899e2bb6c9b56257809dc8c912b5de68b8c1c4801f50ca389ba233a4c6e97357

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
Size

1.3MB
MD5

ee23478d9ad041844843453d30cc11cf
SHA1

1b5b0fd292f6c2f467a737dcf872b8e403b2484b
SHA256

899e2bb6c9b56257809dc8c912b5de68b8c1c4801f50ca389ba233a4c6e97357
SHA512

477b4662708f92cd8bd0f9921ef7f68a1f314974bfbdee2b7b471f8d368ad91da049c57474419762a5adc03e7b13e99e6dd640136abee732ba681acf0d67d8c6
SSDEEP

12288:mvXk1CXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:6k1CsqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4172	alg.exe
3848	elevation_service.exe
456	elevation_service.exe
3712	maintenanceservice.exe
3336	OSE.EXE
1912	DiagnosticsHub.StandardCollector.Service.exe
4996	fxssvc.exe
1664	msdtc.exe
1928	PerceptionSimulationService.exe
4924	perfhost.exe
4028	locator.exe
4584	SensorDataService.exe
4040	snmptrap.exe
2124	spectrum.exe
1172	ssh-agent.exe
1788	TieringEngineService.exe
4092	AgentService.exe
3764	vds.exe
3208	vssvc.exe
4300	wbengine.exe
4424	WmiApSrv.exe
4828	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6ebe00c04a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074afe8e8caacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005fdf6e8caacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084fc15e9caacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ab1c9e8caacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009763bbe8caacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3848	elevation_service.exe
3848	elevation_service.exe
3848	elevation_service.exe
3848	elevation_service.exe
3848	elevation_service.exe
3848	elevation_service.exe
3848	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4956	2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
Token: SeDebugPrivilege	4172	alg.exe
Token: SeDebugPrivilege	4172	alg.exe
Token: SeDebugPrivilege	4172	alg.exe
Token: SeTakeOwnershipPrivilege	3848	elevation_service.exe
Token: SeAuditPrivilege	4996	fxssvc.exe
Token: SeRestorePrivilege	1788	TieringEngineService.exe
Token: SeManageVolumePrivilege	1788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4092	AgentService.exe
Token: SeBackupPrivilege	3208	vssvc.exe
Token: SeRestorePrivilege	3208	vssvc.exe
Token: SeAuditPrivilege	3208	vssvc.exe
Token: SeBackupPrivilege	4300	wbengine.exe
Token: SeRestorePrivilege	4300	wbengine.exe
Token: SeSecurityPrivilege	4300	wbengine.exe
Token: 33	4828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4828	SearchIndexer.exe
Token: SeDebugPrivilege	3848	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1524	4828	SearchIndexer.exe	125
PID 4828 wrote to memory of 1524	4828	SearchIndexer.exe	125
PID 4828 wrote to memory of 2396	4828	SearchIndexer.exe	126
PID 4828 wrote to memory of 2396	4828	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_ee23478d9ad041844843453d30cc11cf_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3712

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1416

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2124

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1524
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
40ecc9fe6f4761aecb6340316915ddf0

SHA1
24d00da511e36d2505448b444f398961225144db

SHA256
2ab955c417d860cde1d5751c2ada0958f5db5d6b3a3373705ea240842cd1dc0f

SHA512
dd4773255ebba4dec188253cd66d04ecb6f47773a5998d9fa09f8bf4ead5b42c4891618af9578690e01ce6a73377f79cf3f2ab31a56da582eecf3561d20b5952

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3b629ca0144b8a320b4b6d29d96bf0f3

SHA1
c05bcabef516bdc6ee17d434922dff158a304cbd

SHA256
398bf11d6f3628b4858e14ef85fa3e7ff8c7f06c707d0fb95fef83d966ed8e37

SHA512
4e2959f46e0daa170440c3162138b7916bad05d8dca6a57d8ffee748b836159642a058fef568aac343bcd34a5f282962c8896788178cabd6266e275c0b890e32

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
796c71226f7a63b102ce862ae354e9f3

SHA1
102ccff9efa66bf82a9f8956230f7da6e05987d2

SHA256
73dbe2bb63471da65c61b3a7d3b17c6f6adafc9ca857a9cdc8a90bcac66fe69c

SHA512
cf27953e684b036eae3c83282370478b5c135f1fcb3cad49a51908d41a76cb20095279eaafac6bfbf74a2f11433909e25f951ede4c37b482edafc63d298d9d11

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
49983313d09819b0873d949b1257b124

SHA1
f595f752121a5dff6bf6d8598ea0ef842805d3f1

SHA256
8ef04b63b77922defd3ddc3628bd1ecaef7db22b4b7cc972f874a3f8a535591c

SHA512
fba1e84ed13b0cfedac4dd3e044a779c327a7fa71335d7771dd9436ab8717f8ee6f6b7bcfbc426f708325d3787f9d7dbcb05c0dd51fc6bf49046042c5ae2c6a9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
63f65569eb19c5b65d15a7b90a76a6e5

SHA1
f98d0dc4707888c384dc32bc190b4a89c28ad5ab

SHA256
9e34606f1e2d3fe4d9308948dc9b0660e81fb13cb00a43618843b62949f7fafd

SHA512
42c411b433c74fb9ca35097276682c915290669e573c0b0f1550936b7f65a4d4a4855868d4aa0eac32b2c00be8f905bb8dfe9ee083ac255ee785a82066cfba58

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e89b516a2b6fe92c0118c61b44ba2733

SHA1
12a8b9759d3f28c77aeb2ad79fc71aa259d08d59

SHA256
3c00a5b6d0c03226e1e8a77a979e0aa77d5b842102474a07aa10267bd10e3914

SHA512
13c045d688c5ec9993f34425fec1023eb6cea751cb7378c23953993a735e0109b321c78f9856d90bd97f5594c09e5c5f1c3f171134c25082f8db48a8f784319f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
45de8c654f258ef052e28fca4da27e02

SHA1
770eb6c17c5634087e86b515996001239ea85310

SHA256
2d8b8c75f5415c8757281da361738ae68ba8e10490533ecd91aa657c01510523

SHA512
9e32681d4fb729578113bf4a69381707f3c38e86ad5d3e8d58e690a6ef0a24d16a473e510ad6e8f20d60543e2c40b72a33f35aeb36eec1eff25cdf988e603aad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
675efe2851a86bce0129a1b4c1827be8

SHA1
bd41c09c548c27078c94a67c9ca6f42fa6ed880e

SHA256
5ea1a870f7589511b304822952602adc047ca5376b1ca3f8418701732fad841f

SHA512
a7de80be833826ba7f9c5c15a460e88d0e4b95691c6946a2505be73f05644e7290a422bbd6e7747de2021c0eef803cc408af679dfc41ea874ea998235455ffd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ed1b4a80fde0ca22580bbe9625734aaf

SHA1
9db447fc1c89ac39cc42693c2d423da9dc4ce960

SHA256
26f29ad5d0c7cf190a9efd8380ff574d7862c7a2cb53f94deeadd54fd991734b

SHA512
8973ef386dfe12d8beff4b873fe89eb7c0e91e6eb96d46f2176cedf6a43a9b3b4c010fe4aedefe4f44643987979e0aaa53e87301afe5aaed70cd03c9346e5b43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0a26b8ee9befb9663cffedc67e453b18

SHA1
240be832635ae78899d4e5600c6a5f9be58b4a4b

SHA256
cf66e6a4e4a70d828f3c340610e9dc3388b536d913ffaa666c318494cf11d9e9

SHA512
1dfc0be03fd4540a315e88e3187fdb368fa4012d964899c56df8db4bcb931a504c959cf7bb6b9cf66816570784439eb8980c3b975b78f44952190aa0ee69e3a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc395ecdcdc682c0b003a02923ef045b

SHA1
2e91f5b767730a7059ffaddaf2905fe01079618d

SHA256
21485f4ae42c6bc96a18926326a43c7a0cfab566c8f5057d582791d20013e79f

SHA512
95bfb03f5d4c04372c1b57f3307097688b8ad4a45acf0349325d1e7410ea9729480a8c1bfdffe6c97323f777c403076bb14d692e4a67a92ae6ea12b9a5bbb82d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a45ec285c53d8db1e1966f87cfd32670

SHA1
cd8d6df81fae7b2d877499ade0f45c648635e641

SHA256
93b695b5f95b0ab14f841a420f50ba77196ab6bb557fe191855cb9da8f4f743e

SHA512
3dd49c7d7b80c635f6eff244bc24cbec0254319c4a0bf0482af1c5a7f3e13443827a642dab3012dac815be430dba72f26249f286e89efb1bc9e7d1ed0054e0ea

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3838068b8c50deb20304e2aed7687133

SHA1
beb875a16a35110265a3ff1ab461b75902594576

SHA256
7678f9cc746e391294cd7568dd03f60a8b0688d35fca1e331b89c8efb08e567b

SHA512
900c494dc32e78ba330ffa9089984411d07f719cb6df360d9f0a5ee9972d01b04ba89ec576a920b0b2581cbce4a4f9738c3afc107da2713f2175576e84ee4946

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
2fcd0dadd5afb887e56388566d10167d

SHA1
2774230ba7d585b2759e83171bb083a33e643bf6

SHA256
b52d9ffa798f1c1680c381c035dd32553261e2d774f90f6c52f51dcdd37ee20c

SHA512
a74515693851aae6afff247a3bedb4e2bb3084a6965345bae3fb0336ab50f1a71dd1ead0b12d96dd3a89d78a67407b9fa8a02384960ef1d58abb54e8ef36b548

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
925d7c4c18d38284bd4b6daa342e42c0

SHA1
40befcd3eaf38ed0c3df36386f6f265a99a75828

SHA256
fcd40b6e2c09b0611a0a5f839e88944fc2c25a1b809374054270a611ba7c0724

SHA512
a105b00762fa3e5063ee2c0ba842eaba729d2bb5e4a0b360f48da8c3b37b28e81833398b17417ec4b174bca05d4554dbb8d76e22dc8a15d0c38d4b6dbe4dddf1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9d7c46de75026d442a71f587e84d6b33

SHA1
1f79df931db481e2ee121e4c38333ad021b37ca8

SHA256
e647195afb5e15252021360476098be9e3e0f14a892fa329a62d678d54fcc0d4

SHA512
2136ca20f46ecb56e19bc1a5322ccf1ac459030a967f8a5f2562f9cf205312491401f6d93887f9fcc0ffd94067164c2dc99d3edaab8257bff60273c059e8bc0d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b64a53a6be56c648970e57c219afcfae

SHA1
1a59a5d9c5d1b2282150d8727d9c5b0189d1bc17

SHA256
483aef2ba7e91b87935fc29cb17323646984472fd0f771ddbb314c52dce93ee2

SHA512
53dc0fb00e9badacff1b1a8179ffd24eb3b8121306110ba55f05fd3ab469d3ac4d88c33747a42c96648fef7bface1ebf137b923533d3721643a7fd396d6c65f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e8831a68ca88a25244795644330332f4

SHA1
9f70a09f2bd1c3e40e75c9733fbeeb559af323b2

SHA256
8a645c900ec98ab3fdc171a88a1af1907e89124f888d7607cde0bb274f15977e

SHA512
37e9e1aa61235b371757e675ce50da7f6bc66ad1dc698d6d4b42018f9f2ebe95fd3125019f632d7f549db1923fbcb1d9bf2ff4a30cb8906a74abcf6e9e734f48

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
300ce76bbb106252af65c384ddde729b

SHA1
e2be8775fdb42259614226f631ef0f5ce3ee137c

SHA256
bf877c549ebedb1fcef6cbb6ab55cf7af86637cf21678406d2137839755c2164

SHA512
535c86175f49929a6b2ce41a3d8f3b65ac183f0c14df4247668fe3e0b5289e50cbe8b6a003ed8b4bb67a824a83ab9c242a5bdaf8313c0369c38288209353f730

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2d0f5199d7a78a7002971e4f38d11d5b

SHA1
cf233926f780753f867a8e03fa6386dc672cbf51

SHA256
fd85332865b683028fb84b7c02ac42b22ad31d3e6e15ce890e358eebe9dc45ae

SHA512
1c5a867e3b4f277f8019fba11bd5091a71f3c90cf8ff431ee50a2cab520b70e83638fe10e437aed2ae24c970f0057bd4203d3b102cb6c6b1d4c6a7fe17146b86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a09d6a172e2d90f61ab1ca8a2ecd0076

SHA1
104bf858200253117d761bd43461f7b1f976e544

SHA256
41aaf13b28a676f79fa9b2539d59a6a5ffb787513d35979cc3fa992b76454f61

SHA512
b2f8e9fd301de7350e9a1ebeaed7338957c457bc6beebf79d6aa5cf63fcacc059428008f199274eed148d3274756c28fabd4531e8ee8719dac77158c32404601

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
789855dae1a23d5b2f01f48515ff41f5

SHA1
e4783c3aef9bd8e5020fd9897de458ea63cb5de7

SHA256
322f76e4ee8e1ff7517dfd9cf2b37158b8f114b65a624ffb4b4f7dd4d1b263e0

SHA512
594e3fef28291b239aba1e0eb5481bcace89aba4540c1ef9381b0b2f84157f1454339b6536f4b71bee968f980622bf8e1fbfd0b4c27b764eaa640d63c7c5fd8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
44e43e6ae3ed2116d9da2ccf01394a06

SHA1
804450a8c0226246ac17200b9c67b7581f38e692

SHA256
86fc248e3877348e8a779649f9c40a74225aaad0402cb3f975dad8ec26e9b02f

SHA512
0ca05451085eda6446f6af8bb5f4449617e16c6af30eab0152a60e8185e5dcba3ba9e7dc9781762b753c6674a80f4f10779fc4a6d60abd4e8b597cf3fa8baac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
10f4b846d65d001d2926f6ba18097b68

SHA1
12821917b4fca51d2fae37ac408ad7b5cd702831

SHA256
29dbb3c0c22abdebf1f0cd49b3db699c750a6a96ff5850d65efe7c96f6aada23

SHA512
804bf18697205ed9cfb1f610eea5ae57977a7678084f5cb76766d3ed153a5bd5fdc7a5dedb17da368e7382535be123224eafb1ee9eb7371fa5456b0172ebf4dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
89f92670d68a3a9480b95477df7ca132

SHA1
00999e5abdbb2e605db52c3b056fe797e186bfc1

SHA256
7037d47ad0b180dc68c70d03471522405c058a06b6340880c3a21050fb78013c

SHA512
852be1ddf840a4af9e7f83025044bce6250de7ffedb07c23cac0806df8f20e5e87fc57aa7a39a87b6dbac670eefd59d42e6f07989b75eb26005b3d66eb8a2b53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f4ef5db61685e67500d053ea687714ae

SHA1
f450bbdd874f7eec97c173be84409e5dd72ca52a

SHA256
f238ae66ddfd11acd829b77deb604a5a0805c1d8d5abdce3a55a3259e12e0696

SHA512
dccbc7ce5c5ed53e0648d1650adc741e4454c93c58a666903b8f13b958670af49117c323ed9cb176b88c7513e1a33007d0c771dfd9b053c7c057aec0f4fc7d09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5e979072dd0017e9fb3d455172ce68c6

SHA1
06b6fd7b1a79fee56186da67b3bae05a4edb2813

SHA256
f7d9ed4a395eb76be2eb90292157f4169e832099546fce945a2bdebe7dc5ced9

SHA512
e957331e66f4f292c596eca8c4639457a949d57b2a2ccc57ac1e13a734d566ed839ac7c3e44ce0837f27245dd18a7edc5a674e945651b371a24d88c052174b0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
56b4811610ef48edda63a0d241a6c729

SHA1
65f44d0598947389a4cf7196da7a5bfcf8e39aa0

SHA256
6cfdbe96ecb9458191de48ac6ec68ce07059bf9197d59fe71a311b32fecf286a

SHA512
0d2cd9aaed1f5d4e33eaf1aa84aaa827d41e31d831ac025ae86c127035bfd81199deec9bb7efa2a6599e99043beb44416e15ad302c63e30905c38b1547f8090c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
1da4cdac3868813b35da256ecd88ef7e

SHA1
1f64913e3fe526c624c2f514e4811f5db2347f9d

SHA256
78dcc051d0360b31ff75f30063d0ce2d177da931f5b7addba1954d63f4620668

SHA512
2291d0af7accc4f207869442fddd91794b860dfb5aee7692193802343559d4f5a7d80128cf64a9ebc460330ead553f5479e6303b6b3d4eceacd3a085f014ac6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d4f250e3b3f077db80e470b6dbd4cfb8

SHA1
a22adc99ed5b2c1f00c251ef6427127187c64377

SHA256
36dc5ddbf94779a34c0f13c294c597fc12916f4bbbbb88d7aa0d90dd691e9600

SHA512
4bffc86ece398a73027ac0887fec6c7453331773e48204dcf73c7f688930c3d5ad5b1f16a51f86cff580b0002c72cc6c7e1e3db362a278f0fa81663037968bb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
0b2013def00e84df2d76b6048364881c

SHA1
694e1639632dddcd2aa605596e81b38b4121679e

SHA256
184a9580c7de0cb22979f7854147467fc689b4133b88b307578574e200402821

SHA512
852d49e42072981144f96f3bb4fee77b630103ed98328167a6c1c61097a4b08b342b906f73e9037c06b0f199d0b502bf561fb593494436b1620c65dca3bd4854

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
49782cf13d69450485c1341ef22bc868

SHA1
df2bba4768d60e12bb0dfeb15f8b3eb1327017db

SHA256
c1d0d77f4983f7dbec2a3a3f5c2f1b93e5cbdfe85b6701353eb70d149431be00

SHA512
91b6205e01c1bdd3a315679f1e95a5704aea97422733020e8a293bdffcb481885a676296a46d55712c2684750c778af8db751c9523668ef1c4bdfab2357b2a20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
98f7b319691d2fb4ce0617f6423bab51

SHA1
4d0215e14a3055fc959320ccef0afe10b02c16c6

SHA256
2c742908bc7507fdf43d0a3b88a74615f11aff6d9c2c66c8f98b3046161848e5

SHA512
0717f876359103bf9e01736b5258ec75e6b279749b0ad91b3b1e9b99c5f2905c3477d6dc78495279b8cad2b26de409e48817fef681e872a5dd879d7861dd5348

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
df6430f7c8e1a23bf1389b68671aad5f

SHA1
ae17d19b1e768c6ae724efe829cc0309c7bacf63

SHA256
5fadbba20807cae1d7ea8c17d0a954f4a6547a16dc423ebcf9374024ed9cc28c

SHA512
aac85bf4e1fb6e950f115b62d77d98e803ad71eee7ff056b1545bbaee53034720101f85a84169f1c53d906bc9f1f4739b0e01b2fcb4194023047cbfd76d1cd8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a7ad62768f0ab8506dfe370b7a694770

SHA1
03bcbf74bb5d77c0025afc2310bf2a5dc9adb6a2

SHA256
edeeb5bf812fdc9d48c9b8f1842216b0edeba2a85ff8ddc434c7f7b6ed564663

SHA512
e9726b1da7a6987b8b60a54aadbf5bc6674d3e2118798e9291894ac0571696da3dd031eaf42c4c813f5ae9b7c014a7ba8f383bd5ba8627bf1eb3a4800ab4298d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f927f4054e2cc638add0b18a8e3811d5

SHA1
65b5f1d9327da4abc7c056e304e32a325f51dcb1

SHA256
77e6923a4334a8eddd0abb1769133c60bcfab82c813d40e7551202ba119122c4

SHA512
00e5f6e1c88f81d1b633aefaea06a0f37071403c4f677056dc18b5dc69c1739051e3de3246f9af190441bc698c3526766c839b99753d236637530385e600e8e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
8fbdd40bb981f4ef1b7be4532de299e5

SHA1
f856296cfba368abd8d2c612d31522a368b5bd6c

SHA256
7a1f6fa3417541fa1b914b981726eecafc729cbdbd3e8607943a1b94ac5e39c8

SHA512
a43f285bc9d73c21de1db2c85f20319e8e025f99af3995833753eb26d5a5b2c4fc2a63e479be56259151affc4440c27c9f9330219f6723d6e314c3066c1358a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
17a41607455ddc095a47b489c41bd428

SHA1
b03c7156c694d9e536082cf8caf17ed1fca1fa3d

SHA256
8095439bedc5c8ddf26f112c773edce901b92f58ae4daf50ea541b3e2fa1c9fa

SHA512
c8b5e30340936bfb93b3c5c7c1561d1ec2446bc88bd4478a64ce020cf315fffce40eb8856feb81a0dd3690a39f8b3c38b494e2ec842478940497ef1c0dc0aeef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
ffc0378b37d1bde371571ef0fec54119

SHA1
04d207847d512ab71865828006a2ec0fe917d732

SHA256
bd05ff9212b2dcacae0319ee6381d14d04ed078d21aec5cff85815a9e9f73605

SHA512
7174bfe91fa892a7c3bfb33caf46a576ab8f00f6915f2f5b2844540ecdd82b5a521d2debc462c565031e83a1e6e9d8e1a6d55c97269303718a703706c1eb956b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
d1c153e55ed104abce73aa61bc3a7306

SHA1
690c200622014e03c97fffe090b146567b451c1d

SHA256
10c50cd5c9cef79dbba97d783091145678dfbd0e589af57b0db5f2e1a033bcdf

SHA512
b3672d9b8067abbbfe4f6fd6f208284f90ddbd19778e99c3d7b9476f8aca8acfde5d73b791969781cac26240cc35d1d32b835111a82ed051c376e59ab81eecbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
fc387a4c3202ef974bc2ea5645e2a3ad

SHA1
d8c81015704bfe57fdcaaa879ac9267d9b3d17b0

SHA256
eca3fb13d7eec22eb0a2a4b1a89742c04a1d493817d8fb3defdf87b094f3b216

SHA512
ee3e3333fae09bfa798163dd9079f889bea86696b1db39218762b5d39d93cd5acac1059f28125bb27087cbb9a3d666a8bc3fa29ed5483eba67c54d3fc177eec6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
cb2759411a7017104fe86cef9712c417

SHA1
e67f305db879279134255f696f7942c48cf7733d

SHA256
7fada852cac08a866e8ecae5530f691a758f105a3a818239b723c087305b9cfa

SHA512
19b3acd8c18ad3100a025ada04044c2286c60e1108a713d34b57c914d54f9e58f2615dd8a4b1ef3a7bf57975448140055c4fe05b7328f5365b30c5c831faccfa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6e3d4c5a8349ff5b576547b05bf17b6c

SHA1
dc0e52c0b68bd0928186523c4a4b225dc2e27c60

SHA256
8e7723a3243c0885fcdf374a3a591f43ab0c2f451f72eb9fc52193baafc86d6b

SHA512
311635dc321301621e022f43d379e54cc9bdec7c362e67451e86e98cad42e4eeac8ff72231d6c57a5c947308ca9193cfb0e212b8cdb1aee901e39f01ad1c23bb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
36d547d4b58241607861671925c04a5c

SHA1
6d239d19c1e885878b148a7a958c9906e853ab7f

SHA256
c927fe461c7e89ea4125389b3c065ba62c6d00fe6d4eeb12394848eaf8041b84

SHA512
55e7fe2cd56cc440b2178c1640a883d08853192f7128204f7d7dd1f98e5a053691784f252c176eb4e42678c4821b17a9f464af87a5c60422bbc7f1890cab282d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
55a1360154507b2a2563895c5df3a2db

SHA1
99e5f9ed01f24c00e80a343d7bd46726fbf60c1e

SHA256
5988583d616d76d171d92a46fafbcdecdd1eef75b4e6875355bf6ef905c5c8a2

SHA512
abe0f3f6cd5ad0aa89f5aec531d501794032c5e79ae181f68e01c7a76ab42a7e2fa6fcdcea7565891b93001c677bff32e464e5b1d0ef950c70aef6675d4b3fff

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
269fb1f88b2a90a834c7bdef0929a412

SHA1
6bf4fd09ad709c6141e129c789da3f39b029a24b

SHA256
417e261c6a34a62c1fdd03a2ce251ec1af9b18302fd71712087ecf2959979360

SHA512
b6c5ead754af11fc3018272a50d546773c59327e30d92b5518e95bc3ffca1f2de6a9328ec7377c5650fefab73297f3c54b89b587656c3605d281f1f1653ebf9f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
893d49f37932f01a962eef70f5451f22

SHA1
e834c307b3ac86de6005d3c04fb9f4f8712c82ed

SHA256
b07d7dbd5b7cd9bb74af6b7da3836bb9e57dfea5913a6e255063c73b6a385e34

SHA512
bf8ea085fa6f71964688b4475da6bbc2084266e03207704f12bb648c800639ea3f6256d13fd115930f92f6ba7a0219e16665d5022d7d7cde25f40c6d472d3c61

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
88f4e378014632c1564600f89a58d465

SHA1
cbaa9619ad9161f83ac331851b862ec0eb846af8

SHA256
b3cd689d3beb203391a46d7e091a44f69461ccb25b29818f62fcf5aa65d4e158

SHA512
f762e0597767be91a54c88109f91628e93af5b91c99b34f06c87d66b1302b75175ebd37c7a9e3ef1e24147e69c0a026e08cba73f23e555ebd3222a805e51ae06

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
825899dc321ed4deb9efd2063e7edb98

SHA1
70fee67ecf23f58ae57f48e1ae7a69245620dd35

SHA256
cf6d1ae5f8470abf49017887eed81ac4b8f348cca0e3521e68a9748e80b9d7be

SHA512
e9db066e5249caf9073e04040b84312c3692fd99415c7886a4e7c2add7058ea6ba72450f0f457205466b31ae7d17a0bcb7f5375352f1157d2f86006a84aa0992

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
46a3ecffefa4ad0101c84d8b6e4b42f1

SHA1
65baf6e08d3a61d82729785dbd573c2956e3313d

SHA256
e4b8242c1cbd53a1585149eefd70cecf274698257e3395860ebf6ad02ef2765b

SHA512
7f0316a91eadc3d794cdb9e8daeb78f2b8f2ecfec306b95ced78ca9bbd28888b989b0a36db2deaeb243cad6b5e696354730e071d4f47fc4d69dbc8bb20205015

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
be1f74750ec23ae8dbfecd8becfeff89

SHA1
8427b2994d90c8e4a351796ae638b1d2050b5e3f

SHA256
38fabadb9e4b9527ef2ac0c5b4626b7be2b66fb26fcba1f38df452910d5c5cf0

SHA512
d84456f21abe4b4a0afbeb3f87db119e000363ae62537cb55510f87a90d3650efb594f08cb6f1c1592f2af721722db712c4775315b527d49ab560a7734ca68b3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6af87472ecefebb2d1aa9878cbef5a13

SHA1
a9819b03e40552482ab9762100f8cbdabfba5b75

SHA256
084341def9df811bd2201be97feea988e0930c48284658e4b14aee3d6b4b791c

SHA512
63ad43e360c469dff60a668a52b099d5743c660e3c37332fa51c7177c2c5d04c6f6677212067b25a9970842d471590f8150b39bef1fae636732c8e6b1827a891

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
dda5c0f9af60ccd57944fd05a7e9617b

SHA1
74bd264b759905f5b05fd2602dd596437d00ec0c

SHA256
db705558d56fb1f1fe672b104709b38e5fe416a32d5b82b973bf144dc6e7ce8e

SHA512
7d22f6b58e4f323f3be9e93b3a213de5ce9898eaf9f1d7c55b396930bfaccfb7d252f07d2d07cd129e67eeba09b41e51035b786f23cb723eb776dd285ede86c9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
43ac31315836692b3059fa26f6f71827

SHA1
70cfb3a70afbeb56ca7d66e2dc4116a53a4f4dd8

SHA256
742c40b16fab69a5d66ca290b80afd52c6775bfd3502b594e80ee3884ecff879

SHA512
2794ebf4119c5ff23d4c7eadacfe950575ecdb0be668071c7ccb61817422aa6e2cbc31702da5afa8e400422ed0a8c7c6380b9ed5b2409c3284e7ae31f88c7cd2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
49050dcfc9ead1c8cb24973c06d9407f

SHA1
d4c4d0fa13aa7d6bde39c982cf0cf0396a46b098

SHA256
3b116146bc6ef4efbaa680ab17e439075451e43ebf141d02b16ce7fa02f85785

SHA512
26938f79a60b0cd52b295e8c4ca87c0d1e99e911913aebf3165fa10151efe4f776b952d94756eb87b2259909a584c2ef4ad84ff810bf5cb54afe9a3678b5293c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
1145e45132b07e5a48bdb9b4e557918d

SHA1
54743bef778dd1a407a9fd3f8c9174f7ed4f059a

SHA256
9b07d2b16c9261ae21712e94ffad771bb118089bc469326ceaa91cd142202656

SHA512
9e645bdf4fabe31635102d51df10e5b604fb8edd5cdb7d7925dfe4524d59755bd075bb2d307b58a45111a6bbf936ed496d7b966c7e4580600159864ebcee922f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3336b0cbf6fd9664322c62ac094bc5be

SHA1
67d7dff2bf697a9f71995acf43221e8f9894e85d

SHA256
bceecceb50981405e62e8216e15188b6086987b15916ffd8a6654b03df1f1b98

SHA512
a23c845cc1d3c4d2d0e004dc2ef8aca412e56025e9854b0e439216e1cbd5d443f7cb2059748175e9226ee00ffc06d249bed173d627d5c4276f344297dbf3d8cf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f50af3e4b2eec97d8ff531b65de94b0e

SHA1
77449707815b1e7ab85e30df8b74a3e31f33f924

SHA256
ec3fef20ce5e45034d8591e03f3dcb7ecadf059db8673f60c1af619b109aca71

SHA512
4728dfcdbbd19cfab5c307c24fabb36276a3f7f21f040333c99d084f5a6b5f5ecd4a60417b2f99e2eda29074b7d92f5c18c9593d9f4d6ce473c689037b6b1913

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bbb08d150c9659b2c696bf75202e88c8

SHA1
31b19889777e4653fec5414fc8fe1f95f6c2118a

SHA256
74812e0f0067b0e0b5597185295b2eb7d46ff9876ca09a94a37a6dcf785405fd

SHA512
e28488ea032cfea6ee96b2d86635b9cd9e2e379b7018f672c19c0f441e52c8dca294b4ab5c439907757f6808e2ce5094f718181e1ddec4dabba67439a4bb7bae

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a280cbe4ed933bac7a8834e8a6cbb2ec

SHA1
3e7df7236d6e07a1b48fb9c3b6d99826b30b7498

SHA256
b2b631f33a86e6be96ce3a0e9652ff96a99f26f9cf422e4071568ad4596b13d6

SHA512
37af39a8ff538877d4af16e28b1df2cb19e6d393f6783bf925998491ed17fe5c86f32b7843c688996f3993813d3fef8226a6a9a408753241611d25cddf2cd499

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0f61292a043c384d413faa8bcbfab9df

SHA1
a7dcf628a61ade182a60c5d2f3066d4a31036c4a

SHA256
a0cd7650c315283d9faebe4e61a4fb819728a2a6b47b123b369098518e32d466

SHA512
1b7aa4fbc3b6579d9e51097f286aa238670bbb5d9a8b0003625a008e117562a259002dcc691233934e8b99c833903538c5e6c28defdce48aa02b52bcdfb647aa

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ec381d31f2ee57fd5bd071c20002c94b

SHA1
9fe7fe7883fde653a2b26861bbfe8f9524210167

SHA256
3e29a2bb57bbac896cd4599daaf0c676e0428e03bea9392635f678e5c8882f66

SHA512
9d471b3f1bda7ffb36560989d808076a330d7fa962ee6964e6b07e02e85be40ab4ea73900bce1c13edc20f262fe7996122bfefd4eb310f76a8cca5772aa1622b

Download Submit
memory/456-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/456-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/456-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/456-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1172-604-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1172-347-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1664-269-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1664-384-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1788-367-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1788-605-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1912-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1912-246-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1912-254-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1912-366-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1928-295-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1928-396-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2124-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2124-600-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3208-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3208-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3336-242-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3336-70-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3336-77-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3336-71-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3712-66-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3712-63-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3712-55-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3712-61-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3712-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3764-608-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3764-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3848-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3848-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3848-40-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3848-31-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4028-301-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4028-420-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4040-327-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4040-517-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4092-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4092-370-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4172-238-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4172-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4172-21-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4172-12-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4300-610-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4300-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4424-425-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4424-611-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4584-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4584-603-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4584-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4828-434-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4828-613-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4924-298-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4924-408-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4956-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/4956-8-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/4956-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/4956-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/4956-28-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/4996-258-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4996-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4996-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download