fc800c3c9b351e71d02286a12148d1e4707f28088b611c3dbeac62530e4af0b2

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_bdffed9d5fa724a228ec9793722fc102_bkransomware_karagany.exe
Size

1.3MB
MD5

bdffed9d5fa724a228ec9793722fc102
SHA1

e7e8e400bbdadb0ac5941e75382f48e4a0609b26
SHA256

fc800c3c9b351e71d02286a12148d1e4707f28088b611c3dbeac62530e4af0b2
SHA512

6b0a9bd215383bd4ce200dc4c2ba11bdf4da12a6d79c650a54d2eff2432bbdd0513c737de0dc62d02b9b2d39b3a57bc7a988cf9ec4eec44a9e216be4f21359f3
SSDEEP

12288:qvXk1DSbwoqg0fitGbna8dQcLk/+cb1q86pJDlAF44bE2cSX:mk12bl0fitGbna8FLk2m1X2D4brr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
464	alg.exe
1628	elevation_service.exe
5052	elevation_service.exe
4736	maintenanceservice.exe
2628	OSE.EXE
5080	DiagnosticsHub.StandardCollector.Service.exe
3924	fxssvc.exe
3660	msdtc.exe
1468	PerceptionSimulationService.exe
928	perfhost.exe
4696	locator.exe
4688	SensorDataService.exe
2580	snmptrap.exe
3804	spectrum.exe
3384	ssh-agent.exe
2104	TieringEngineService.exe
2832	AgentService.exe
4480	vds.exe
4264	vssvc.exe
4400	wbengine.exe
1508	WmiApSrv.exe
4932	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-16_bdffed9d5fa724a228ec9793722fc102_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\18c5837bc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011b064f9b3a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e5cb3f9b3a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003faac1f9b3a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080247af9b3a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbe69df9b3a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eea5ff9b3a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3172	2024-05-16_bdffed9d5fa724a228ec9793722fc102_bkransomware_karagany.exe
Token: SeDebugPrivilege	464	alg.exe
Token: SeDebugPrivilege	464	alg.exe
Token: SeDebugPrivilege	464	alg.exe
Token: SeTakeOwnershipPrivilege	1628	elevation_service.exe
Token: SeAuditPrivilege	3924	fxssvc.exe
Token: SeRestorePrivilege	2104	TieringEngineService.exe
Token: SeManageVolumePrivilege	2104	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2832	AgentService.exe
Token: SeBackupPrivilege	4264	vssvc.exe
Token: SeRestorePrivilege	4264	vssvc.exe
Token: SeAuditPrivilege	4264	vssvc.exe
Token: SeBackupPrivilege	4400	wbengine.exe
Token: SeRestorePrivilege	4400	wbengine.exe
Token: SeSecurityPrivilege	4400	wbengine.exe
Token: 33	4932	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4932	SearchIndexer.exe
Token: SeDebugPrivilege	1628	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 5260	4932	SearchIndexer.exe	132
PID 4932 wrote to memory of 5260	4932	SearchIndexer.exe	132
PID 4932 wrote to memory of 5284	4932	SearchIndexer.exe	133
PID 4932 wrote to memory of 5284	4932	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-16_bdffed9d5fa724a228ec9793722fc102_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_bdffed9d5fa724a228ec9793722fc102_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4736

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:8
1⤵
PID:1320

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:928

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4688

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3804

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5260
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
1f8cc0396c34d8fbeba7fec2f6056482

SHA1
69eb57398b36cfab5e1bcaa65d2747944fbb7620

SHA256
cb4ac9f3411423cb03ce80abc93a7b7da9334cc1b8732012463fcdf684dc6d67

SHA512
a878b0286f2ac924d41b1c8c5073ca528f5177fb59f24f360737e453703be5371384ee2c3c44f6e608a77a25e506a5c48186eb62d6beda0f9146844be0f74afd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5d87188e88b39691412943b525d90c59

SHA1
5a54f06191dfb8ffee335980210aa062de63eaba

SHA256
4a840a06d20fe2597643cb19f27abe61e696a98f6e75c8504abe12ab3c65f577

SHA512
8cb0318973348be22a1310beba456e82d471c70931b17e140208855bce3d888cc9afdfab2c2fc7bfdb1be9966abe8c9ab22188b196083304cf23cf7bd8bf1668

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
4234b20ef4df30009bd6cef1d8b9204b

SHA1
ce7935aaee11c377f17aa3420c2a59215ed15c4e

SHA256
3e8b3dca12c964c64d4b09b4616dba56a3384662aacd699a146eb51eb4efb589

SHA512
f758555f1714e5975dd364a442163b93d3db4ccf1fb9dd7b30c53414e8368aeba39ee35a99e2390968dbc37843e7ac497ddbee1b624601d776e9ef12a85bc23a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dccc6628d3b89e236787f772e8dc3723

SHA1
5bd3439f741f51c48bc02867d6418856fd3c5d86

SHA256
5dc9f6db3abf5b312b20b3f1674095117b4fd6ad70f2e103786c4cf911e4ebb0

SHA512
dbc8396f989d2a7555091cb69ac8043deeb5f59d326e2e50dd81f15a36406b7efae0549d4686e4f03ea573f5cf8179920ddfbd18a4a93051ab8a485f5e1e16ab

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ec94764c637f50ce94f30f9ef473d4e4

SHA1
0b8b3d77dce45657564c09f352b10cfa2675eb8a

SHA256
d08cc3d570cdf4f640e2d623d8e0cc110a0f33b14c77871f8f8ef3a2b7704b42

SHA512
0cc2ed5874516fcc768d775d88cdd6bfa0c985b7cfb6202003279bf78851bd0821cb4f28657ff657ca2005231b1550fceab5e406e8d2f7c60a94181ab8acb8c2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
a2b17727328f010d4f637c9b06c1928b

SHA1
6c390a3da3c3478389cd6fc3730b8d553a20445a

SHA256
66a2fb25aa5932b83762d4058e6c5fbd20bebf51e0efb10a4058463dcfe2d78e

SHA512
b5df28119a0466248fe6586a85a2a189d00281b787b83485796f5d917f9962cb1e911c5134178a96b5f51ae282ec5c17b2011a95e64b9f0c05237cddc9213d0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
43436f7d998a09830c9d11a2c8035446

SHA1
1e94c7df9716c7527622b64479a0fc4549e56b93

SHA256
b08e83da3651536a97aa74214a96ba87c8cdba5a04322d28e11db2e7f6c3f784

SHA512
62315f69f34719a55d7e9503bcb3877ce311d82dc46e639b85a55cb36af7b06db50cba91422eabaa636618d0be3293fc4e5eaba537c21807e6584e7e2cb7c820

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d1263197c1de2b33bbae5cd93f6168d9

SHA1
35801b9d584f32961c1b4f1901cdd7ce159a4513

SHA256
5a0f6e38129120b58b982992eba79a570bfe87499d1660c2561d7a963e105197

SHA512
7b99eb6c49845d0202d0b2460cb3e51a99130f288d448fc2dc356abe1af11b457db51e8276677c5b01ba39f20881e7a76b054adbdbf307b4398455f666874364

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c6724f550087e61c93713c6fab22640c

SHA1
7740dd9ba16bdf4abdc98ddae27b925cf4771e62

SHA256
46b099b9ea84d0c2bf1f4e7dc1ac71c3f98089a325c27f54388ff77fef184f71

SHA512
a87a9d5893eb72cfce315a9e6d1942e8997d61d33753bcdd4608aebdd87c9e48ee74de449371b5c6a10cb9d0d2e0e818a76def56281437b3f78a2ca50187eaef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ef2361c995ff84e457bc6a7ddd306b8a

SHA1
595a0d14970fa28322547688256f9c18fec16248

SHA256
4cc3d9afe3841927320d809c34a63b87ef9301c0aa60484b86c82b4065c0853a

SHA512
7fc713b12e8f9d79402c8ac87ec23443e2780d5b579c0be844bb92d63043259bf5e17f9160a2905103731792b19d40c8b8a9836727da715e73e1295dd269b9c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f36e3c2d29e06abe377cb93efe1ae9ae

SHA1
148d3e67deb3fd77bd3a3abc8988917fe3da8864

SHA256
f6ccd8cf321afc15b09d2dd9fc6908081d1b26be37a6c9cac8ac6f908af9907a

SHA512
54e6a9c78b5ac253d351bec04fbfe80c86ad4c6b01e9ec059b9e9fd863db63557f76cfceed8147d57301db381e7dccea7c422f24ab8d93978a70be296fac49ab

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
63ff91aaec7cde6337bd26930f048219

SHA1
188789b29cbb12665a6cd726652ab5a449223718

SHA256
54b8303a597a15dfec08f3a78cce4e1ae148788f260382ca85b6a91b59e6064d

SHA512
74469e9f274a77637d12ec3c9fd4fe260888390fe0cb171a3fb95408e975239df9b344b8ec4786ba3c5e16bdb6940713ec1a0d87eba605545a4a959934c70da9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
748b5c4dad66df9a9557601521e394d4

SHA1
260dbce389b87862777a919de45e07725fd4e6c0

SHA256
b55e2a2171cf36614e0a703b6bba2d002c84f2b450fac1ca324025951efa6fc0

SHA512
22b284a941d317c12d138663c9021d286836ae2b7733e7f03454faaa6d82961a3cc72f14b57d6fe2359c938b960b79dbe1f512c773de038be730cfc162b19508

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
1d159e5ad7b2dea461fcb19f3d6e98f9

SHA1
d11a7906d34963ba3f03b71b11a530d81846904b

SHA256
985fdaaa2cd0bdd08a7442ed0997b0391bff22866f1d6974fa7854cb9d12873a

SHA512
48be50b4902836b46d7e1ed266b0c14e4e9e9a443f64a93a26320d870cc6553a7849fc73e7198f67967d98f9e4e9db8f972ed3f2e503a0abc3ce33ec64a51551

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c0e6c8fb6c4df64efcbede3f87438e97

SHA1
6a28c82376c43b40c4a3e08c96efcebe8af129b1

SHA256
3534bbe5570455ffd089d941d279cf29df83e15e884e3bbef898a21e4342ac97

SHA512
67b66778ea05f6ed8872f1dbadd39216f31f8488833f7b34a481cc506cf8ee513470178f2d357ec962bdfa1ffed677a36f61989eb9f843ee973a1779af279416

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a334c946f002ae1e8bdcaf2c32b2f4bb

SHA1
a6dd3f67b8ddeef55848e17c4de7474842c436cd

SHA256
140aba963a8c7b0979b93f69f60ffe6756400b4931779fc7a088d1dfad397330

SHA512
d9b18c7ce1d010f11d9e46635e8517d040cb93085a87a5b0cba1148067b16a2a54315051342a40f441c57c14b6864b1bbfac388975fb0dfa56d91de9db18451c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a194eaac0a5d800a70888bd59b1e3592

SHA1
c1f05f694a536d88e5b935ec9ddfbcfd1848f361

SHA256
f37dfc8d6c68aa666947a96e22d8b60065dbeb4fdfc8b3dc1e1c81424aaca6a7

SHA512
7c9702f2414b8a22e8c9ecf5a8c0caf848583e8b88914d1fd0868ab4822a8f058aca89f134c0c358ca57f8d0d1de7d32012ad11ade1ebdfdb2cd1473b24931b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c053592989ee7be01a3101dac48ccd87

SHA1
de1d947358c1b35bfc0252268df2ca748a8902ed

SHA256
e055767f4821c1e5873fcb35ebee91a0c1217ba8699a7771abce71d696f9ba8e

SHA512
4bd26352c828bef129c02170cf27735b8c42b466be6e9b568ba20e35957879b4c9e6c2464abb053072a62618ec0938e70ce3af1ff41bad04745276ecb5bb7e7a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3d1e7a1213aff61a98256aa013b0bbed

SHA1
83fdb1517e8c45948ab56bbc88f40955439b5e13

SHA256
82b022d4a76b2743175b36ad7d54195a1e9cda3aab769b5702cc5a57d909641a

SHA512
0edd6a6901b5199e674a890235886e4e1bf8c024bb3a9b04a4e0413548988dae2810e995e1a0d5b16e36965da3cf0f7dba7f7ea44ca935caf1bde15ccab71b93

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
39c508d73151a1530af26f579199e565

SHA1
9c661da5abcd5f18e78bef3c07a6e9ba6661d6ad

SHA256
46309e9401823d8bd0812f94fa5f05ba75b734703a2258b01abaaedd61b21cc5

SHA512
10f523a7660386919a9dec08df8392a04563a67dffc1d6fc546aa767e89709a3210edcd3984f148994ae565fa81eb560cb5e5a79048342fab1345ad950f7548b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a8533d7b1ff0f9968e94ea6a82742e18

SHA1
43139289bf2064f566d9395a8b97db009f5cfcc5

SHA256
f8d09c5a9b6b44e296c10fbe24998e501defd72b6a2b3ca30b7640053af6c28a

SHA512
41a525117977918e17ce6da4fdf32a38f4cedeb81cf9f9432d0384d5dfb98077a26d5199f50043b298f50e77d462845bf657ede89ce447f44f7ec2f5344e2950

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f56a0acf6a290df07239c409650f3b20

SHA1
20cf2f0d8d584af85b73d8b10d1c4ff4f01b0a39

SHA256
14753a181043a8011e23d7a261e7206aa66deb00d0325fb8991e3dee61083839

SHA512
6be9c3ba268a907b9c1f23c1c33a2101384d22fa0515223f0405048ad1253a758d1a290312d0e7519bef1f69e4356fa5369d8afaca1725e355dce3d4f6ce2682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
ab9e39c971dd90b6c4506915a39b4121

SHA1
0b9c2273e3c2d60c9b1f07a8591adf1f27f57180

SHA256
54e6cd8d79d8bc1c934deb4b74322aff89e5e043ea800ce538bd1aed75bb9bfa

SHA512
ea887642ba162afa270e144b69db8a669e46ff8dcef6030f7861c4ec5837d3c3d8c2d6ae72098d034246fe9fcf53d2c31ff51cf4aa410da7500bc7cd74259b2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
5b9dcbf6fd68c2d94594252dbf5edc2b

SHA1
e0374e3725988052645a2eb3c060c9d84c9446c4

SHA256
4ad4c78a9e0e11b11804dcc4078064b757dc554f67360d9ac3543b70cd4179b8

SHA512
743fe680f4ec16de1aaa5dd48833436193700054dc8fc0653a986fa6c2eae768c00eba855f8f776fb86838faad6f7f34995272883b21099e6853d09f3b0f60b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a1eb0ff068dff240aae2f9a89a665a9e

SHA1
cbade139abbf0709ee07cef67a0d8acacf88a988

SHA256
144ab4071170f53836e047fc4f587b9718899c295530f6223be2729b5a18271a

SHA512
8b7c161f9babc0bebf3e1f13fe5ea6ddead3570e70c2007c502b438c4e4234ed4d919df1c095f1745207c61cf519f01bc9db213453313ab77793d91f6d261006

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f1a4f11644005cef01cc09e85b52dd1c

SHA1
e54c85300834711d0f2b66c1fffed2eafadceceb

SHA256
4e2099a0a295df4fe30d9fa4a04e7375b3ad1953303eb47e048572d3aaed8f67

SHA512
5fe74a1144687d2d09b0310f265289cc051d503b3fe307c382ea9e20df06966b879d835287c49ca1b4d7376635e875ea07fe5b541827af129aed171936864602

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
aa250590b15c00d2e0dba8798cecb6ad

SHA1
509f8379cecbac27c9e100a0be5f6d2f8ecde60f

SHA256
6f51db5dfbdfb49341f24661434d5152e7d86c6e73c61aa6ead249c4c07aaf85

SHA512
bf49fcb2f476cb43a1de3e53068040f5b585025330cc716b8521faee1def74a3c3d30dfd161fcc0c013e794e5b56a6c95f503f6ecf6fd329c5c3ee3e35d4f7aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
34a929b6af194e2aeb201d5e9ae38d73

SHA1
93e0ea770db7ba208f9f47d5695f693397e8b010

SHA256
2197009a699a7d627fb8af904fb8756ab09ce1a3b4b64bd420a42dd793711a31

SHA512
6791dd14128fa2d370de5d8280e293ba4cb45093f4fb7218c755d41ac303ea432903946d0dcd87edbcaa56fb5cef55f0b641c4a82e5eed742515fd9f74809af6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7bb479f59c8d6bc31abc7721a63cc601

SHA1
697ce1cc9472f713ebcd06c0482f1f7420779071

SHA256
81b2c8ba52b15e16f1411105d83a2027b171b16e8032656093ffb28c2d3c3421

SHA512
8858c97c04f2232da49e433be57f00938d96e3a63ca550dba656e3ea075c82ce02cc479388488afea268e5248914f3d1efd8f8d8d70352c8b04ef5243ef8e462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e88b1a2b42ae656d9d7a78f7446800ce

SHA1
c19350167c678474759a5492f417e76859161d61

SHA256
30d4f78069de6c07a40d9efbb73dad2a7c4717d6f187749177b8a1f42df7a193

SHA512
c0e7e277ead2986536d493c0ecf99db20fc28d577a667ea80f44f5f8bcd6387d0a5426f6608d6b42608a689ee0f441b9176089f6054bde5e95afb8213c79179a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ac2b5179e2a49083dd8900782415bd50

SHA1
b6eeb5a33fae6ad144dd5aaf95eda801bfce46bb

SHA256
7b32a1a956c7bac84afd9c9717382d882a7ac1fe044280c3bd6931d5e0730265

SHA512
0459310e192d4e324116aa10bae51c8189c02dc56fbf3b22d8c2e686f27800f8458ac45fd7f92c7222af2ea5e369ef76da9d5cfc994e576354b214659688fbb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6678303fffc86c1986ee575a2f5f5de0

SHA1
29141791a904ac255024b847b7205a99b662193b

SHA256
e0a7978f7df09bee709f0fe2a85919f0f073d13614691f481f1b0990508d3c2c

SHA512
09ca945669b36b2f9a6458b0c0209d026a71ec7db342334a46ac16b2994dee6aa39e1e84cbd051d3a9c57f85b30cc8bbe73c4604c777e249938b256f7fbf95ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b04f752bda27aa8b8d177c82d74a1d37

SHA1
3f6951c26cb69523465a3e50a6189ccb387ab2e7

SHA256
a4258106d0d2c047d8a9a72a239ad30a1c381e112c30a0443f045323164d262f

SHA512
41492e9a08cff109e3f3d02ed65ce0601b975eb90096431dc7d68adfb13fa185c653bbaa9f8c5de76543add0d4177bccce5b75c5cc49e2fb380d63840dd4e6b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f0bcebb021e17c8f10cbd1efc41d2c04

SHA1
29f826a365ad768cb6458475c8a07b6a415c5634

SHA256
d0c86371fbf73a942983710b4775ef2a6e63c5df145e8a5eaa84c83f5c53f8e2

SHA512
7d1568a00c26002a93296d9d460b8be96baefe10659c76ab39f42ce346fba3fceace971c5932a1e49beef1ebf5990a62c1dacabecde97b3fece2947e37d77996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
e65f63e58c7d130b94726d3418f9235a

SHA1
8bb36d1d1b1323409ecf8481e57df613267cf242

SHA256
bde8e3c1b28e28a1cd8ac666799798c40cb08b51a306215cd14339b20a843be2

SHA512
08cd1cecf2a4aa30d890dfcb6bb85da6ebc514d40ff40495194b6ced090d9475e6197a79adfd681ead5cf3230f30b89213cacd15a3563ee6643e2c4726d1aadc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b57c32868105b8a5291302436f0e7270

SHA1
e4e23dddfe9d448f86b352759d4a301963c35d29

SHA256
8054716237fb898021cf7ab7d26ade3cf80dc1c38b6ef2cdfef70c9224e33f99

SHA512
541e72874b255fd2e3fab6cb17fdddebab41a762f70b5da7ec009bc29cf64a53d92aaec4b4bdeb119806703dd4180e4707a570b8c77079644369e779f7ae43ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f5c2636b1e78e93649e6b1de44dfe8ae

SHA1
92bfa092b6d28727b3288f72a3e5c6029a729612

SHA256
2e9a796f848cb4e2406cff633edb7a01038c9901e5ae1a9b29544307db3100b2

SHA512
b71fb319084dc22a5ae9fe6b73308919a63925596786d271a86f531a7e3f2a7c600a4fb7eb25164020396c6b914964ef128501292cfa53c4176e4d01bef73396

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
99d230a9b9300f27babb4fe8278ad6c1

SHA1
bc563914e492eb623ea46071305783cfeece3bc3

SHA256
50a9a607bf862fb649882f781deba695cc792262c7ef696b68063b26a3e38d0d

SHA512
6b4d370633e758f6499ffb9cc27eb855eda9015463b6e5b073bdaac9ca357da977e5a3fc15e74d6cc91bb4cd4d602c735ed15fcc70431490d02c7af8bf4ad41f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
ab3d7408eb9a5fc6fd76b201123f8e6d

SHA1
776290260c3b02a04be0383475ff3e20eb88189f

SHA256
1d2639ac93d7a14a25327cec73b684ab96af84a7ec17eeb59789fe94eae9cd73

SHA512
264e9e41e2fe5c537985a18d58f709901dcffaa05d6e1b98f0dc2be1d430e0ef7dbf7369b53f57b87d7806be695cfb7feea29d1c846e33eaa50f75cdb747f91a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
63dbb4c422c40f3344683e0c465c9c15

SHA1
503502357f95dc003b12bea5ea987da4c782a3a1

SHA256
6bf2e62b646962d86a46259a99a07ae4c263b33ee413e5567680c0e70469dd8b

SHA512
e07124eab3a2f798b2a2b4574742fbf4be1f35ade9752a48f3f48cbc4e371677b1f313dfab04b4eae3babd4782509f346dc58cce241c828b36138577237d3d9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
e462e3e652d1bba9bb410c9e704f910d

SHA1
82c4ca9b92750ad4e1714cc3f2f8339a9c01105c

SHA256
ff784b713fcc2de072043c43a5eee10682c069b37d2009d87cf591cc48b51b2d

SHA512
c531b0a47f3c80c8e21e96f8d337a2ec542d51f6e50b1f52d0d277afe81dcde24cc627f25649c99343cc2ad01dc4c794a816e005f4cd37a64d082dc5a61a242f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
9d8f9a6b2539e385112e244632279fd3

SHA1
9a94fd17b681ecaeff26788cfb1aea23d8ba3900

SHA256
d4f032027c93c4c792f53c9c0799b1e659c9b7751558d6b2ea6e33adf1cf00d5

SHA512
52d2bf3117baf2273b7445090f67e0b2ad25df4effbf6c062fb51977c17cd4237905bf5fb2e00a2e8885e9d7d9b975b478d1e697c28b645114f2b4dfd54241f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
c950aae9532c9394277860e540db1c1c

SHA1
db578cd1d82bfe6bd50899c64ddc785e01691296

SHA256
ea14db346a0ed6a32a9ebc3d33e88deb9acd8d547813d073c143097de8fd54c9

SHA512
47d3295659b8a46f816d78d9c1c7ce3dddff3200f1dac3d7073e467f518eeb41ca0bf037e96c166b3fc2aec735efbedb75ce4431321e783ed1d9fe24864f9c0e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
aa2d674a5710687a4f44495bf211196b

SHA1
bbd456fc4aad4a3625aa6f0ba559b99eeab1608d

SHA256
5161cff0aa1ff99a6f13e6fd5fc5f0c403a5b841c9c0504409b152380075b1ec

SHA512
af7496cfa0fcce4baec6836648357dde7217843189cd97288cb7013740d31cb9f3fcf217c9ba089da073560881a21ac874f5920a6f2131073188245b5702d690

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
366bfeb3a6495a870d16b63323fd988e

SHA1
4e05d4db358053bdf14fe289a16d2e4aa7210362

SHA256
73e3c2cd781f4b46e0397f7333246e373303696b54a5ef74cc2828eb4ae38396

SHA512
7906d831375d0a1bd266787c51487a11c9ccf68b1ef7e67b6a34cbc001f1ce3a271bafd1ca03afd720741288a31f48f5992ef0452626cbcdb5659eb039095e39

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1d1b48eb4802cb2ce13c1b9ec147903e

SHA1
01d7ac3b223d58f3a115a79fb20bc85488925584

SHA256
4982eac16f91048d77802f417a68b57dc6de3abdf2a1fd522107a7abe1bbd258

SHA512
b3f87fd3f1a1c4234ada77f066dbfd327a0b8ada6b198ba90a3e68e0071981ef68ba4e320472f800b1773865bb31efb75a5079bcdf3d77d882be4f7fa145f73e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
eca61132b284ea5df1d360057d018639

SHA1
e5719c72894ed28b9a8277d1d0f41fa0a5374c0c

SHA256
58641859edf9b9cd8c3cb813ca21c32ffd02c7db9e0642b5f1c0e2899ffcdd7b

SHA512
8e4e00fe3ede6add0cbc3d0ba7139e1d1b465e0ef4d9f129d3a24dfebbf690c6bab3c931a2106cfb1dce3e22a2d944076b6881f98699fbef74000f0f1fd84a11

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9ac2c71a59b257151ee1baad7d5305a1

SHA1
50a60f99f1fbc4e30c811092ed85153c7b5b278a

SHA256
a80fa298249f372ae92f09546928087a171d88572eda388f2fa82b3d21b911db

SHA512
498467526642eebe3005533b92980b511645323e29893640d38ac199f9f2f1a9f3ed1dd4c616f6b79833ecf21baa63622a177873dad40e2b24525369b7dc00ea

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
981a3bfc5222f05424e641f05ef6181b

SHA1
81939a17823784d12b54e735463ca1d35fc0167e

SHA256
8bdd47672aa79a63c0fcc4dfb77692158d5c2bb40d3e0e0f26ae9d465ce770f8

SHA512
aead33846ce237b668e90b4dd6225d99f1a22f68e718d78acb13190cba577306a376a05f4ff02b9b176fd287022e886f0f1b3211d3549bb0864436816a2dc1ba

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f56f4f19126b39061e7fc1a8c350309a

SHA1
efa961267bf652031d37fabaf8bea1fec6b5884d

SHA256
cc7e636be99c6b6d0ee1b16cb9ea5c7efd6e5b03fbbc7ceb90cc5bd525cdd6a0

SHA512
e62baec94889617d825d5808823a2f7f6edc02702b3ba5df351b89b07310562adf26074a35e1cfe4a00d45519f701f69a0f5b97f07c8a71c40d500a531884a5d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
c974bcf20ea81eafbdc28203e8f4e5aa

SHA1
63657bf5fdf1e848f0a377ffeb5e9ea853017dec

SHA256
3171dfd840c905da66863d63892db787e8d2e229f801597ed81f03c976d2f569

SHA512
db3200c9a96472f02f1814bdf192e15c2f98da38cc7c88fa77f8c22c0f50bbb6c01299e0fbb4e0bf3b36b6a585bbcf0900233a31fa7344e292c5aa53b65d6f89

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f15d3dcab3ea6d32f2ab5dd557973378

SHA1
7e63011aa643ca48a9e0e4b0c316a5840c45056d

SHA256
a8e636d6ff2fb44542046b63a529b5ef4dfef9c1866063507e315cad38b3ba3c

SHA512
123125efb2534538aa41ccf8918199ca126ae827bc197c94c56d744f8466dd054ad14ac3374cca89b364a6d6c51e5edd857060f3be441c8c9e694104a6a3438b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
453d53a7e40dac58dba6bec593cf9ecf

SHA1
af4cd353f1763aaa4f519b43a5d47e26e55dc199

SHA256
284be2cdc5c17725226ffa7972c8b1d482d1356ff38d26257c9f6e70a56d3a4b

SHA512
657784ab1c244281b7bf0eba082ea76e5e185501d39193ef1c779c5cd1c99f2fca0d93188cd191cc4c4fd7cf626f9dbd9a2f20ed5d9fe0cc236eabd63e320858

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4519311a9c16c1c97ad6fcb28cbdd815

SHA1
935c853ae6cda5e21eabd8a6bd119257ebd4d3b7

SHA256
96555451a1f9f2f11812a3b8096897f867f167d029e05d37ea0f3719bb00ea92

SHA512
86bebb8b0108edfffeb2d1ad2385c74fa74450f41766df4de5de7dc5480a01a8feeaa2d1862997cdf4388a2e785275008056b3b2ab0bad8ec09bb5be0fdb2b21

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f79c741627afc1cf63e7290e8e4c7e55

SHA1
a743b2664f838b34a68438c858b82e956f216c24

SHA256
8807bb4b526f97f018a91962225440c04fa113845eb592764e24cd26ef1dd4cd

SHA512
95d32ec1db8b6128a2946dd0b4b76c2962b7c32c1c665c27c3f2654d51f3075a90aa109981833c75b0028bdf7e79308ff0f3ac5c8b93e719e43a9b7f33289e3c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
955bf8b653b7873196093eab9d2e8316

SHA1
d5b01fd311b69a3387e4c47fa1da9f8e1595634b

SHA256
7e741f7637c355eaac62b550755e9bffb815d8f3cef78908f641c402eff0e709

SHA512
2b927c6111f8779aedf17d501a1b99c3bc860c258e10253fed9b855bc5ed920ee5fcd170ea9eb908375fed2d5cd5afd755cae531991302aff3c6a86489ea90d7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
78fd1bac9653f7bff6c595ced01c921b

SHA1
91ec07b785eccafc2706828aab3229f4ffc0220e

SHA256
648038bfd128112e3ce22556bc5f5ee34e9f3038b48744ce355b3dc544bd37b1

SHA512
0bb31a7eb56dc1ae6a4cdd34b8d9a5af2c6a315bf9e47a5b943b8b45af1c9c30f59a4e0d895784a96dc51c04f192e0d621ae011514a3357ac806c83b7d84fad4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a370bb0c675d383a5e3c0e97b81b2636

SHA1
4aff23032f5ffb560c9295ecefe1814ce2efd920

SHA256
c1dcf19d89a26fdb34d5e7cebd4f40200d86458d04e8fb84d4ab8856fa058aaa

SHA512
8ca64659594b667d95610d36a48478ed0941a8a54d6188bceb89be5c6ce32fc9c24205ff8ffdd33fc046192b13bba1b4a614f8e25ef138c3759bab6947fec241

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
55a5eb2ea51550acd74e63f46593cbc7

SHA1
8174c0c9d02999a0af0033d83d6831a678f2d39f

SHA256
ef3bdcb9fa9c37a177beec3eeb9cc2b9a3d2da46f42479e61cf1038af1725b33

SHA512
c4cedae892225beaecb2b7f6fa6f7d17e593625d2cc0b4dc6c7da8e2b1fe2d255d2944624dae0b68867732def06ddd8ad1658443c603cadbca5000a688242e75

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
030297ab8f1ef9c3a905b387187f7f71

SHA1
6c1186ee0f5ceccc4ecb00365d6662a707021f14

SHA256
465d837adcfde1e433ca6ef642fc0a096ded8cb60cd30789dcb9fdb232b84c1e

SHA512
acea049d56de6fecf820c78090ba270682992e69c49fdc0556e00a806510fc44943a3611747c31229658f7860c79182e2ec0a443889b6ec6cc5a023199593562

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
61a8d68d94e48f4022c8e9870467401c

SHA1
9fe6d5a77ffbab8faaa0814bd9bfe82c446f2e67

SHA256
8620beb668fb9b1937f2e9dd47a0be1070de2671a151ea857cbb847485811d72

SHA512
7a759a4491f91084937ae8d553c8b321ff51ca75c29b6857abf81374afd81f5fc95c6649636dc149cf35daa0133468247e67c4597f8c3f871e0a611195efa982

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b50674fa21e36e6909c7479aa19cbb7e

SHA1
fdfe7ed9a6ff692481b675d9a82df3d6ed3326dd

SHA256
f88fd6e768e1beb0ca2bb191faef6481931bfe396f1a3f0243779312f5373780

SHA512
495ee5967d14a5335b3077aa7f64e9d92ba1a0877c4c33cd7d413e0b128f0ca651fd4afc1974c142390822ce7159bc7b1723f5432d99927bbdd0229a1678c72c

Download Submit
memory/464-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/464-17-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/464-231-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/464-19-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/928-293-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/928-403-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1468-288-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1468-391-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1508-656-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1508-416-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1628-26-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1628-34-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1628-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1628-35-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2104-650-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/2104-362-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/2580-328-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/2580-516-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/2628-236-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/2628-72-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/2628-60-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2628-66-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2832-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2832-365-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3172-6-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/3172-1-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/3172-23-0x0000000000400000-0x00000000005F3000-memory.dmp

Filesize
1.9MB

Download
memory/3172-0-0x0000000000400000-0x00000000005F3000-memory.dmp

Filesize
1.9MB

Download
memory/3384-649-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3384-342-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3660-379-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3660-264-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3804-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3804-648-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3924-253-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3924-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3924-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4264-654-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4264-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4400-655-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4400-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4480-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4480-653-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4688-307-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4688-428-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4688-647-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4696-415-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/4696-296-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/4736-69-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4736-71-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4736-49-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4736-57-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4736-55-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4932-657-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4932-429-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5052-233-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/5052-46-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/5052-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5052-38-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5080-353-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5080-248-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5080-242-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5080-241-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download