6177ae2536551c17c06d45beb6fd9df2bbf4634f3ec4f6240a258265e3bb8fb3

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_a49c49135ffcc48fa318e141e69ea0b3_bkransomware_karagany.exe
Size

1.5MB
MD5

a49c49135ffcc48fa318e141e69ea0b3
SHA1

cf50069f7084caaf1ab63949dfd42c6b87a0a4f0
SHA256

6177ae2536551c17c06d45beb6fd9df2bbf4634f3ec4f6240a258265e3bb8fb3
SHA512

049c311edbe2149952a378ccb4371cc2403b1900dac16a5e9ddeb12aea6a8b774fc7136c4c1ad9c2147dd3031a61b16a7978bb91c24e7d49d3dce8972473507a
SSDEEP

12288:yvXk1PoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:+k1c2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 16 IoCs

pid	Process
2200	alg.exe
668	elevation_service.exe
4008	elevation_service.exe
4944	maintenanceservice.exe
1928	OSE.EXE
1724	fxssvc.exe
1012	msdtc.exe
2176	PerceptionSimulationService.exe
4604	perfhost.exe
5048	locator.exe
2584	SensorDataService.exe
4584	snmptrap.exe
2576	spectrum.exe
3508	TieringEngineService.exe
2408	vssvc.exe
880	wbengine.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ce74468f293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-15_a49c49135ffcc48fa318e141e69ea0b3_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_a49c49135ffcc48fa318e141e69ea0b3_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-15_a49c49135ffcc48fa318e141e69ea0b3_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-15_a49c49135ffcc48fa318e141e69ea0b3_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fc4b8dcc4a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d9e92dcc4a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001987dcdcc4a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b223f9dcc4a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc4dc2dcc4a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f54ea3dcc4a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f10e6dcc4a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000216397dcc4a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
668	elevation_service.exe
668	elevation_service.exe
668	elevation_service.exe
668	elevation_service.exe
668	elevation_service.exe
668	elevation_service.exe
668	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4660	2024-05-15_a49c49135ffcc48fa318e141e69ea0b3_bkransomware_karagany.exe
Token: SeDebugPrivilege	2200	alg.exe
Token: SeDebugPrivilege	2200	alg.exe
Token: SeDebugPrivilege	2200	alg.exe
Token: SeTakeOwnershipPrivilege	668	elevation_service.exe
Token: SeAuditPrivilege	1724	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	4868	AgentService.exe
Token: SeRestorePrivilege	3508	TieringEngineService.exe
Token: SeManageVolumePrivilege	3508	TieringEngineService.exe
Token: SeBackupPrivilege	2408	vssvc.exe
Token: SeRestorePrivilege	2408	vssvc.exe
Token: SeAuditPrivilege	2408	vssvc.exe
Token: SeBackupPrivilege	880	wbengine.exe
Token: SeRestorePrivilege	880	wbengine.exe
Token: SeSecurityPrivilege	880	wbengine.exe
Token: 33	5032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5032	SearchIndexer.exe
Token: SeDebugPrivilege	668	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4788	5032	SearchIndexer.exe	117
PID 5032 wrote to memory of 4788	5032	SearchIndexer.exe	117
PID 5032 wrote to memory of 3296	5032	SearchIndexer.exe	118
PID 5032 wrote to memory of 3296	5032	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-15_a49c49135ffcc48fa318e141e69ea0b3_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_a49c49135ffcc48fa318e141e69ea0b3_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4008

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2576

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:5008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4272

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1636

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1672

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4788
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eb9c8c65c6b042bdc37944694293465a

SHA1
82021c3829b18b0c824b8dc120b630405e0f24ed

SHA256
5eb75b2d9daf6e725e2369a13eb89dc03a1980de243092346375cc7bdd343ce2

SHA512
8885bb1ef0b73725fd3f6718020d3c0bc3b7eab47c054f4fb2b2d0f8c84dad0474e6d285ec8f75608d8bf5c895c7c2fb39a759d6c5be16cd31b7a7dd556d8a76

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
7d44b238d3cf8501f97cbfd72fbe040d

SHA1
29332401cad46e050fbdbb3338f75ce0b3473522

SHA256
93a6209170f2dbe9c5005b9e09cf5523aadd72bf7ca0e06549c16d416256553d

SHA512
4690f892f7f69d40de0920164e94c93119d636a5cda7cbd19f7688951d27f555cffa361c1a6c54dbf8ef20c2f915ffb1b3e61c3b1f4b6a0eecfa1d2fd91f36bf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
68af846a1c86a8afd6cbc153ab9721b4

SHA1
929420974b26b5b18c4a80e7cb1f318d65b879bf

SHA256
52f4e73a5b81b3d930ed5bf09adcc3bc80b07b8c8b8f0f007ea80ceddabc1d67

SHA512
0bbec9e459391895c309cef478e3888dc38eb1aca942d7dea0c395740c5b9dc68c50d0aa54e031bd62dfe9b3338e19182183c097a09910ffc585a48bb06e51be

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9006d7d2ec3a9f693aedff4a4d8cc81f

SHA1
756fca8dab12ca2884e17fff8e6999c470990b21

SHA256
3158455c9df802297849489dec7c2588094a128485f46bc22a8d7d931d493130

SHA512
659a34ba7edccb330effdf6d67dcb52685fd76ba100888e4d11d3d39255106112534c17f170877a54be49942d2d2fda541e2be4429cbcaf21fb99bc008a3e4ea

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
461a3ed77b2f2f9c550c5f4d66f18b25

SHA1
dfca1d20be2ddd1d11e30ed7b992e8aaa1a0bc24

SHA256
b8d0f923e4ad5e400d1c49603b1a2ae28cdc7ff2d37f984cc050c04399bc441b

SHA512
9ed14de45c0664a983c9616d6e94102a5710a4e9759e23b98ab21671b48d0881cf8df4869992c16715eff2d6fbb190a5ce9adbaf3acce1bef692209571920a12

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
3177d006b77ab4b7be7ae6ccebee8f56

SHA1
4159e52142e681704f35a196d4a8925080d54115

SHA256
009f527f4f35a30580a8d42ca8c8fd374f3bc2d744daa5155954fa0a2604978e

SHA512
c3f3cedbf6f0d5e4f14b2c5842615c17f9f75745c4de73dfe1038752e552ff3466a67a4e1bbda2ffb81a76cbb4e64819313a4aa39c18f6da7df021255c3db1e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
137cc373adfb3d4c95920848f0891535

SHA1
42ef732a6b50838f2d6c1c3a6d12b8e73ab9dba9

SHA256
3c6ceb1942bb02cccfa832e0f4aa34edcb356cc56ab862cda0e3db43deea9236

SHA512
e9383ee8f530cb49f6ed7c735c06653467689b3ca79ddd6b0e482c8f3324c4022149f494be2e89a6da099bfbe4c2314d381ae68896294e485bef3aff5b5185a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
429cac7d0459740171c0eabb319fe902

SHA1
1a5b4035243d275fa8af0d36a320f8abae8fcf15

SHA256
535a4125ee6b126bffbebfd4ecebc582b6960099d097fd5905e5544737345b1b

SHA512
28020ec0ace5a77d1f19ea54c2dea2390d2ac6e3e517a92ba8188b3c56984c8ba7b6813fcd1529a2b69eaeae3f46b2eaadd58d0d1b1ada7ce86a48eaa1f7c0d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
b0e9d29f5c966b50ad52b8db60b3df94

SHA1
dad84ff5d56d41f9f252b02e94ca94f0b8ccc349

SHA256
cc72793653eab57ddf737847ed4c862ecab3866fbc6b3a530a7079c452c2b58d

SHA512
7dc0e8202b9c9cb5459c9bd049e688381fcd96bd4ff149583e8243ece7a8fee47a4e4e21c594d70fc89bdf58ec6e3cd2bcfa34c507a6097c8b2ca80ee8a2934c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9a09a937331411ae865f1788b4bba99e

SHA1
3aaf5714de23dc097a68b45e45ceada40306428f

SHA256
ff65487430449b10a2100e7f0d8ba3efdd1c07af0f02d39c56f59846dfa76c98

SHA512
eff2dd22aba2bae96feb5f4fa5fa2d60e313b41f8a73020e8a34afa00e4f760c14f49d7f16c4cdaabe41379a51e959ef2b72ec2689d089de08ed8f9863422c41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4cc187e0f8fa65e6aa10cfdd58aa1fec

SHA1
ab92d8bb3ebd794e703f88552cf4cf36bb3fc53d

SHA256
1842f072f15f1eeeb37a63b9512a600ddb2b659c01da0cd78835ea553a09128d

SHA512
29436847ef222d079ab02890bf96c6979eedc758702b47ad7e36e33f6b989273bd7fe6ecb3a6834f6779b2f2d547d4224416a858f097e702d1ed369d338c5118

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
173d6f57bdeeb8b8165e06ce6803edb7

SHA1
5dde017ab58d183154fb957f9a05a83151b537cb

SHA256
5cfe32530ed77cd781b39023238c36e69de99d82dc691d503177a77962624361

SHA512
8777c35cf4b0520cf18261af9b7bd64f58619db6a0671f51c9fb9fbd9df837a7379d40dcadb2796f7b1298a90f6ebd3f15fe2fe58810976e44abbb5c835cfedd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
af9a064c89095168f06c4ec4344c1c4b

SHA1
52838cbf36e748678c82584585c00d4cda000997

SHA256
145b669b55368c724b2514bf8a7386edcaba68a31ec2abcbb80c87cb22e90f70

SHA512
e5fd2d46e43bfb5e4cd156cf4ec64e15c57287eb04a0816b04f77c3ac56b719636348d21fbfb0570d0ac794c6796db342b8c10ccbd72e15566d7187be7352c4c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
83784180737aa9a86d42dcd2cb4e6192

SHA1
a63aa6554ed5f60a967f0fdea657e343b0036011

SHA256
52259078cafc53ed865a28456998fa3a61338c6388d168f910b522c894202e7d

SHA512
9ba7b20441b523667f34ea9778f44cceb52118b5b47c984dd18493146ec1c1421e05b0fe93611ff55f75539d14eacc9b7f7a3b04424d7ca173d879f7891574fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0df8a5d59491ea9081ba5f48c68753fe

SHA1
3542751b7e4a94a0b624820713743117c657a2f5

SHA256
a8b663732c9cb3f8595f5748b32b146c614b7ea52ccc6121e7a5ce3647ca7c4e

SHA512
e61fa67fa2c59d2a1819eebc437cb760274ab49492dd731231c50f3bb1c3c7ece91c60ca805e45e609f12ce5f283914e9a6e530b6e867e8814eec1f9bdaa6621

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
25c4c179bf6a4fe653f4e3e4d2963a1b

SHA1
58b84fc06875b9ec4ceeaae3bed4e6335a9e1832

SHA256
cdb4138be8bd9eb240e3104f61e33f9038e022f1a27dad323dca8719de9f6e7a

SHA512
3b8422910de348630f3d3595381b4d9d67fe5e27809d167699b8a2a191a882ea0cd7ac4f0f189aa702e00b9faf55ffaa975b7cb04d9ad39dcbce19e0903cfd71

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
63d6f7089c8cdb6ff94aea0570e6859d

SHA1
d0d40c2c0c0abb86cc3b4c2afa9813862ce24e58

SHA256
1a69d380fb44e7eb71a125012358b4c2dbb610e2c7c5bf026423b62cc14adbc7

SHA512
7c418a84e46110b289c5ca1bd31b74507a2fe2c3cf6ce6a9707de82b12295d94780b23aeca88726babecbb70594c2fa4c5fc6783e81f4ab1cb70ba97b7ac1939

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
53b5722b322f560bc08779d45d257781

SHA1
c1886fb82019dfccd0deec0befa336bb49bbf7df

SHA256
1f144d1b164bf269eb5016d78378e23c5c9dfede0d05246c4aa2d3c98046d08f

SHA512
ec40ad969214597be761d68cd818c93f55aa5eb66c2c45b85dbff5ffcdb4fd45544c7e9e2cbae49bbab2f09a6eb62f77f7975093c7e079f7b2dbed56d08e5abb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e2c718322d5b48c6dfcdeed59722d893

SHA1
b79cc55e7c79916b7d90b6ad2f757606d7cdcf21

SHA256
ae86afb14d57f38bb727f2d925853f35dae779f35f9dc965e5fa238dfa4b27dd

SHA512
2def2d5d9e1fcadd4e911b0da20efb87e462148e62d21b34c16d6986cdf7874e0e6727cba2aabba2d1735f93e25c9c58f70677d58e2b37abaac240d4813422ac

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
01a6377e5b660d2646e6825ee0e62a44

SHA1
f41c7a0586500b6db57c8df48f80fc7db17906c7

SHA256
940a37d42aa55b74052efa6e9943597f5f58ed502238dabe2b3a03528f21a262

SHA512
43a223f53aaefb939feeb609d98e830b6eb4897f502473b60c0b21b058018ab06240757289389f7f2d8c761feb3e47d5496f5961bb22716a898ae78868c15bbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
b311ee8606e4d024e30788646de2ea45

SHA1
7e678505f2a2ac869adaf4889543274f6b948dca

SHA256
c39c82b0cae3941be74f337e7de7dddf1a76d472029a5b2d053df52d47fc814a

SHA512
64a3f269513926d0759e2d33ef8c89f03262364d45644e2af2a1f96175dce63007415675e86917184ed2d02e41d3546135f11cfbbcc53f93a71bc1e137529186

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
07821a8a49b3f61df6ac4ec757f45900

SHA1
1c34d67c96c525d8ea9ac8c6eb8a8a2d71ce80f6

SHA256
dd3a11dd8563db096240f5f1f5034ce390964954aab6efd76140f195d0216dfe

SHA512
3e523231e994ad85b0be23137b81b78a21137ab81a784e3519e947c3f2ecd9a6c4dbc9230e1a3d2d57a3f071e5b05aa2f9fee300d4910e6add35ef73ad8768b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
ec9ef4408fee497c9047f5b054ee35d0

SHA1
77da2efccb4aa106f1797c34db0126f685660793

SHA256
0de2100729e537ddda46c71181d6c5f0ad768d1c2f0c332b99d4f8095e775119

SHA512
f320186b19cd606bfc01c7543ac2e993f72fdbb8b86b20a65d2afefd47531ebf6c529c2d79f486f53fcd9e6b4a27035815d5a5879b233b06b47b76d2f5d69272

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
ff3417eb2b4d9a70637cc4ecea93c7d2

SHA1
01b1262a7daf8add022fc627f0d6f2d9f7900f2a

SHA256
4415d77df1defc9e1987406ef51a9334a6e641b59eea4b15406d361748644ef3

SHA512
c05ffeb226e5b387cfb0b8114d20076919bfbaaee86842ac33e2d4ac22e28ba56d7e0c1de7cea3b062c80eb591b9fdfe6cc1ac6b457716ad9e37b43e822ae0b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
b756c3cf3caa8205c6ef1a60a76af7f7

SHA1
ee48436d2d5e471c14942c1f6c3e4c200750e0c7

SHA256
b40017f899073b9d03eed433c1de6b352336830b712f7fdf9dbb4ecd43906f35

SHA512
4f1375506639fe51754f1da5c765125807f643ded3a9544c13ad9445711b9faa2bd7d7cacd6e060e90677687e1de127c87bf9cd720f1f858e06a4adaded54115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
9df03c51b5717897d6f62252f50e9047

SHA1
253c9834e5255c27a8254602e937b69fdef401df

SHA256
4a4e8ab553460017659a401347e1ec3e850410c2032f1e71c7bd6e678f33bcac

SHA512
cc412ba8d71df7e7c0fe259f6a53cba5f577c1def325ca81c620b4998dd43205e55c16f1a8919dfc632a749825f6d0f44d451d32340d0eea71e6cc1348f7bd57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
5c0c50e52929b70b02132eaaa9e259c7

SHA1
8d7ae58a3bd37c0380aa5d8c07c41898c5c29c2e

SHA256
59ef88c7aacd0fe8fdfa3f709d00c2f927f4a42a080bbd9e32d5479a4d4d36f9

SHA512
7a65476fc5bd4f5a87d7502cbd166535bece512ded9c1e31d29c32a36ee85e9fef341d4a3e2798fc5c0512a9f87f66ddbd3c64a6b7c610d9a884f1298e2047a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
dd921a8c0e99934e9723df3ef7ad652f

SHA1
4d932125541f4408c5a4226112e4eff7465cb3f4

SHA256
cfdfb96075f883fb9017e3436656e41a15c140ac491babd699b8622451a42d2f

SHA512
9afb0ad3c5361492f9852893031bcc781ff0e4aaed04569078d5409310ecbad1af549ce3ea209dac641e1c0421dab87651cedcaae1ecb4d1b9503d6cf46e9052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
ddb08cd6d45b7fb5ad2ab639b2bff28b

SHA1
9330e38d6c2f2cc60af546fe8ef12d8da3d98199

SHA256
5ff2b54535de7995af549ef104eda4d76d6ef32db99128eee3168b626e5a00fe

SHA512
45cf72d2165445446fdf0e5cec91e5e11afc92bc43c617b81f5ffc0dd17802ba5b50444ec1e70105bcf41668669292f5913413e94fafc87f11ad7fcb63397ef3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
f9b0cff4082f6b840d831736f4f94f18

SHA1
0089020dcf5ac64ae32579d79a5946c51cdcb935

SHA256
5b159dc16958ce43d817a55f8b3d119f0831ab570ea2dfbb835c8b5fedb3e7b1

SHA512
c4883af6b7f805281a3e7e816960b3cc8eff1a461ef180d116e12e36a9b0abf39475a96379cea094b70f129280c185826bb02b8a4f80491f09eecc9fe430356f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
895c627a9c9d966b215a696b2577b2d1

SHA1
167d43a0db3cd1d52d2f23325516f36d378541a8

SHA256
8350b7dd117a4af2c3968dbe679b6d88adb046322b10244262371cbc95f7ef9e

SHA512
5262accf20615f52dfd35548a2bd327a983de655d39d96a7e2837c28e37e8d60b76ca16c2cf829acee80f36f5eba76d5ca084619f296ddc14d6c82067c1f7db9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f4e0cd4f33ed24333a0895c8f7ce73ff

SHA1
38f8a90c40601d616c2d74ad823d4127ab603e40

SHA256
c7d41a3871ae9b9d97b791b4c275039fb0c7517280a982add5b11bfc4c96d804

SHA512
b2d77460ff6b3a3c81e9d99e01508d4ad5c845ce16f756e0f97cd5043b2ca69babbac3c55e6be6674e5aafb46e0a06dbb0298acb8facf84b032d5105632c1225

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
bc1ab9b0991f79d23c1b6c278f583470

SHA1
929c6fd08d45e26dba1f61f9e65a3cdcd17f39af

SHA256
a327361eeef784c8fe55e177022f1c8ebd1076ce6c0ec9004755e2428670db89

SHA512
ef9ccd8796126f9f8741ce17ccbd580b3c655a1cefa555c2ed56170e418a49370b8e962e40e28026b370505717e2f9aab12cdabfb015e41b19ca230c4e72072a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
ca291d4657e34b236713769531ffb7f6

SHA1
95a100dc27ef744e860438a7b13bb71369a9b5c9

SHA256
589aadd411838e61635748efb4951a27a184dca2f23e22b2cee57b1f777ac351

SHA512
04129537353a8d11fa8fe3de023b15f534680434ee273d7c91071b3a48332913f18f4506342e6653e1888853d64746d738b7c5663347085359cd4ec089ac253f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
0b52a8b5a46044e29799b248c21e1f8c

SHA1
061baca324c3f35e804063cbddca0db9d7c61fed

SHA256
67523e3b97c34f6c4eefc2b3c3ab2e131a3b3bc2dbf8831a241678c293b6a466

SHA512
9052e0dcab045d9e3d4711a18529e1ffcf0a018a4f239a77bb0e7e415f2b584a53eff5d79cef63bf4e2035c4228e32baf57d66a9562dfc6723cc2b122b07f367

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
105aab10341774363f2fdefbd8fd4f30

SHA1
e6a845a596ff3a023b1ae85b2df91ed54bc3b047

SHA256
8ed1a28c65cfff0b70f155cce15bd69cdbd1996f29c37df7f25dda258441ab69

SHA512
bf68d6b5e42391cddcdc22c6f2ad1a1d31c63e5967a81699dea3f3b8ee5b8f105cf948ad669402b23b9bb960602862ca3cec24e739257373015d5337329febcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
584870723bd146f2ed51c89663aeef05

SHA1
30f56c140383ee31df4617679ce9d53955cfaaa8

SHA256
7ae1bc842528ef6ab14f605ef8fe080d2ee3ed56badf58d3adf27c9ba51b4242

SHA512
bdbbc6218a363793e8ff792d8f849017fc840ef7fd838712da6a8b1a663dda7b04c582ee95f00264e5daaeec01223ca59580d3ae81869cc5e83571e17468c49a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
163a24940732dcb569a53a12f0397b4e

SHA1
85fec507702fd72d662f77dac85ab42f955cb348

SHA256
521526d004d4819bf8f2ffad2df22e4a60d5fbc30806ca5a9b09c929c310e613

SHA512
18892765ea71448d9587e2779df4e4fa811784e57aa7792a1c652118e92c3291cbeae1dea34c230d5a046d74e5267563d6472aa1eb4fc9fcb78ca184b63892be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
57437c84551e69ea56b4f4685a5f5f2a

SHA1
af1356e8d261bbd3153f181c3adca98f4ae9289a

SHA256
fc2ccb93e303107cda0c12abda52592ae392896983e961addedafb35d8b0eeab

SHA512
912f20d6f4a76c82d29c89128ea965659240da10c393a579f8d3a9902d6a9c3528eb2d334aa9a12f7f7d3df151daaa377d35160aa81cd206420b82a5c15edb4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
a7a1f2af018131ca81a235ee9cb90ad5

SHA1
c84cb1f60787d77a0b1b310b9200695e2f0803bb

SHA256
cfcdb3a2963b71929a83729d3e4eeb3b722f6034168c6d07c6a3fef2bd329004

SHA512
f04c73cc31fe852a2aa8e76a54b914cb4f44ce0a84487e1ec5fd745f60273334aab1b012962c1ed54e286c1726a6bf4af6672f6e75c22d1a9295eecd0369f763

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
35de17be4584494140d09bd50c06bb25

SHA1
60a0c6f66b2a511f81a0c4154eeecef6a85f36d0

SHA256
e889890a24675b13c1ec07afdb524ba75076da8bca8cbdc224401fb1f8866e3d

SHA512
2aa5b0026c39820ca2243146649141cb1601c4ac69cbbed0c5d38c21eda9562acb66a0dfe826e66fa85dcbeec95ebac6b98182c76fe4a98b2afb8c280708de93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
1ff874fffbff64c66408795b49451ced

SHA1
845e7f9b6b206fd5cd10dd591b4366beadb39617

SHA256
ef5c36cac167c9a9ab253e96306008c6a9c04f1623b3e96f56f0d178ac96fa32

SHA512
54cf9d96564e62f73faf3cf8384a0495a60a19086ba3c6ff51cb0b5c5cf1ba7503b796637ada102551a483ab9a262ea53ac263c10738a7d4506d37217592e31d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
b006962927191a417224b3135fbb5279

SHA1
552f7e63e316cfcb30a71bf01bcfe5329e0ba6f7

SHA256
6395c0b72efc48cb5d6ca5af354e2ef025aeb725b5f7cf6b0f40377e6400abf5

SHA512
adf25137ed72e34feb1f6917a09528192cdf95d203cbd6f13627c48efeeb4fadccdbb8e88ca9750a8f749df028e6d4189baef27befbd405fdb04ae9847ee8105

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jmap.exe

Filesize
1.4MB

MD5
e61b91067d157b0f8992b5a4fb941a81

SHA1
07ef2de967d07c2f6f2d20950d8555347e62053a

SHA256
7592062a886bb09337b12000c5488a344160daa803026f7e28e71e194cc31cad

SHA512
4161309167db321020013b8526c4dfcf956c159e7e458e4b96dab26dec688af13105e5b0dbd209e4bdc7f2959ea6e2751204b0ee8e8019e67c07be0ff656eefa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
1.4MB

MD5
4c741c369834481dc8095a88a5669da6

SHA1
ce0e52f208b8417bcaf554342c3b978d14484bfe

SHA256
d3f07f68597aa51c8ff46036b36eb45eb2c48f593ab7fb316360cc5d10967563

SHA512
c39a29a9427a993209a8d24a0cfde931eac92bce7e7c7c51598a832d84d9f38f8baac165e8dd30a44bc5ae3a7108f6af4572857ebd6b697b2dfcd9d3803f118b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

Filesize
1.4MB

MD5
31064125f4b48fbc0219f4ca15a6a940

SHA1
f10e85f49eb51dfdd9360cd866748bff6fa2b4e8

SHA256
1d4d0d3b31b54a954aa9b04ede1286e7f270ac0c46e0c999d841d1f254cc43bf

SHA512
c7a80d168ab04e257b0c00e1aae4cd51b7b9fb6cc15058bf8f5eed2d75f483a6879c29c76d97a78dff9b1afdac51844545d0a97260569f93ff1a99996eabe00a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

Filesize
1.4MB

MD5
999c42d183bbe3f88ff459c653adfb36

SHA1
bac0dd86dbeb68d18445e26299f2ecf149dfb6cd

SHA256
cedbc6bd0f76596e26fea95ff9503ee63fba6d0e5888beebb0753d77f2caa15a

SHA512
fc2fd5a0b2d7f0d2426d5fe3c16f232fa058accc1835af095c4af78916a6a6dc7768f9f2fe0dc8ab4822cf7b40470098f3b62cb31aa20969e19543b7b27a6fbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.4MB

MD5
abe25b88b3efc7d1fbe33162dc300c07

SHA1
ecaa902731eeee087b2e79c55903160bb4198287

SHA256
cfdb718f5da5568d96e313292c6c9028688aa2046fc8730b1e828e38b627d929

SHA512
a1ab8bbb7f178f90a74fc860272bfb6d383eb170e2e6c94d31725487978e44b3dc4078b5b8fcecf1bd8d3f86c8d0e277150e1296f26afc7ed1dbf3bf1b7c2d99

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
5ce8c5f49e9aff4d21ff139b96105c5e

SHA1
fc7022ab213635743d06daac9975669ce9c94126

SHA256
1c6e1298aace22b94a0444563e63a753e01e71c3bcafce5bdd43026f2b25a6d9

SHA512
3f5c12702e1b9665d84e909ed5082ef69872a05fc784de0754534c03c48a1c41328ee7b7288f79f9044d42ef8018998657dabd7958a54f6fd0e7a18ff33f45c7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c64768284a541028af1f32b79c75b01b

SHA1
cb6d0a382a5f704ec5f702aca9f28aa61fda35fb

SHA256
0e42e505c0b8f785938a5058c6eca3c25f6322acf1f19562cf8b707aed0677b7

SHA512
3bf3fab0368e34c122a4e9799ed4c6b0bcf0e712de2e7b6e76dbbe73b2707c154091e72323e49864f3b3c297b9f36bfc5caf22d4bfdfdb841b0dc2aa736ec042

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
caa7236d54d2acfa1e6c39db7d31ffe9

SHA1
1d9b261ec0aeef7483d77dc4ca7e8319884eeff4

SHA256
0109121bf8240aed635f1b715af9ab90417633cee82db35c92316cfce654e4ce

SHA512
43cdbe06b0ba221a59e94638b44c99a79c791da0c6092739c3797457cee17e195b6e08e5b75fc59bb27858c4631a42a879f737b5d11acbe68597aa339e5fe603

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
c60160f87b27b691cf13b1cb657e037b

SHA1
93845a403c3ce0a88966c51830171fa244b1b41f

SHA256
b2413ec2993acf7ba185f36f82393a60c74e6ba12802510eded5e7bd6f025867

SHA512
320501548327ea95d6cbae983b92abe9adc5ceb72a895e1ec6a0df8464db43d9962a3c3b2eb01af1905db96b1234416e4f5f89c3679e55f8c55f8e939f6e6068

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
964c5aaa503869bde5b18e0c3fa58392

SHA1
8492f866c46ed994effba48610578ba1bb283e83

SHA256
7079a2182f57d7a59dbd83ced56e99ed97b35af788daf41c490bc877be130a08

SHA512
2730843dd1431a191571bde38c0ae58d7c0b47c6104de25d289e2b5d92b29bd70278816bf4a2f57b3130992d71b753c228e6e586edf0af15e4141a6f4bab4d6e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
95333919d5b9257ec1c5e1d1145721b3

SHA1
ad1a39117d60fcbb8be294addfff58f6ee1c1731

SHA256
1dc3f68fabfcd99ad636bd9fe1a8e5fed7ca46dd35e63f80ceea9bb55edc28e4

SHA512
33ac63704b10383fad63bfd602aa317a6024a93d53c53f3299159fc1aea0d354bd04129eef365e032c605d8f71ccbcf7635e74d612f07508407bc6d0f5f40763

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e800a630422c45fbf064fcd65e890387

SHA1
cd55eda0c1b045880e6b75c9c45c8ae4bf55678e

SHA256
8f952f380de1b9e41861bf3d48576b84fe346bd9826b8920147c25883ad593a1

SHA512
39168210fce9d20b1a779ea66eab84a11c02bf35d95c793c2bbf67e254716c3b5487dec89a09f9bf396287fd5063b327f80a2b6285424b63ccd021ffd88a72bf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b0dd79475b8a87b79676fece62d0e36f

SHA1
3f60884727e12b6b71302fef16563da1375c8eba

SHA256
cf29c8400d3372f66bb2b8509a011614f9d51499e846f459cce6e8aed9d23859

SHA512
721b7d40c4c0764c07a353c8ba5db4c35c6be3cd315dff01af4ece0d0001b4cce6ba8d5f2a323357e0483e6d1477c0783d2bf87f6e5d489919623b957eaa456b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d479495e8acf36cfdbc08d383a80766b

SHA1
451f5fd4ca739a151efbec6f03bcb1a7f3387c36

SHA256
859a6048228b7093fb55361921fa1530380108236b1a23bcffa284c2db1c9bca

SHA512
1145bd459df6c0a94ed608a210d27b9b60848997c69fac67d5b3eacd777316b80832e5e3e3d4b0a471d9615958ea42d4dba143f6f62cbd3e2c88e07bfe23e2e6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
86a57dc6756a3a45c3169700eabf5490

SHA1
009279076124dae4537877d0a0619a561165bcff

SHA256
69c170c29684b0ae1840fae4d304089da96796521fd1227b44ddc7db7e606802

SHA512
1423a0426edfbe2115aac2fc901a4d414e441df87f7095f4e5a9a9d29c37025fc672c333ce9dd10f57ef7855044e0728ba4bafb59ef7dcc702f186a24dd7b977

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
cf2ad0a929a5918e784cab081d97d436

SHA1
3024faa11fc82f4d123c218fb84e1a30bd815ef6

SHA256
0788c2df68dde207804f24829db5a453ed588efe32fdcfc032d7ecf14964c8eb

SHA512
d3a18c5e90b2c47e5c9d8b1031cc35c1596918e2c196d7d5f9d32e33b4d56d1d55084fcb83a4e672da090dbbe6fd88a19d29529f3e0312c7b32adbdf952cdcd2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5931540c8399e557f9ac12cb46a41f16

SHA1
6f5a0786f35866d8f3f1cee68e4133a00dc4429c

SHA256
0a6d9462d6b5bddc4e068fddc8b5ddeedd15e1f88c12141c2803a759ef2fa447

SHA512
2ca613962ab36072e7269bf0074e00d2a1f9e0d3b6759d04a3b9658a34188e552d0dcc2ed4608c2d492f0e2b30a68406cf9dc815a482fac1b0c6904c023ed779

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cd4ab001d782330a4f5ff2ea8811187f

SHA1
550c5fb51846c62fffd2be68ed9c6a73de38f230

SHA256
cb5763b7250a1672f481621096d16c5fc9d7b49e39666a683bcaa18f7739d5b5

SHA512
8365133856fd4d02011b941ebbe87b0d686bbef04ea2e3a915ef5e873a6cfdb772cab4783641d0c3c4f3873f56ceee3fcb5e96059745d1baa8ecb4096ea4009b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f9d007a4b68357409857ac61da28eb14

SHA1
b8be2c2a92879d55f004db9268f9505ef2cbcc71

SHA256
7f92d65fda89eed8c64b0ff820065c8b6c178b49f4dce99c8190d5d94b62216e

SHA512
b2a107f4f170fb0937490e91019a89f6d2f1526d242f2366320845186da383f74d4f97ca2d7f419569e9bb57fc70706f056a18a3d6e02af9a59151112f58b821

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
64b19746d433e931c45a20f2bf010ddf

SHA1
0d5090c3318acb495c01d6bdc72ce60fecb87260

SHA256
aaa8fa0d836b895b4e0cf73fce15bf07d47ba0759730d553ce623ef41e598c25

SHA512
d6a14c799e7b278c146781a7c57252fd1f5b24f7e7be95168b47d00be2bcf70888ba1fecf438ed688a26f1c0ea04e2dea128011ae2a46573e2ff450cd6d1dd97

Download Submit
memory/668-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/668-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/668-38-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/668-32-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/880-402-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/880-620-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1012-258-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1012-380-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1012-257-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1636-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1636-619-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1672-403-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/1672-621-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/1724-243-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1724-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1724-242-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1724-249-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1724-254-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/1928-67-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1928-84-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1928-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2176-401-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/2176-275-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/2200-234-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2200-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2200-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2200-20-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2408-381-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2408-618-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2576-614-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2576-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2584-610-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2584-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3508-341-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/3508-617-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4008-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4008-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4008-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4008-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4584-324-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4584-611-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/4604-413-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/4604-290-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/4660-2-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/4660-30-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/4660-8-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/4660-0-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/4868-362-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4868-358-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4944-53-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4944-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4944-61-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4944-64-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5008-615-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5008-330-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5032-414-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5032-622-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5048-301-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5048-511-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download