858dabdee38151a2ebe4394a36953a1982dc667f6ff43245d44b5d78027752eb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_5ded43f3c3fd090198b375ca1a778dec_bkransomware_karagany.exe
Size

1.5MB
MD5

5ded43f3c3fd090198b375ca1a778dec
SHA1

1898d92336a63a470ea7281be3f051aef2645805
SHA256

858dabdee38151a2ebe4394a36953a1982dc667f6ff43245d44b5d78027752eb
SHA512

b27eb145fb85309428524449d38e0dbb63dadba9e3afaf993a0688173caff01bfc2b6f671b476026675386721fcee9781153bd618fb85724407f5b770f948f89
SSDEEP

12288:GvXk1yfgus8fju1doi6UoMUf4tRnT4SaV0qeLzSmwwY:ak1yD39MNTqV0Jxw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3516	alg.exe
3360	elevation_service.exe
1668	elevation_service.exe
1176	maintenanceservice.exe
684	OSE.EXE
2396	DiagnosticsHub.StandardCollector.Service.exe
112	fxssvc.exe
1492	msdtc.exe
1924	PerceptionSimulationService.exe
512	perfhost.exe
3644	locator.exe
1900	SensorDataService.exe
736	snmptrap.exe
208	spectrum.exe
3304	ssh-agent.exe
4616	TieringEngineService.exe
2976	AgentService.exe
3220	vds.exe
1140	vssvc.exe
4224	wbengine.exe
1996	WmiApSrv.exe
2292	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

elevation_service.exealg.exe2024-05-23_5ded43f3c3fd090198b375ca1a778dec_bkransomware_karagany.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\21656a8db4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_5ded43f3c3fd090198b375ca1a778dec_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_5ded43f3c3fd090198b375ca1a778dec_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cad89a4edacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ddbf5a3edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000729f19a4edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063f0e9a3edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a2823a4edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ffd78a4edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005152eca3edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d63c17a4edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023ea65a4edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
3360	elevation_service.exe
3360	elevation_service.exe
3360	elevation_service.exe
3360	elevation_service.exe
3360	elevation_service.exe
3360	elevation_service.exe
3360	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-23_5ded43f3c3fd090198b375ca1a778dec_bkransomware_karagany.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2968	2024-05-23_5ded43f3c3fd090198b375ca1a778dec_bkransomware_karagany.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeDebugPrivilege	3516	alg.exe
Token: SeTakeOwnershipPrivilege	3360	elevation_service.exe
Token: SeAuditPrivilege	112	fxssvc.exe
Token: SeRestorePrivilege	4616	TieringEngineService.exe
Token: SeManageVolumePrivilege	4616	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2976	AgentService.exe
Token: SeBackupPrivilege	1140	vssvc.exe
Token: SeRestorePrivilege	1140	vssvc.exe
Token: SeAuditPrivilege	1140	vssvc.exe
Token: SeBackupPrivilege	4224	wbengine.exe
Token: SeRestorePrivilege	4224	wbengine.exe
Token: SeSecurityPrivilege	4224	wbengine.exe
Token: 33	2292	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2292	SearchIndexer.exe
Token: SeDebugPrivilege	3360	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2292 wrote to memory of 4956	2292	SearchIndexer.exe	SearchProtocolHost.exe
PID 2292 wrote to memory of 4956	2292	SearchIndexer.exe	SearchProtocolHost.exe
PID 2292 wrote to memory of 1988	2292	SearchIndexer.exe	SearchFilterHost.exe
PID 2292 wrote to memory of 1988	2292	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_5ded43f3c3fd090198b375ca1a778dec_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_5ded43f3c3fd090198b375ca1a778dec_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:684

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2340

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1900

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:208

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4496

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4956

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
6f0e36f89ac9048c39508740b219360c

SHA1
0f95c3b2867374e52f5b3b4c7888e05eaeac0f0f

SHA256
e2928cc04c08ec7b567a0f996c0eda3ba6f8a4583fa13ed4c44d075e2039fc91

SHA512
188a0352a4e39a4d710512f6907dc6e804abcaa98584a01092e8bf85385b2127b29e7fc260bd6fdbd0d919f33be982455604597f595a60133c2e5c3671f55b05

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
ef6f0849ead01265f9f062773bfed82c

SHA1
ce5aefe61f63e00d7cbebcee795d8e7c0c19d04c

SHA256
9a639e0e2887d2058f46c2b656f0732c851a9b213caa7e528a58caedf6b4d818

SHA512
a695d12cb8ac391bc30d7c6ce3c5c308f1cd3c227d2f0037fb632cb910411be7e747764e2c36710114024750c6240f33330c14c3a56e18692b626fb317927f16

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.9MB

MD5
db7173541cebca4f7be5c6785d8686df

SHA1
ee57ac05a354c7e6dadd791f5dd2e390c5a659c2

SHA256
b958f68dc2f80db21254f38a95bb436ccd5d9c38d4327722944fdcf05ebfce63

SHA512
b932ebea9e155918fb79c274a8bb0df8db07823a20127191fa3ab9144b121530203a13a22524c5a1c810a7b7b11c1281ae6049d8d79e9dba76930fd752c6f256

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
30f37e9e7a3e6cd024ffae6dcc5d4b8f

SHA1
39f47e4131e81a6eba8da500d399f7e49a7c0a8c

SHA256
d48ae0640058f10b142491f07f29b6b120f24994da49f9dacf6958ee3fceeac1

SHA512
cfeb22e5002f9f01da1073a37b1a66f6672909f5da933ce649eddb1f2dbfbb3153dd639a7d1c45e429aad00f7f2fb8f5beefd9383f42d4f27c7f0fae24fd6f37

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
b78d4c287ae4820f20f49ce850017a30

SHA1
2d8778cd302a333eb22296843b34fec212be52a4

SHA256
3c069843a6be9e62342a9dbe2eb2a362442d9004ab973a2010f28547fcc1a101

SHA512
7c7e93cea4e67731b2983dab15eda270c8a9ecb8f8d3a855e2981e216332e65c1583179e7e984ace074320ad2ec42fd3b054735e4e1782e7482ae3171e7b1662

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
50030bbf4ec0612750f2463ff1d36c9d

SHA1
bcf978f7ace53ec90eb2f4585279178ba5dbe4cd

SHA256
f370eec9502adc243c0c537ff6cf59b953d99301b11e702d1011734e28d7eead

SHA512
4a7adc331efbe64243f6224e0c8a80825c76043a834884d8c95b6639c4b80d4b4080aa8a2c3b91f1fcf47fead9d796dd9cf30492c348ad813e975b5b83b46c03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.6MB

MD5
971250bef27907443ca281caf0d06fef

SHA1
26174626685b54e0d9f9360bcb2fda0fd44bba94

SHA256
ee766a5703f4f428cb26d49c3285feaf6bbce166080f29696d88244f6bf3c712

SHA512
0b544050ef6e147d3f60051e95a43556dcf43cc8f39580ffee5d8f202bf6837926375e6ba70067790c60e91e2e6e687e2709bbbf37e0a459264854040812503a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
98872ad90674eab3eba1b81630f0f490

SHA1
4905661446e538ac64161b078b7a8b593bfeaf01

SHA256
993a9561291d06be09182bf3c7db708140f4f24d040b5c44bf776224af15fc2e

SHA512
b1473f8fc047ed86b3687dc56fcb0fb6c6f92853984006d76377f898d3ca607a74b321b78623dc80135cdc05de7046cc86724dae2ada68e56e9f580b899fb799

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.7MB

MD5
472729a41444238fc8494b394745d268

SHA1
3c858e23e1cd69ff8c6d6e8c8ed26a42506f85f3

SHA256
ca79892ea928fad5230483cd32f283be636298c00435e92e9d704bbbf45b308b

SHA512
03107bef06b40c41cc5a4a800469781980553b5bf4b499c2df8b2e88973e772d603b8324729acd8b5e104dd1816298755067e78b1977adc4142eaea7958a00f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9ae09def9807e4afdad25e0d41b43d98

SHA1
22ad0332ccf064eaae794e4cfdd676816f308116

SHA256
b059c917f758421a6b47c39eb051e3ff533b95a57598771707744088ca93c3b1

SHA512
77c8006762ad72988e587d0dec4f6a0354e80aaa48607b24a3173a23cc7a129d1ca25025eea1aa2094433e46342507910fdf640d33a47d4c137c79e4c7513494

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
d25b314f94e668baf7d11b92c8328781

SHA1
a4b00c018ad1e21f5216049eb361944194b4bfe4

SHA256
ba00cf8c5cf54ee10488a652ab6655dbc0d18e87988e4fcb82fa1a272de7e9d5

SHA512
74800795fee3040930a27220108fd005d63395fc46213d0adf26b295f6d7c3b0ed76f355ece8437fe8e5057539e1aff58880eb918df0aa86a1e972c6c381f8fa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
e98a2e0be8fcfee9ad7dbc5d44249b85

SHA1
fb7c46199cb882872ed505e1d92ce660abb1f811

SHA256
9d6c9d2e232a14b148eb457c0b2e3ea2a194e9512686a8bea194fbccfb2a0f63

SHA512
cf6388a7ebb032372a35dc0bf15428b73ecb463d6e6fd63f96fcdbfef4ff7235efdce468179a88421de0c247746df530110d8dd1123003ed146d224b659be77a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.6MB

MD5
21c71f44fa4408f2315df932db29fbd5

SHA1
386c0930879fa0b01ef61691d28c15f52488494f

SHA256
5082e8a0a0a33abf8b998947b3773c6c61d3cd329c37ef5a63a4792df3b34546

SHA512
f3c7adba4681401eb12390d7a3043d3fb528e2b2de80dca330b1d9a833bc4247c3201b152b12c5b4095539ff78aa135bf641ebc9e81b6e7a8da64a9609bb651c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
d7902f08e75c20272611d2ae3e764aa1

SHA1
bcda6e28e2730ed31a593eeeac3ec72e6b0f39de

SHA256
2522bebc3c6f14daee63ee3ca2ad9ae560fec72fccc27f9cbdcdeb7c3ea022e3

SHA512
09227b92983692cce5f5b5ba5758347711a80cd4e889deb896767e1ad5379a4c90212cc738c3297a78a73cef8b2d765072ae124f4e31af720a8c965ed70cf136

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
175af5843e1e26b0e8b44d19ccda6f05

SHA1
5b1522f4bcb76acbe6d6ad2f523e783bbdb1caf5

SHA256
2d9e85ffd995f2ae18cbaf760955706cf3ecac9744034c7d39c087cecbaf323b

SHA512
b7fc6cc1e98e8d9459b597e076d77c4da93a53cc4f6e85de11cb455e5405df1641c3fe1b6c9b5f906ee0c46ab26ee0a13303822f9a696a284c6f7f461329a717

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
202d939edf2fec6cb10744dd2a2723a7

SHA1
6951f9068a1f8791729b319db2f8c22793247c4c

SHA256
3425dda7c3a87e8d768a2fae4faacb2989c859e64ef63495be46c926152b9a6e

SHA512
b5fa68345e6ba686c43b1f966f90b11788851928d10ba25d2954426141e12afc98da0de7a3a3da9e3d431d49716c2a461aa9aac5d984060b9c0de51445bff02b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
5ea8800e323d93fdea3ae70340a994d1

SHA1
72d30a8db633fcc7751c6bb0010b55bb21f07ebb

SHA256
b1c8f3f9a4d240b080485a46b2ee9589392f49f4c5104e8a61cb3213154e6cf2

SHA512
f20e6e97db38a6b2114b7e59c94e0f9fa8739412d0ea9e4f480d535ce4cbb52b44fe4575533b42a8dd627763003212ba1b62f3835ac30922d79acd083300094e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
6655a5333d54186241e4edf2036035bf

SHA1
5beff80edea5e5206e65ef7ed11fa32d2653c54f

SHA256
e5ed1295ece50b6bb2195e72d7fc31950b0f2810b4542ae884acaa73b8a050e5

SHA512
9d8c61188e89e8e53c7c2247e82545eb0263bbda8f986f3a16806fcf857daca472dc8d7db2b3e41c4fb2b9846c8d86768a22f33d8772b9f9b78399b547612fa2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
10b867907611efe6fee626776d021e14

SHA1
ebcc57b0348fd68008fe6e645173cd8d269af7f3

SHA256
dec0af62c7050c6f0718a0352c8fb80e66b3ff86b5e05fca30298aea1981d4ec

SHA512
bb7b449d76cf7b250d4ab84f37d104997c8602ca766f1ab30ea750e848e013625527e5b2c4a3b91ab756d36bf0ef9562f0d57042944744f0d19d4c1c7125fd14

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
d9cb0064ee3635cbc17e815aea481aa4

SHA1
c849ad4c2c1143a8dff6b4ef16166ee4b3a689d8

SHA256
fbd63644c43a36252839fd99217d7e3e18e593b11ba4fd35143ad6806b2525db

SHA512
302c73ea28dcc86fffd2ffcc71d86a01467bb3d6b858739836fd91255d8fbdc3a70e9dbfb45d4ac2a8a0be5c4826814352ddb8fd2f7575bdddea6e74e5636ff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
feb337cb4ed2fcf72e31d4a95297086f

SHA1
815883eb6017e23889872130418cb396fa0ca8b0

SHA256
84ca15fed41e5d994ddc5603d90a90538bef4111726c3dc34d043ec4ca5bcae4

SHA512
0d4dde3cc19a5222eddd00027fc83127ce28f5bdc15c5ac1db3d755f983a47ce5aa73da150b0b3ce2003bcc9813ab157a2d5f900b071d139fd4caf426ced0173

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
dce0e54b61e13f1f5720446f425d43b4

SHA1
4df5b2d431b7b88045ed1e774cdfc40c7364f996

SHA256
6d42a860082aed9b4dcefc16a80e754249420b7280679f317b0e69c642830ac5

SHA512
ea6110b923f1bc7d54e6d43105774d2f45fe7b307ef381deccca42a94de40ccf2afa6b2a50342c02e65a2a23e9a0cdde728bcf42db9a37381a64f070acfc95a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
76512695450215d277fc00e3bd053b6c

SHA1
297a695eec5bb5fdac922c62c5cc8d78123920f4

SHA256
ae965058dc71b0289d17be51eba70c026f338e0be726d4b927e2483fac709c95

SHA512
4f74077d1b1eab8bbc3f55cbb197bad7058c8437408222c267761aec75b7ec5d092459588ad68aabccde5193f3b5775f50d2385ece2736550d1668539e0309ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.4MB

MD5
3ab57641b45b3866d33d324ce70ce538

SHA1
0dd07eb92abe26240a4b6a319d4a71c4393a9f04

SHA256
96e3a55b7e21593dd6091c731cc4598bd8f5dffc41cfddc55f1bd368c9550211

SHA512
4be710a046b52f94ef2856329e15e517c7f79e6a7925dc7181d2f1a1f615c262690432c14189a44833aa4c07d9958e149ecd98207925edccfae640289acf6947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
81ea13a302a60ad4bbeff8c72b940c3f

SHA1
729eceab280140561b42bc84ba7ba8752c7c2ae6

SHA256
02fd2b8fc323818e45a8a54b74fea9c39370aff5bf860407167c2ff3d3560d8b

SHA512
be473a9cea39fc2dc90e9409e6c2d9e8203ca76b54ae8afe6e01d9bfadb59f33c1b1940fa5dbf2e0c98dee655249655f863ae4934459b9e7b710b9c604991337

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
a6da1bca89fc2b314ed2b5d1d43e749e

SHA1
560242bd44a6b0b8e19c431e23ba1050ff4b7f61

SHA256
3d06224c2b98def9b2fd1488b4925671392b1e3b5f51bc4985ac77c8c1cb4466

SHA512
2013077703defb4a6063ccbd74524562ec037b2e7823ae164f84d01a41eed7a6efcab0c7a9d8c3638eead927ec92f4be4e5c343821bf06b09c9edceb1d908d2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
b93c4cf8b755553a885e58ba017323c5

SHA1
7078811f51fbd4efadec510ac732e164e8015232

SHA256
02e51ab966bfd70ec8c75c2fbf231dd9d4a3bb5eacf03f6b16ecc0628286da4d

SHA512
4b6239aeab649430b019d34d95d10fa14cbd2ac8e4e5156ea6ea68f6eb82f4ba49dacbdbe14cb340bbe127193d255d61cf573edf1617f45c5239e26856c7efdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.6MB

MD5
e295d8cbc985973501a43b5df816a949

SHA1
c8aaa1f4d6edb4722600e41701d51751ffaa4a73

SHA256
6a12774989cb0e46a79a4461ca35dff41055a7d879a1e8b0eeed97520a3306ae

SHA512
efd2dde13d0765f4898ada0d74c74dbf897fb5ba3d1cf1377af082e3245264f367b51570d6560a364b8c2981bd991ffa528d4a93d3b386f4c0ec63a1641ce7e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
ecfa2d94cab5c7b2fd5b85fcad017ea9

SHA1
029f16f5e76965d5242c2bd7bd609f0ec066bcce

SHA256
a6cb8a92b7fe403f248862d793fedb93331c484bb7edf14ae498a7c9fdbae3be

SHA512
971de0f50801a970d48590a133c765df429cb84962744fb8e8190869ed9aa7b83c2c110c3ffabc4fcf83f28738e03a606d32e14decd8d73725cc953ed6e345a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
b0662c4fe11a834e505e32446b49dc06

SHA1
d65225c4ceb7c38ee033ed8a2845dddb45d42c5c

SHA256
20d201c2610159f2e2dfb68e4893e0192cd8138532e67e103097218fd7ed5ee8

SHA512
9ea0027ddb8c66a5090446cf3c44a46dfc30acabf6e480075d373ab27a267e1b42b9c46d2c53a6f3628590213bdeae4cc006b622a9d83b8f624e51fb68eecee6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.5MB

MD5
cbfb501a19f721eac232ea62b6353c73

SHA1
ef119c3fcd8dc4a2397543613a383cd73a9aba60

SHA256
b6b8891ccee05e6fc3cafa29c1377b7efea972119f1e5e6032461b9051641cab

SHA512
db59e73082a9a5765cd0145d8b3034b6a1e7adf9d9d90880d050ec19efc2ebf8c830bc84e392d53e163a013a1196abcb590c37fb05ff363d8f55f7374f025ddb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
77c672a093ca7b998de491edce639c83

SHA1
dd9f45e9dee72a20c897a883ff2350b7150bbb03

SHA256
d0ea1994cc5f0985694ecb99e69e60860ec6ff2c55882d875b7153ca3fbc8437

SHA512
613b3b07e41d9d9872a5d19b737c665e387feb6ecc3cfd611f64fbe0ce404c78ec1330711e8d6fbb86043875c51444d43f7c5d1cd10624f7bbdcf6361aa75093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
5c6a9b7a8af6d60a612e2302cdb7b1f2

SHA1
a1701e264cb2f78ec4083cd0d3018edaffcd5a2b

SHA256
33569d30e22f8b09f39fd3cadc670afeb37942970ee78e677c15cec6f8ed9a82

SHA512
d3bfa2ebb96e817d73301f2b46846987f6fb7528e0b3933f0b2a2a4a49862b4ff7868781110eec7af9b8204b2e446b8976e69334d1d0aceb73a898e5df9792a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.5MB

MD5
1b2f7e12e623a66fdc63ea0b3b22962d

SHA1
634ac1203f475a7382c9b1a10357cec47db74c4e

SHA256
4d5877221dda03992c29844e2d932292830fe7094bc10c40aa5e0e8870658e96

SHA512
a79fb72c8d5285dfcda198ccf74491c4a17caab051dcb779e34e7e2a9cc9be3cdc5a771c6a2c3a48f5bd9f04ac5ab561918390a815d81b4bf792357c834f2eda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.6MB

MD5
b54857022ddcfacf0d07bccce2a1c265

SHA1
26026a98a943ae6b24cd325635bbd1f18ed75711

SHA256
1887f2434ec12f337bfdc4ae03b35b448af60ac3acebbb9cc4f00f1a5b8e6998

SHA512
c88d1853bb819db91f35427d205f1711497183d9b4700198b85d5dce72386e25f20781e284e6ab2d6d24a2e64738921b0863966d5f68ea70bfe7b55f29ab97d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.8MB

MD5
40b6f5f074113ae590e8b6e06a12bd56

SHA1
3606f896e0ac307310f41b69fd08afe96dde0c23

SHA256
9d48903d130eb1abfd35bc001652d1b107b1dc4d3b37ee2ca923ea367e69e76d

SHA512
e1ff55a6832d9a15bdaa4dae3d7749fa7a4a363ed546744f265976680bbb5db1dd34283bea591c8af7b8db0e2cc93a48e66a19a5ef8977f82224dcee2259c939

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.4MB

MD5
27423e8d4ee6a216eaa6d2dff1f51266

SHA1
6ad3259e7705d6e316680bb8f8fa670b127e59ed

SHA256
a6bb71fe091c7b366c97dba646760b8d25a28d7082bdd38b1db149e5f4afd2e1

SHA512
6642ab9b74df252d17b2ba9040f760902ca07e0a4874cbeb8005977b2af6016e764f28d9b20606a7218b754f01e377549de24b5fa5a7cf733e2b928291c316bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
1.4MB

MD5
9fc97ad84e356a9c2c6234a37f9cf238

SHA1
f0d659a83d28d2934dfa18da9394bb2166ef550e

SHA256
9b51ac54d48794c79cc2a4e7f25a027e67597d75cba7191524cb851465913d53

SHA512
263e7aedf2d630248776f171d25b833db2965eeddce56c35e0280a41233563d5e1d71c9992d3520d599d7efe3cff9a6980a506cfd25e55d6e6fbfbde4e3084b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
1.4MB

MD5
fd574062c1b0366edaf7e166757342b5

SHA1
2d30a3e2b834673d2449db6a5d0584658e7e698a

SHA256
b278a340e889e62f64ab4bf0854cbac2da04ab057572f1e9103ef50d5f26f221

SHA512
4d15565f481d529015c8296554c8b2700dbb97d745a7f73ac00dc47546c85819fb27c8c060d37d1b6929fea928902777f1a3592ffc453458f7878b81d1a1f917

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
1.4MB

MD5
3a5e370b254307e5185cb7a4891c6961

SHA1
7c39e5b3c41b86e35814dae7027ae23fb1cc5a1b

SHA256
f969303ea5298ba755b032fea6ade97e8324a8d91ae4f18bebb6dd3451f06d41

SHA512
0a8114ea6f7f4f05a8d85e8b85f8ed45628eca218a8657087244a2b7cbb619b7795d1244fb0508cae2807d7ad4ca6c7fb156b16f764c5ff05ef7a36ce0ec4c25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
1.4MB

MD5
89311fd013396464fb33a2d35f2f7aee

SHA1
6363e1b39ac64e07e429eba6b9a2a2c4c78776f5

SHA256
ab33741560fb8315c85d6c19f5cf99895b3b44899e65b598587e64d087c6436d

SHA512
41806b4a5588fb7198045385094ec8069b4019545e5f56b019121be44799e5887ce41c2e0390c6ce4f31aa32b4f37c907d5a125bbda97eaf6a2357566e84eeee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
1.4MB

MD5
2a8d24dc16271cc9e26092ecffc7bc65

SHA1
ef6d8d132bd0fde1a56c49f050c4ef924a51a57f

SHA256
8053ef271962b2486e2983e548d77b5371d5d94e1744b56c4550e8e92e5a41c0

SHA512
a12a4944ac0d983eb53d1d66081f139d989475e0805963a07d87c8fc8e3b321a8788c63e2fcded98b74d132a9a2b43c6e62382013cb088ada98e6207e08262b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
1.4MB

MD5
7c5061c01c640fba783971d9954ab53f

SHA1
281e4f53269f69c74d6e9816341eda952ca42fe9

SHA256
2da104f037df57b70f1e1c737cbdfb5e07900f2fad5a35357b3da101858c69ab

SHA512
fa682207b16a6d6936fd13c73cf6e77ebe63709c47b00a8759c5d3ca300b76c5888e391c7e190d2dd1b6ee3bd4948465e3a02e4b34e781442c4cf3e2dda2696d

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.5MB

MD5
bec51e9362a52b5b6f6e2f07f3a90f05

SHA1
572f303cd2eb978e602c0c26c95046b3f08b16ef

SHA256
8b22aad1de68a3531f9e616f2d678172d2a66074bcb326225d2b1f2a21168027

SHA512
4456f5c5346e427945a8c87895c0d4f0e2a3326b3ca8a2625d0c6468daaf95e425498de4b4929593e936f2e4d1fd63a347c5364f3638372c92f6e86739b5be82

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
9a1e02d658fac3c09fb55f019916abc5

SHA1
5c8e75fe541c5b33848a9dcce521169f4870c820

SHA256
cb1a566bcce0b468d67a309e1cd1cf357d418d30daebf3244f4eca2792a2657e

SHA512
fa0222850604e806fe14981682cb7a054091a86348f2bfef54cf42ccb4bda55fadd15df1e694a4149fd6eeda30a8ee0a72e9c142998e9add99d1c08249bafc7e

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d36618d02967652516652bd1584824e1

SHA1
4643a94ae14abbbe2dd410086ee0baa7a80a0aa8

SHA256
359c879de16af1ea2b49455bd8fc3e8236a3419803302b4a35120372fdd7da1b

SHA512
8dfa28ac526a6278046f175cd9afa8e1e006d17855ba530a3eb8bbcb05da92ba569b4a31d7d943d0c1fe01ed2cac5efa3d431f852ff85d47f6ab517af6702fa9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
4ec462195e337a83896ad9b467a4002b

SHA1
1b5cd3565e55c2cbb5ae499178d5f6bac1aabf8e

SHA256
c5f52c91cb5688e466dcd72a1f18c4085099b1080e00d2a0ec7e95f46ef50978

SHA512
389bec954ee6dcc876a451f0bc21c860a0505c658ab876d4805d7e6503a9bf87fc7ee3ea803dd5b07c17cd7641125638cd242c9add29e5c337b057fd76ee7bbb

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
0802a38b3d2b9aed4192b7daed216aa1

SHA1
0b7674bcadbdd79bcce84cdc3239790202c2b85e

SHA256
1d628a192d1508e7fa27462ac22ef61a58c7bbe60b682191f165e62a1643200e

SHA512
d4a1afd9b3437de09752fecc83b5f8db30ad325112b54b8c74c3341aa1a6bcdf64ef0ab137432f17e73e0e837783b184901f3e8477e5c40f8a50c6b96f44e683

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
826066d95419ba830aba5546b4588246

SHA1
3d58bee2ff4d3cb3a035315bd2c86bb14177cc08

SHA256
1c47a90f8240cddd4cd707f9f67d5bae3cf6bcf1602203d80564b2c0a81685ab

SHA512
5940eb1f4fec465b7de72959d313d7ecb7fcd7011c5ac37c3fa687c247b37fb25c2cafba5a753c255fde8a535cfd921b880b5a4c92b6435fd3f4a29795ab8eb6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.7MB

MD5
63211a7d25e9129ce0b865c9fb0c9f4e

SHA1
748e19cdfc88c40f23a455dca6c4bb4472a316a6

SHA256
2a8a7a79e9823608ceb8dbbb6a1a04cc4c4d067ccf9c01e40c4ec30a61571dd7

SHA512
4d7d451ff08ffbf6619edd514f43dbfd5927a7979ed4ee52f88c81caa0f0c1ffc599d6f67eac40b06e13f1d6055d227f3c96f1a7338ce6cc4da6fa8f388e0c98

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
723eb237e79b1ac35331ccec57f8c857

SHA1
dd80cefc61101760e526887bac7784850fed2bba

SHA256
452bfac63acbcc08a32911ea6bc509416779a7c537161bb04536568761e5ad00

SHA512
878e451dfd2cc4333393b807aa9c2b9a3244ba7dd6c2af8e9d6566157f4035c253acf4fb17fccc3cc10147ac20304282bdfed6d4cbfa9bbb0edc90c349aabe9f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e898ced2bad1b07cc07637129a473886

SHA1
e5f81b3647492b5fdd10547744dd7a573d8e5614

SHA256
fecca60ea0011ba123e17a5a5147637809ad12aa400f7d325f2e542343b63ce0

SHA512
7b4c9818d699fce2a36591173fbc1adf4bd44106041aa7864eac3b8f984d965f4353a91cc6f27d29af2455ecfe0385db1688a900f9717c9d696ff3bd54d0a9b6

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ca72cfe29ee76f56dfd5773c519e35e5

SHA1
92f0bed64e17f530a5b6ba1b8c970975cebfdfc5

SHA256
c8335a8c6bbe614e64cda23be4d5519c9066bdb3e7758e02c0d1b746baf2927b

SHA512
2d577e47aa01ae1181ab06ebbc419d7c18f25f8fd9c9d9110336f99df8fd6417c82d5c1d5316b18cd3797c653d3e49c69162c57348014826b07ce4e2433b6f09

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
85918a484b05630bc0044ba66e19fb75

SHA1
0cd3d420ea6fce352362a9ef1892c8777fdc4faa

SHA256
4669a750975685e66808e8e07ed0d69ef0aa434c303bd75906e997bea49259c4

SHA512
cd4fe4e43fe98ad22b380412a4080cab806e7ce9a39fe6dcc7c56aa7e19b5b49d989d795740225b170282b50b9a632c836e2e6b35dd4b231ffd611c3974ed859

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
c2da8e96167293d0e57b8bdf22469feb

SHA1
7f62c25ffbe1abe7fd58ee9e8f6c852ed8668c78

SHA256
1cadc08e15a5396f76fbb3007cb20a9126d431bfbaca103278866fddbbfa4514

SHA512
a5c9de92550736f23c61b2ca4ff044172ae1aef3d3ed3caf884c1b11b86cedeefd33c07e896a9c0eb92878b9f2f6d46fd94c66af2c73520fb9450a086d02b7ca

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
8231e93878b02697895f00d9d4246b5a

SHA1
8a414497085388541b26c4aa13e8df36c09c96ef

SHA256
4fe3b312c653144a6e6f87f6e15c6c1d238c456f1c43abe027292fa4d8985891

SHA512
1936f956d8bdbb0b9a62af551948baea56be4bc96892bd359f2c2868995065e36e2903ed76ddbc7632f32f6df56fc1381cb9576beabe7c0c7eb4850cd85d8ea3

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
c1409d52c2e1a062f20a0a1bf9f29925

SHA1
1ff8666506c47052d3cec0a2c665181fe700d391

SHA256
31ebbeffb76671058354b1ea0409b7e5e2b626ead2f6ee24a96f98e722d88bb2

SHA512
9278962af039ec56ff79746f55c1d9e6bae85aa77fa2e47918d937020f9bfd71a9e3436ff239a90f660ae13fdebfdaac14a31f0c8a19e96eac01228d6de4a2ff

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.5MB

MD5
7e69a36a3bec6e3e98c22bac71504ff9

SHA1
9ef0477c0fe5ec4b32dc0f8e63bbcffc75fefb08

SHA256
cdd5a3671663408693de67171981e3208899280005c7251f32f9b4cdcc616edf

SHA512
e24a32e04bd055f8f37c5c1f18a008591224fc802f7b73403d50e29e4b72e458237c2975b12b3e20304171faca8d0e0e0f0780ec52b9beddcee855d8ccb4b278

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
24ba2bfc80834ef1e3e2ee5f90caa47d

SHA1
c7921b553823e71952781014b8a40313b628dff5

SHA256
1b953cce2101edee5c9bdef11594f8afb0cc803ca2d67ca80cd815fea2ace62e

SHA512
e86e23ce57fd6bde9f21024989253b632cb9f12c9de9340789936baaa1c93a6e2bfa2a632f3e5ae5b69f950f5f8ca24be8003f713d774438617dbc402106da6d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
629534aee3bd0daa2897b100151c66ac

SHA1
e5c93c00bbaf74c1e655101231d6d6feb91c3442

SHA256
656d258667a6e5f8c5dcde99d728e04e29f715467203a95a4dfa377020f9ada2

SHA512
30b0f8cfbf7efc4adfea3ba6911bbd738eb6155f6198a135bae2f3c21cfbe004abb3f163e4a4db33d6d1e95d59cff503b6f88f478fbc27ffe2cf9ae3b71ed597

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
856f9c1b0a6abec645d50deca3dba635

SHA1
79df9b00096a20ec8708341a247ad59d2821e218

SHA256
f0dd963175bb4de6ad92617ee600b9639322224e16d6292fcf42e56eb90ecb16

SHA512
676bb11eb8173c8fc74aecf7f505fb305e4d15a709804921f04443a4e9ac258d7fc46fd01c4de5a603b2bb11393e6da30a38d982bb45b75dc6180b03efac0c79

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
a7b5ac903c0b1f7bd1ca0e7ea1cb1e1d

SHA1
08739dffe14d659a21320c6a57106ee025420c06

SHA256
f18f0e960cff30a5672e408242a184c6d35c7e43fe2a4f00644d1b906e781cb7

SHA512
971613cc29ffbc7731378a7689dfd11a65b0a9be51fc71baed1b087962252e549fdcc02123491457e0a6dfa92e9107f054ea9ccac8ae9ee1ee7436e4b7c52b0f

Download Submit
memory/112-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/112-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/112-253-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/208-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/208-605-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/512-410-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/512-293-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/684-69-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/684-63-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/684-80-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/736-326-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/736-537-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/1140-399-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1140-613-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1176-71-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1176-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1176-49-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1176-236-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1176-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1492-267-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1492-386-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1668-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1668-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1668-57-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1668-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1900-604-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1900-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1900-435-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1924-291-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1924-398-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1996-615-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/1996-423-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/2292-436-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2292-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2396-241-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2396-360-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2396-242-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2396-248-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2968-0-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2968-1-0x0000000002260000-0x00000000022C7000-memory.dmp

Filesize
412KB

Download
memory/2968-8-0x0000000002260000-0x00000000022C7000-memory.dmp

Filesize
412KB

Download
memory/2968-25-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2976-372-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2976-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3220-612-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3220-395-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3304-357-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3304-608-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3360-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3360-28-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3360-34-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3360-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3516-13-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3516-21-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3516-20-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3516-231-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3644-303-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3644-422-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4224-614-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4224-411-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4616-609-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4616-369-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download