422ad26941dcd9965eda6b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
45ba96fd047cae65d781cfc913f5306a

SHA1
c8fe10b9fbc376bb98ecc891ec3e00204def5c45

SHA256
ee6de1b8fb88242c2c4bf73d425b23f10d47cd6b9ec2915d69f4441c196e70b4

SHA512
96c792e315716cf6410c48704b0969e06f4e372a90f3bac8f312913c5dc79305289b60ad8eeadd1f702a68cb5b0c7ba88353f45a9b7b0843481f8ff853f298b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8b8b9001105926cfc3ab0304e49bd25a

SHA1
846729083518eedd4902602acd891d672a8ccd2f

SHA256
13ba890d54e858986eedef479d82521a44c6b56fb253858c5e65c80125296c5b

SHA512
abe7fd4cc217baef754b6740e0882478ceb73b81a720adc125a18e13a0ca7cd99e1cc24081316e254cdbf5947997e77b446d8ce60e4bc03c04f2f9df22cdc4d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d49b4d2e53795cb2ed3027558c63bd5b

SHA1
fd8592ed1ba3a3bf86be2d067c7921d90eee88fc

SHA256
d3f9ded0513206da84dc50cd754561b0f6cbe0dd4b1571b965eaabf421beb0b3

SHA512
6512afced5e07d97371b50d3f9e388134447a9ef9f72f43ec3e5d2fba00f89be5d714aaecaa57e349cc9190f35cd60aafe225c30a70c7a57c06c3b84d93af504

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d4ef7f7fcb0e0cc268ac3c880cee9ea4

SHA1
7b702a19cd82bcd46e7066dfd18ba3fd98fd1863

SHA256
f7b185da47e206fe21791849984f132aa891acc9327ca573741836717a71074b

SHA512
c5a405bc66bb3aea8df74a5435c0ae73179c7a8811b89e58908a65a86e68f1f6f81978e5a21d6e186ef4ed8f2886e4ffbb76ce879cf12fbd14904c5f09ac8f87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
05b9679fc17e89c6316bfff7d97931c7

SHA1
966f7e65e114d7114ba1699bd8a887bf32a68b10

SHA256
97c5886532c8fe63aa079b482457502da70045bce34b10d91a189bf0e1b20e65

SHA512
976268627660607925d16389b7c1d3beb83d343a523283e3500547e52b8817349dcab0b1a90dd3a8e1d35ce1ce2620938a6357a2fca778fc71602ffd3361cb81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c32e0faf7519fb694d815888d4a83a39

SHA1
ab54ae8e09ae7301d38722d6e9da1bd471a58b35

SHA256
2c48ca189eda819057412ef3943b015072866e230fc928c3bcaac41cb4b0d1ef

SHA512
78af35aed493ba07ca106a0e5a60dd6dde51b6a66c7e96aa9f1235571cccda0c3d25df7c95434ea4921319e2734bd95c22314c0f40e20cb2bd9430ce921f2629

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4fc08376a528a99a73e905979c2a2731

SHA1
5a0e00a3000136d5bfc95548e8a04295503cbd9a

SHA256
cf23ecbbb60b39a691aa07cf9356ec3d6f69bf5c2edead6b6b4d6973c3739456

SHA512
0a9095ade5f305a3b8ed51b6974b21be9bc754d2be665897174caed544e4f8061f081efb342a849421c8b2e1612f51f132b7b1f5ec586a6fea9808852ca1aefe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f676781a78dc8c45e393bfa5dcb8e845

SHA1
3593d69e66a940a5f47c7a2060b25e6a617ab95a

SHA256
3bd5917b81f1279122833900fd40653d4398805ccc7f728ed8cc9a371b356d48

SHA512
390779bcfd1e12c475440543832637cc4ab5dfcb4ef67d794db2918187f253100b5156e069b7b1b71020b5560f9b5545b999756582c794cb33e7016b9b22d019

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c7023e7d14159af9263bb996a13552f3

SHA1
60d1811cf641b7dacd5543fb9938f7f7d230a01b

SHA256
642a6689c1a514adea36d2a5b28eabf1b96736168f57e98e413c6a7ee5272bb1

SHA512
fe13feb37da4db40ebdb7ac859a0ffc9978c53ea37df2a64f878a6c28d9d2f4ff54766765060ec6843827c212aa46956c6ff60afb80f063d56b747dc547484dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e1e7fe286a3dce5d80416ff75ed3bd89

SHA1
f5267f9e02f947ad171c791293374f177bb4985f

SHA256
b303f6d33daa8e3bf2c99602ebeb6a7a63ce6b8c41ed97ddb15eda1e9a996905

SHA512
c6ff6b5359c2b75410cfa8833daf33ca6ae0fd29202a98e856fe4fdaa41de0c2aee2baa06b547b6138a7de4ca12783354d6c48f0b9bd1f4e4abb5221efe85a7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
49fabbaab961c192d497250950373ef7

SHA1
4449ff98ef2ac0f77b2944f04ad0c72428c59afd

SHA256
10071bfe2bce2f8ed17ee3aae782e01d7659e0dd097d8edf6ab180ae196fdc17

SHA512
149147b14abae28ab094f1a986062263eaccbe3d94ca2161af5aa9be71fd3dae9012751c70d90db71fb3c5afb6e87637690e797d643a0b93274d10f61ddab7c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
78a36147eebc016fd70eafbc6191e014

SHA1
034b0937aec8e5b9d9c860b86d27bd1f3aba5a4b

SHA256
33f6f15b3cef93962e4ed776f2908d8ae201ae16f0d6be641a73f394c8aa22e1

SHA512
149b5bbb750aded1267cb081104b7ed88281d35bd9aa74725da0a1d6208d8c108d07be1ffee27a2b2007d38bad701205efa6a3b07e6f67f2482d1379b4cf4543

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ff1c98028d71e8fda38712ab88a704c6

SHA1
73e8613050dd0c5b4161849038d02cc1c4f96d9d

SHA256
dfd15960a5a2ad228f1b2641e38bffa6d617c01d24ddf85c027ca899cb019fcd

SHA512
8bc957059974c4402c06654e24f69ca8c55a654cd293c148fe2e6325c34d3117837a608a3f72d969f08f48b1f55830eb7ae95c2a540aeab72f4802d8c0077b83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
11d9a3464c9c4c9105cef28f3d996d5c

SHA1
6b18f67818340832886f76ff3c464d48112078bd

SHA256
7c7362cd294a3721f9581984f3607e4ca1f91d0f891d1d999b20760c505ad753

SHA512
a5591c1bf52f6464fe0b6349d7551cf05e4084dbb2b535c46a33330e4d4bd6220420908e9841f178bab157d8afc6d88f78c552fa9115868705cfa50a1dcfa408

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9a76d48a92387db8c52301cbc3b7f2bf

SHA1
78b99264df1b09ab7b93e5b49eb1514a45b78d46

SHA256
a635de71c7cff96ae136bdbf21612ca454c442530c414193508e453deaab9530

SHA512
d4c77e7c451409645186b02f4d107caafb61fb9fd8dd15e38b5d4fd95e108aba4c4a82148720846f22b8e16e53757aa154aaaaa917d93707a277f75bb6f97fb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2d9e9ddc205bba024606c201d35e53b7

SHA1
505c49211dfb06d3e4bf8ded312cfd354ed50724

SHA256
0b9b5b40de7518fa0d5cac7a0c8d88cba33bad1c1f849cfd78d2c725484abb2e

SHA512
4e023d9ebf9a0054439760fa1796eece2093c76d47def4a9fca7f6af495c86feb3728d9eacd2a95a4e1b927d4e219fcf64396168e4aff5ea4ef0f65c5eb50c55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9bee82be534082bcaadc681e1bae9699

SHA1
4d10404e8563f8377149d92065af3ead34019448

SHA256
f11807327f4bb5d98ad71f17cfa6d4e25e86a5f455e28272aefa1e1d4e95e897

SHA512
9b8c065dc5aee5353c8118b8d36c0a46d6d98700586571ff443beb3182c18c289072b9b198e2f85a958c9635b32529bbf308f2ded790e94c4557876b39b06ea1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
be7a2bc78c78fbecbeeeb4ec82963314

SHA1
d566d15d7f32933cdbe222d413f0196e34e18b82

SHA256
34910dab16f6eec3bcb1fedfb5b90208ef22e8dee7620a291c62af4f022e995b

SHA512
d5c20e5400450ff6f428c1d70b84d172b99252b613da03f2fe728076e67b10a008f5c3251a7503b8c9069d6f46ef286f1209f7491aff5358b24de22f84853f47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
d15967a0cf1c809b80ec58a7c035c10b

SHA1
777b5ce66f2b41c763b864d34d9601223fc69ba8

SHA256
01efece58cc2882941c2658325c83ece8cc52c2ed65398c9be10cc440f1bfb79

SHA512
f8a06e77fd0f8f564914000edccfbe6a438818314ab910ff24843898092c0460b463d25435b03294f9845148f37086a4033b74a1ffe2709de4ae49660c3965b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
139d21bc29ff41e05cbbead4ac9a5b24

SHA1
8c36c793bb48623c1f382dab3cd5036ec3f49889

SHA256
d81a4ca60b859aba62c8d6b93fb6b1b2594a2e20248cf1364dcd410a4f9d3ebc

SHA512
c3534dd6a46c9724ffcf0d222f36cff8424b94709683b0b85c1c0276569b041781ce088f4c2ecc45f2d3239ebb44fa02cd7c1007949aa8d3728ce311a1f309eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
f3c7ec2aec6b04a6b74559eb34ecacf2

SHA1
70a0251d7960c91c6ef4cddaac680d4843369d02

SHA256
9aab61139d7b1ef9ab4ac3569335dc0a49f5aae4ca545dd483d8b2b2b62a6bc5

SHA512
c9c7052a2f364f73e857cef57b65f6dccbe8002f9d56d1fd5c9cb9cffb24735fba5658fd33fcac6b8c98c06ce7ed0a25e26052e1679531805af011c04d341909

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
cda77deb4a666d5ff8a9922e53b7c832

SHA1
555f6c600738b9c6857064a7c1cf92177c2bda0b

SHA256
64f8510ae88cb68eb2aa6ed03c52403b81b9a9ea4e4f1cf7f310fb1d1acb78be

SHA512
8d31555f79611d2038deaf14fb85f505112b01003014b13e8ce32af32531282a6ac76b88487cb9e7ec355b34fd44d8f4c6617a7f45d21b60a048c582cb0865a2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c35abc646791f4f587b4030590d80bf8

SHA1
f96c90e07d0c1e54d29ee1b34e092024b21ab767

SHA256
58500ac9c3580e766c0219c5802e8cfa2f94b2bf63b5a529331ee76e8e3c0034

SHA512
8ab3885639eafb0012b81e0b060d639aa78240a409c3cfc0e52c7ae1daffe0e4fddefcad536fb05adab94159666d03f4ca90bb7c5c7f55697428924724b813a9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
525d4a2cf0fb3bc79e4862b454cfb16e

SHA1
6336797f09f55c622a17ef5859017bfdd964a293

SHA256
fe35ced78b989b124055df7269c87c2b1417c2d74f6fcb5f1a40ccca1dd53088

SHA512
314ca0ee3ca654eda6c8c218cc352f5a08a20a47e642db8053c4db1cd95268e1a6b38501f301730870ca6bf3697014f573bb18fe737838bca5968715884d8294

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
658b09af316ea910b5a3d9693fb4c6de

SHA1
7daccbc551d7036880a3853acaf24534402c0316

SHA256
1787a4752a51e6fa6906372726e93f5a41095af3a7002e760dc9e6d79cddcc0b

SHA512
f0ee2591ac20d215c406c8703f58603c95837f184bf399cb3e36da14fd3b35fffe74f99e3ccd707e50de658dddb6fe569b5a80977d9229958398dff6205f8bbd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
329cd5510a19c01782cff87e63f9ca24

SHA1
b3bc9624f17f34396df670b99592b8b445121c3d

SHA256
edaea91325f861c886ba81fedd69eb8834edda202cb77b3c8c61a2ee1688159b

SHA512
830b88ae0fd0ebc1ffc95ab48a8c787212a930eb63d88be1630c79256e23d2d05a9a6fbfbeb1607ad7eaa8a000e0f4f3de59c060a5c04d45239a8ea405901b02

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4031324af92db8b537e1b36f24b6df52

SHA1
9b7ba901ed73f262451871775bd9b760add448ec

SHA256
c498e57b3df20a35371086ae8faaca4e367388559d70f2205de37b6809cc47f4

SHA512
b0a246f86d7eefdb2aedfe36f8a346b7c87daba5d455831ed39f01d4daeda5cd5370fc3cb24b2f99e43c6237511f3c6ada8a6a4c381aeb481a1b07cebd6c5014

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cf956b9413e917ce05cdb0062871176b

SHA1
e8bc7c018e4b3d5613306b55c7004b5cda4f6842

SHA256
e355f7f6d5c48533228986461c53bf4814d82eab2b93790cb7a53be815162c9a

SHA512
42cf52cfb845facdf899f17266ab70af4eac2b1194af91824995cd5f9844e6066a7ca2fbf5df8223c41ad7f711bc21f62ee035c841b061b3c70f8189b005f1da

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1a9e8479bda8a287e2932960bbe818fe

SHA1
e8674367359e04dfd40a21cd7ffbf2f83490cd62

SHA256
f778bec9374ef79a21eeb747711e92b1ca732ffaf0e63aac2e83b07233ca6eff

SHA512
09558c931b711a58d7430ca68d198c04cc2263b29844696d9af9c3e8f7b473daf666b4f03a3229c5a51f419c0d73b57ee4e8147ee8830eb411922ec1577c093f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
04dda637b85efbd9532f5920a7ef797b

SHA1
8689efbf80c9cd68be2bcf17ef7ee45b440f8387

SHA256
9af5e84f48f67909606c331c72ad4765adc0bf8fffa1f731a14a4f7578b70fd1

SHA512
9682547931ec1a536adf2af8b97e3fce21e156f8df7d0c0dd8522ce61347df57b83cddb1f5a1615578030f362ebf40886684ae841f3034813f9cd6f7acc979b0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
91226ed42a7d7408782715bc69bc3b6e

SHA1
b04ccb5abdb19dd5ed5fc09445a34935a0b7daf0

SHA256
a62f4435d974e1e317fbc7e9cf3d49ab7264a553ea5415db3e8c359a7feaf21d

SHA512
7d983fbfc4090238a6340d34514d8260dae27be9646179415040d392ef3a02be317bfc221c9f48bdfd3bc31bb35336a9d692eb8afdaa10e5e2b3520549a967ac

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
45da52575e46fc62379139f88252cc80

SHA1
b6a81a9053033ef78c2d7de158ff4137fb4bc35d

SHA256
5ec63508d65a0d83f41c1458a208c560dc260695fd8f3a4907ab2fe9d4573370

SHA512
801243b8a488512bf4cafbc3b85f2c3159137119592e82a14435d1ce2f311d9c21e8af60e27138f238f719bb9d52b0207661d618fcb63b01a9b93d6b112105e1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f721ade3d80d21eb108cb9af329a2621

SHA1
cfd9c994e4bd3f4b4d1822d8803174aa40291997

SHA256
a149bee2ba9c8216e36d64ee29cd1142c63b2a186e67fbb0e0582a4c7b92c58f

SHA512
a67a7b7c629564c70ec109cd4804b251a9b88e12b1c6c7e04bb93c6662a02bbd2f12b6d9900f3ac024b8566c7443bb5092895319a40a9925c04fc6ef0f39a51c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b11c38b4c851c946673f658302125048

SHA1
627deece23e58fd2d2b49d3b9c80e53427d25cd8

SHA256
e7e96535650298d2cda4a87af04287aa8030ff199fc0814c4261fa3fd0877dd1

SHA512
fcb164c626efd0b83859de5553f72d92ddd56c27da83d387c57f15dcc544c3c9b09392d3e25f7bab1796ac053756f210be4a140cd52119f05febc0dcb078c113

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4620da9197d7c32d681da34f42dee4a3

SHA1
392de2bbe2369b85ee364e64a14c4a1fa3bd5153

SHA256
81accaaf00825f78674cb7956865eea8be675a634a53fa742ec2898241c6b031

SHA512
b764d2a8d36110ce93f2d56a7607b12972e865c4d5d7d02786e6cd54077897d2f93a698fd52f78fa1743bfb4d90d97dd01c20807726f455c8f6b6d959f86e996

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e846a1533b62dd269e434fb4ad1f535b

SHA1
81f0cb259df518f10112ea71d2d017594fb1dd24

SHA256
283337fe79554de37bf1ac323549e8b04b2dadc45ffc3e3f0a4a58bd6b3ccaac

SHA512
c52fd027029b2a22c918fd0418b050995c7f8ae90322d3709828cc4db3e229e2be73263ecefd092512d2518bfc82e71fb0c1b5d3da0d79fcb6c3da3bc340e8e0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
51131384236dbcdb189411cddcaf91d4

SHA1
d265c18b58ac431f17628cbd368f7c7d59104445

SHA256
6998bd5f1eb85be3ceeeb8fe061a078175404100dfffd7522c33135ca5b77f07

SHA512
3b31a2fec9b9fa2d5ccf6d8bdc04f8a00f725a25c68e2d07a05a4533531a12161ad14e72a4211d0f00f1d7a79f20ff9c1aa77ee21a5e4195715b28ad8e1c588d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7246dc60f2187c3db2f9b0146c188537

SHA1
b2e5c5231a94e3d6a7cc8278d367d30507bf4218

SHA256
f05b3997c353d9023d785cc8c6a1ace64212ef1ccef2036e6566c31440ea1f37

SHA512
c431cdb72cd49c39be25f70c330a15d71116936139e4c9efbafb65d8b42dbfa8c934c87703a9c71406f37f1ae2bd26d77d28ddffeb810448fc746b29e3077a9a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6f8f668586d857e37bb1e7db4ceb843a

SHA1
dd70b8137ce35d0a8e964da52615c7771264f238

SHA256
92d7ea9194d1585a35f28382d4e9965a76185d10dd48c91b11f13a708b585261

SHA512
b402703733887b91901255253e897bbee0a3c8ed836ceceabedb609fd705b527255a03986e22708351a5f52498427b32a66510f8bfc54756b865bcc3c1c86125

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
78e3347157eeb10708479f4486da74a2

SHA1
09f07a87536f344816ba90d94797b57fdfef65a4

SHA256
9bfd741efa85ad080a38d42b0fb9eec73f4a44dd3eb53dbcfbbeef97ad894e41

SHA512
b6375be5e35fb7510c798143c9652eb99718a4e7160e18c9004784215003c05b2f4286b60c9bd856ca4acbcb3ed675f7987fe8aa189788646984d6486b38ba27

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
17ee33612fd801cdaeab393e98e0a35f

SHA1
9d27987d1dac0a9d6108ccd34532f135357bd653

SHA256
9da81d15af83bd1232e7921d3128ebc4c0d4927f808837cb26ce66fc27025f70

SHA512
85dd27a28a1656a72def2909487c7567bd29d103eeaaef8ec8d585a279f8dadd196cb5d288f98b969419deddb6d647b557843c9e3b8b48244bafa0f0d498a721

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
858e992de16dfd52d4fc85e71b59d33b

SHA1
8222943ec53a188336a7275df3c91e392f389604

SHA256
fcfb8075926e290d489f6f5eb84ae05522363025e8cfa6ba003ddcbd36a4fac3

SHA512
5d936d87d7218a171becf2e03e32568ace116d27fa632250cac302bc4ac193e299f0e385461c709385b9ef92bb445ca3acb619cab3028ffde23cdbbfc88d8f4f

Download Submit
memory/608-329-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/608-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/932-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/932-34-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/932-2-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/932-8-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/1092-320-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1092-447-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1240-448-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1240-324-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1592-281-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1592-287-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1592-437-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1604-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1876-312-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1876-445-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1968-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1968-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1968-232-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1968-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2140-442-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2140-304-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2284-49-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2284-50-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2284-56-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2284-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2284-59-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2484-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2484-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2484-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2484-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2524-439-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2524-293-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2772-446-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2772-316-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2940-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2940-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4340-307-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4340-309-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4348-258-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4348-256-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4348-249-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4348-315-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4412-243-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4412-311-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4444-267-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/4444-261-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4444-319-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4444-262-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/4560-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4560-231-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4636-271-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4636-323-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4676-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4676-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4676-64-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4676-70-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5008-404-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5008-278-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download