ed7077d6e4189a592ab983e71a9b1c846610711d8249becf2cdf45b30db1b76c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 16:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_2b93125a4dec496e2b33c95d3bfc5316_bkransomware_karagany.exe
Size

1.3MB
MD5

2b93125a4dec496e2b33c95d3bfc5316
SHA1

6c6e3edb658254f249b609e8563800eeacb1e485
SHA256

ed7077d6e4189a592ab983e71a9b1c846610711d8249becf2cdf45b30db1b76c
SHA512

b2c5146a6c7f2325efc8113a8d3eb821a466e0404edb1883e42247f8c1bb264c84b21927bb2bdc0c536b3b5b3f28e75bb172db8a7ed112ba152380bb2b65d715
SSDEEP

12288:VvXk1P83AZQxPq4yqZ+kM4rGwSvyaY9S/TG50IevAs7q6s9UtcQhOUVNM:Fk10NxPq4yqF9p9OTG6WiqUtcQX

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4608	alg.exe
3084	elevation_service.exe
3964	elevation_service.exe
2428	maintenanceservice.exe
4432	OSE.EXE
4732	DiagnosticsHub.StandardCollector.Service.exe
1552	fxssvc.exe
1584	msdtc.exe
1952	PerceptionSimulationService.exe
4616	perfhost.exe
2744	locator.exe
3952	SensorDataService.exe
5048	snmptrap.exe
4136	spectrum.exe
1920	ssh-agent.exe
4280	TieringEngineService.exe
1804	AgentService.exe
468	vds.exe
3508	vssvc.exe
2876	wbengine.exe
396	WmiApSrv.exe
3224	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_2b93125a4dec496e2b33c95d3bfc5316_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\932f1d8b1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef34b10bc5b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000130dc90bc5b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b48c40bc5b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f310e0cc5b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009193100cc5b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030f7f30bc5b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d458150cc5b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0415f0cc5b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3864	2024-06-08_2b93125a4dec496e2b33c95d3bfc5316_bkransomware_karagany.exe
Token: SeDebugPrivilege	4608	alg.exe
Token: SeDebugPrivilege	4608	alg.exe
Token: SeDebugPrivilege	4608	alg.exe
Token: SeTakeOwnershipPrivilege	3084	elevation_service.exe
Token: SeAuditPrivilege	1552	fxssvc.exe
Token: SeRestorePrivilege	4280	TieringEngineService.exe
Token: SeManageVolumePrivilege	4280	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1804	AgentService.exe
Token: SeBackupPrivilege	3508	vssvc.exe
Token: SeRestorePrivilege	3508	vssvc.exe
Token: SeAuditPrivilege	3508	vssvc.exe
Token: SeBackupPrivilege	2876	wbengine.exe
Token: SeRestorePrivilege	2876	wbengine.exe
Token: SeSecurityPrivilege	2876	wbengine.exe
Token: 33	3224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3224	SearchIndexer.exe
Token: SeDebugPrivilege	3084	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4776	3224	SearchIndexer.exe	118
PID 3224 wrote to memory of 4776	3224	SearchIndexer.exe	118
PID 3224 wrote to memory of 4404	3224	SearchIndexer.exe	119
PID 3224 wrote to memory of 4404	3224	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b93125a4dec496e2b33c95d3bfc5316_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2b93125a4dec496e2b33c95d3bfc5316_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2428

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1584

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4776
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
be9aacfd535b8e03d06dcf3bac3b417a

SHA1
1769aac6e2c33d43263ae191e902d8a5ee576a94

SHA256
31a323d40a07221d12cea5a2f26786c386ac307283704cb25ab3224642625cc9

SHA512
3b795314459fc77823227fb2951eff07c9bacc1bad9466d5047ce71af8e94a57abc960ea47d7b131cad72d942e58b228650ec8616c259d438aa215dc3feca60d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6eb106d5941261ea8755bd9b2c97c1f5

SHA1
3f62553ca67e40ff974e07d1ef401c2006115540

SHA256
cd1d89ffc5bd9935befd71e0125732bc5cfed4b6970b7668e8a83a2a0351f0cf

SHA512
b4009247f2681d045ede1684534b60ad2753c27bf24d9b7759eab2a45c9cf6846be23f3ee9b951117d060135fd7f475cd0c92d5704730ebf792a75057a514e09

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2c658d83e48244acfcd1b38031c2ceee

SHA1
6fc57f35f021fe97cd687f8cec35293ffec4c25d

SHA256
30de6ba11b878001732e26f63975449f0d4316a03b3240be9ffc45f6f879e9a2

SHA512
b22c3777b14f79452bcd8fbee04c0fc7d828592ee7d646c71e6ef62a02356ed470b7ae208a014fc37e6f1580536aa5cdb4317707cc09fb97f54f9799fd50d784

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7c37db3e68c72902197c3fad728bd63e

SHA1
1bb621ba3d79b0b0f2e39d4e7aca28d1f9ede918

SHA256
995df4357719a7f8ab5672c97a0418ee90e670deeef940942b0863a05f9c4b91

SHA512
c649555faf22560d6dc6f9e4bcd0e4aa507c4e32224f1724ae399f7c76dc2d6e1b7b5074373a8e080e03d30f9a413885946aae469fb482aba453d46d38208382

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
14ed35383466ee161ae69313b0d919bc

SHA1
7495f86f1fa37f49c2265e372eca005af8159f46

SHA256
b17f17e08f45bc0d603e6fd7f8c21968dae38f104437fa6678fb7406b5065184

SHA512
77225cffc22000bfedf4de0ca7691b4b7b18245193638da5f21ea228375abcc9845d6007743a9c473d4daec75ff028753916f411658dfeb1c41e3f38ffa60459

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f200a942c7c4ab40207a21754b579ae9

SHA1
5b9a3274c146e502460cce225af0a1b7cbc5730c

SHA256
8f9e09a3c11b7ac2ff87657f99fd58cbac1fc833164dd704080f721ca72e8c45

SHA512
ea92f4bfd744445046f3c2e3cf55ef77793a0077c16e3af5623e67da7f789fcdeb79f8f36e54ccdbad796d6fd49f8c79351e14f439a9a46d5e99c84438e9b5e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
79427d09d00f407c6e5f2c52a4956ec3

SHA1
705097571a28fabe27a0391b43a4d14e429ca893

SHA256
752d72953b8fd8eb3bff5e319cdf1f9809ac43850174f01b2840d01628861f03

SHA512
eb64282ee893286737ebf05a9688b828e13ee24a2e7202f7c0c14ea25a393fee4529bbe1971f03874b552bad41eb1031c27f73d8000a1965b56540aeebef358d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d1fb73dd29ae49afb042b07e9c0504a8

SHA1
472132196c613dc324f9cfc1703eb240f33e641c

SHA256
05e1522c0e19501103d0397badc75d20b13969406b8bc89b3e38210d5246850c

SHA512
26fcc0ec58cd585eda51dcc95f1960758d68ddbc716625a9b81efd391dccbb0728166f548a3f391512cdd7abf8d849024fda4659596dfb8c13d00db7973d6e04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4cd3bf66b04d32da8a7fc889b0a3d18e

SHA1
11438cf41b19aa4115a0e698b653423f6ca76711

SHA256
aa457b78120a17fcd9da7d083da63d491ed219357141cce67a686bcf1f9a6ec7

SHA512
d6bc2fcb02c3a1fbd69522557ca8bb76dc938f90b57392b17c5f2371abadbc4efbb51ec0b39ac6601a2259611b32dd96ca246102a24b0c87005903a4f3cb87a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
24dc61d0d730fd4cc2e4829e7cff6ab8

SHA1
817f1c3cdd16ee948da3d4d3a1154a4c5163d346

SHA256
0bb26aa25479cddd8d8fbdd885cc4a5ca80a93ab8d6966076abe38b71e2d61a0

SHA512
d6279d128d2771d8b19a69f942730f516092546ad34cd4de9a5bd81b1b471de61ea56c16e235262124f2eaaf92ebb43634eef32657bfc46a2adb9046ba73ecff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
29479be219a2f85c5f2caf821013c933

SHA1
70d39bcf014d1d7a9f0b0253395432aeeccb4ae7

SHA256
49aa50c66b3c1184458a700df6aa226ccf3a4bb6fc11795ccdcb8412410e0eec

SHA512
e6dcf5a429fcca8de2770ca037231baa71ca83d2bd01a75da95b4d080709e62cbed251c7526f0a351f0512de0d300a0069e39ee812021356ec3313018a562dc4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8675f1ebbfe51ef182b7299b46534843

SHA1
7b5dbd8f9c4e926b767117690c214aaa36e982b3

SHA256
b639ade3aba454f8c9a18055bf95cf1cf642446ecff01314b00c4defead34826

SHA512
85f290a70980df2dfccca54466bdc1fe16cf8a2753b124364541ecf7ebbc5a753aa3ba241720a0c0afde7196867603148e08de0c4c6c40a76ec98fcf31d09349

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d57f45c6c53fd02cd07d3b83d065cd74

SHA1
328bd88b2faee73a08e55b17d5dbc81c8877797e

SHA256
5207bbd46744f1d72813c9b01b2d69beb8246c80abf3302c4af8738066afd892

SHA512
5df59c96b68dd194e3205b0e21011693e25f19b3aeead30d51399946f8c868e4454518db881c4ad915fa9b9d86960be3239badea27fd40e6fad12b4a069bea87

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
732a8a2a369916c72826eeef5fc2d8e8

SHA1
fb12428c14ff6c2bfd7a9ded31505e0772b1d9f1

SHA256
edbbb0d6e1f31e7b2bcf539fdc05b2c007bbe81b93f7fedb301b1510ad91b0a5

SHA512
cfe0b822f63198872bb1e3208d2d40e511d470cb5411d0703d4498a05f21da90aa4024e4940fe0c17f2eca061d8ffa3fc644545004cab71f527889db7665d4ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
689bf80ac18094b05bd43af5d034191d

SHA1
85fe47e909fbd24c5f7ddfdaac78cb11b7f641fa

SHA256
82cee1222d1a4d200858182bfcfd773a677ab69c292a64a3898698aaf1e4ca7d

SHA512
461ea9155db3d261697f8cfc908223d73b9b73b324baad90632e6c6bfd2725a3c0ce6de3084aab608de27c8b9dbc403aa6449b6392d1d22ff72d141630065c1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5c854cdec2d5eaf34464236a8d466ff6

SHA1
4d0b9774731b2c4be95ce227180977959d5e18e8

SHA256
a7205489e4b44c3f98edb9c87fc244c02aea7ffef001db1bfb85c327447abc8c

SHA512
06669d4aa45cc04edb6e35d4945fd1ddc01a394022e86bd5af2eadc58b8c83ae68ad830587deedbc0503448cf4ec5f2c763bbe81b73494535a640a9616aa476e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ed73e418acaa26e7300fc76a5b04d97b

SHA1
b3c58db08e84f4eb134882a1f98fdfedb26221da

SHA256
f3c046ee16aef2ea81976c2ac9c4cc9a8aba7884b12f23fbc208d8b3062c73e9

SHA512
8d9ad73c94c36ea05300dad1112f1da4a9391421408daac9841b7a51aeefbae1c8a2eb235a1e28062a54f58b6a76edc9f1854af558e2defa3f4c30684f0e55d1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d4bc0560681cc9219470c0bf89e47a54

SHA1
633fe61369bfc98c55422183b769693a29ae6a43

SHA256
d3ca69e539d0a1e6301450af4331bbdd4a0f9fc0a42692648f96ad0874720fe8

SHA512
3ccb1eae98cdc9ac12b6dd012a812a77ac32229f1523b76bdcdd6691ecd161fa627635c8130d06319eab6071351997a62bb6acf310041b5670a1c682fbeb3bc9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ee037e1b426099d22017f6570a5fb147

SHA1
88e5773b2470ad59d4f19209a178dcad2335c976

SHA256
14298ebbfca5c485604a7b09f9bff107105c89b4f73ee1435ad15032bad5326b

SHA512
93f199813ce0e8996048a26327aab86d0bee9de96d2b96819090d15cc8e9d67230abefc174c645bae2395eb01a09e50d12d7f0e9120bdf6e35fd41b2b4154de5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
188e922a537c3953382cebd88abd7a47

SHA1
dd846da824567ae643d48849bce7d8e0ca58391b

SHA256
dae703a8d8c7f9c6b5f73855dcec95cae366a680d09538ec2b4602ab907a16a6

SHA512
729aa9e00ab5864d826d29633e552f774e8fdc882e8d7083051398921f6340fa229fa33e1624cfa41a84133153ed1c2b5df13438f56151e5912e4b7d0cc43cab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
aeb7ff34c8ca19785689849a4df7ce73

SHA1
7b3a336a6e92335091bce9996424c39872c52921

SHA256
bc19c67b32859c0ce2cf15af8df724e9413e8d5a14fc31ed369bbd449f062318

SHA512
c42bc70c9f57b88d4f9208e7309a9f39c60e52aefa6ad37242ab20e65a4070198b5aa4cadae240cdf0c26974f21bd1732a565502e9ee672b844d7bb6406c87a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ff0a68b7925f3eddbc79850f28437b2f

SHA1
05140be815f6e39412e85cdd39b27e6577494b7c

SHA256
aac7c3998e4fbd4f3da063c02d5db83f76d5cd4ed23d5423063cab7a64ba4458

SHA512
caf594c397172bd272319a8eedcddd8e76cc63da505458e27815941319b3c902914196d6e664a3be5b099d22b7ac7484c16c2337913c2ea3035eb6fdc5e3915f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
97fbdc26db042eddbda7404abb4a64ec

SHA1
3f18e93c908eb7a19ee6c62309c9072d71073afe

SHA256
1f15846215f53d6ba88f4926ca59906727adf59412f32b456125767b9b41e36c

SHA512
0dee1141010eadd025fd9bc259911a6916d8119e1090fb096bf22fb82d5da15486f2cc07e040b0f5708993ce6bc371088f30832e88548dcd7036650107180ad5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
43123bfe905250b4170de858184052a6

SHA1
4534ed12d43a367e2af5d88a282edf32e493d4ab

SHA256
ad89b0f381967a4c09b47ccea23a64a2f5f52552832ee33cbf164a8a7aaff1f1

SHA512
7ce4631e7f4e7b6259a40de2daeb0b03445cdf506b0b25bbb2b599a76b6c873e0d3d6e4495dcb45e24f9af129cd9c5f77e2d975fb6bb8ee36bdc9425b0ddb803

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e1a41baba7dc7c528abc840cea112d9a

SHA1
a17c56453052b6415a2a3b8327d0cd9d1a243f06

SHA256
340285a6484ac2b8c7f6c4c2194cde7898b406ba5bd2e25055b87b3004138b96

SHA512
f768a2779768f1bd90af50e3787cb8f327176d266554885a7555c88621974c2ed3a3eac674f70cb22e096cde402ac7405c0bceb04468d373b9b3128a3ef5bd6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
320109716b3797db4a5cd8f528443dbf

SHA1
3ed993eedc9c4f0b7a6e3315530b06d5cc7a3946

SHA256
50be3b670b20e45a3941b43424794477a04f3b0c5086314c417752382d1e70b4

SHA512
382f2a43d22edafcce124087efbd7ab06ed734cb0b809be3015b171503511e5593d6469192416ea7fc4df5ac8d9387e127c2e645e5c8c146c0a8e220d21aba67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bd26fbe9c143594045726df20683fbdb

SHA1
3ca408ca1eaf22b6d4f89b339cc1e867aca9b05d

SHA256
2de403d3fc69306a0b5eae603d8d8e9b09657e5788fd74a26fa617b340efd49c

SHA512
78ad5d6150e480aa288d2d71d4bd0bbcf609d877a92a6e937be926f1c343d07e7886acb3ebc4301327de8b46128cb9b60217a9add8e416841a80b780fae2386f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
eead1facc0d2c961230236058ba59c1f

SHA1
8351c0383815d7da8cac7dfa01e9684f31ea42d9

SHA256
7fed6112e273c2ea4bfc696612bc88eb40f9be860dec82c7e94496c0c5563155

SHA512
84422a062735d0b04ce2e9173950969d804b94465f7a42739b231e8029ca7148364a20930a061520ebd01d9131943b916b6b74516cd81cf9f21c3cda3cd5a675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
88a99a6f103d3802191ad259a99e9c48

SHA1
2937956f39ec3b455bcbe142247ef25f7af6d6e9

SHA256
00d55ff2c2a32d60a3dbed80eaf9cd8d43864b4ec3e7dbd471e1bae5ee727c13

SHA512
5ad11fc36bf324ff523219bf2686efacbe48037e053e48f67f131cad6a318eef8863c70dd0f8be73e56beb32f572b9c80088478fa36f9837840633015dedb6d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ac1688740b9d0a5e7e05264b26a70b06

SHA1
94a99a67e8a81291e617e97007646c9b878da3bb

SHA256
d5000b3f03db0d5beaadd7cdecf23533842df8651ede74d6ca7c061f3082afd8

SHA512
69542c688cf4bb6cc5de0864fe5be848f30ca2eb5aa124bd474835f3f43ddc4f855dc426b7101b2c679ceed9cc495938904dc4c2ba0da57861183ec872fecc5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
489adcc1d32e1f5a03dc9d18094c4ece

SHA1
9530c2e846f2ceb79f1790f3bfb6efad7867f8ee

SHA256
eb7f7c23b0e6878ed288b098a3f2981f5982dd792b228a85ca7c0f3281561f58

SHA512
45d981a7765bc35c4dbdb63e1646ea6fd528435707da987f0aea6ea0f56d6276e367e958648334e72a33a8341ae9830ad6d1dd0b4cd34d180cc56e0fb18a41f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7640ea236c407319133aec63dcfc53d1

SHA1
9483da599efeb060fd1eef72b3837ec666200b6b

SHA256
2b91f287219fea3cbda083fcc671393e1a1212420c5551f2ac7e073acef49c45

SHA512
74e1550238aee87fc5153b51b227a707c8767c6c20f7e54d177ef57fe8ed575b0d838abb3bf71fbd857a6d84f6c046d67ca7f8ba4c3bffa544657a2ec4e246a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
29b0ce9a850a627562a0d4c172eaef96

SHA1
c2523964083a8667aa0c21b369992c5177f34ceb

SHA256
7e3750cd9a5e80d4a07fb799904445af196210f49bbd4d18a43520ea8a768b36

SHA512
91907f872f553009d128af83ccee034bff409f1445e3ab6a737537e0adefac548903447f7d84365b57829c67e3af119cdacc8fe9ed9ddc08aa742abec0319b52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
7e8c2c935efa30cc894577e3dbcc3a22

SHA1
2e69006545c20ae7b1dfa295c0a480ee28a05b9a

SHA256
905aff6cb46bbc07cf0588cafab089a850ff366de4fbac7047244094eec9d8f4

SHA512
d6439ea89180fde7f826e13b16f03eee7829a51c060620b6b9086ee16d365b8b4c7d6ccea06940eca8c1ab3e5b44fc5db602b61f92dfdd6199da28c1dab9df0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5abeb0f8d53577ec2f4eb927e16439b3

SHA1
1853aaeaa176701e5524747995cc040f787556d4

SHA256
11bd2c563dd38ddf73ee28e6e982bf33d867ef16a1b03ec6fef287371b4cb4ad

SHA512
62f39c2766baad4fc55ec4a16a0fcae6cc3dfc3664fb6da85d54ea1fd355688d5bce5190436ac0f2090214fd6de392d5d507fc8e60f5d9914d3301cfa09e638d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b69407bf6529184819e35a2fdc3710c5

SHA1
dbd55aefefc56e0e8c5007320fc9d921f73a28e9

SHA256
6faff1db2b1bd5eea25363a64c4a7d9a87d43dc8fe3d7465b00ede033582fb99

SHA512
fdf799547dad64cadded5e9eeaf98316f8e8eae61b37b366c37840dcac547972af87fb4f4e5280553af980a6cd47bbc954c8f3901318825e5e508813c4baba58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c7e59648977ec99d896ac1fdbd565bb1

SHA1
cdc11ec8e317f27b5d050f8a2a834f703c90b2f2

SHA256
5d641b1b1616c33cd6cbf9456e46e35fdbfa0a58f45a2d9e2da3c7d7731e4416

SHA512
fb17c67ec4c55402db093c6bf93e92dc6878b1f08e419b5bc835123663a400678c0b4b6af519f89af2bcf9797faec2a90e2d6ed9b7d4fb42c24091f4961b6f11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
54fb92fe7b22c893ea8a19a8f7a5615b

SHA1
72ccb3b7277383bf16bb2023823c8b892c4efb64

SHA256
6983323fb4b6d26a8a0cd15dc4352b4405c540b1e095ade7b932a0a8a0e11fa8

SHA512
55adfdd2e5561a1658d1fdcdbb0d5afd7052917cde7ea79b8e5c84def0231ff67de506f1f95ee027eaf7eda0e2d8107786e0830025c059f7059ffafbb3c43134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
6bba03dd04df4682e766d3ce5b9be4e1

SHA1
8846344098edff6bcff39c3d1f3e7e83776dc4fb

SHA256
8fd33dc7564d584f88aaf7b6f82d7080d3f4a76c8a6bbf13ab57707ebcf71bb2

SHA512
294bcdd7bdeae21367f89921d31d47f64d744c2b5c9f394ef02d9d9fe215d78ef2c770dfe8ebdf46cc4384cef10ae9d5f73c75c565caa5850e976f0acb9f2aad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
b48b949c6da2e724100bd7b7ada9fe47

SHA1
798543a35892c24b91f538b683e2b86707a0c9ac

SHA256
11511b058f36f2f90c7ea8b7e395a36aeb87417e61ab9b392037f65e4336eae2

SHA512
ca4bca4d4eb23f5f0fc3cbc47ae39edf87ef1db9953e847f2c05e5ace39779b729f37fb919eb796de89e3945d5b0fcaddac768c79e350bc09afe2ee869418bc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
658523fda6c74d4921c9ab9891fbfc5c

SHA1
fd388849b2f1f6e855d06d3262653fcb9601f10f

SHA256
93078caa4a22a070f81f86fc2d6abbe5b6f7530bd0d1cbe88641497df6122342

SHA512
1bc9ecd762bf255edae5af6463bd9281e03aedcd40915ea16c459b3b54e904808e4a36f83b16b564eff70888ca66104dc15fa6db4eeec9be32753e089a9b0b81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
f5932c1115d9e1b8463b5e1da07a5ef3

SHA1
368d76130ebf7cc7b55d1bfe49c237615494c9eb

SHA256
9ec9c2599c289af770d784d5172176936eb3a371f7b76d0cb1a70eb581ffb8cb

SHA512
a21951cd0a17ba932e410e88f1bd929f926a9540bfe63edb805573babf9702e60966d8fea72ad6d01de11ade26923e7134aed746fa531438d464c21e16e6ead2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
b02aaee5a96ca5790bf8d11157b0ea2b

SHA1
3d50a6eff20469099d8340b1f09348e11c63c008

SHA256
8880c41c7552df6673b586aa6c9062f1dbce441bfe182eab3150421ea5f8fe7b

SHA512
24012096461b2039f08775653af497fb9fe6d6a6b41bfc8616aa4e5d0ce0abb3d2709266e70b3da28d35b81962701c68c13f95704107cd8f383228665b2ba6dc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8581bd2a0110a076c8a55d8d00e52b4a

SHA1
009a99122c34ae6567125528d64f468b2b9c99f8

SHA256
c272e332263bbc2becd6d17b05e2fdc9a9fdc37a997716098ec3a1fc71813ceb

SHA512
e40c450864323724c1c0c0218a4cf6288f48beed9b3e661b4a418f9d8a44fce146a0e0270f05dec3dd6e3f02b8ad605275012bfebf20a286f7d0345e35257ddf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
169329f5a26703f2f430ed3ba30fa833

SHA1
d7b095611fb572ee440f081039c8bfbabd78f452

SHA256
6421b00ebaee981d981643ec95b989c3e99bfb9fcfab042a4353e95950d32c1d

SHA512
643b4fceef24c49717e228a4aadfb078aac8cbd96cc16e81aaa24add4d3e2aaa5e8d1c5ce38cd3c4a15c31dd6bc010b050dbca9fc822e7cbc2927db32cc7348c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e115c153b7ee50cf6bf16318243d4d2f

SHA1
9a0db10339ca372ccde43a779453ed3b6134d1f0

SHA256
5f2987cd837f194434b51f8a27baeb1697ace8fd73806e43d246a61c6cbc9b9f

SHA512
2d97590512c838c452daa11ecae019e2229732efeaa39bf142ca155ef4c2a47cc67ecb6c99a5564ace620cba3075e227f55be72c8b3c66c9b839b0185a2a4630

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
dc294473e1054118bdfb6f7fc019c204

SHA1
29bee0172c1988e237b2a4d1da1c68263a956bcb

SHA256
329ffaf89e079f1468c3cfd59f12adea10fd14f6c3226c01afc831c0b41b5c73

SHA512
09ccd9ce1a1b1ab2ac6c1da420669933f7d95e726894f1e3e710c3354fab1d9eaa3c0104f7809eeba7900d375c8ad4676b14295bff8d44736b11b6db9e22a3da

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1c90c44c7c1c49d4975fec637d57ae69

SHA1
b59f446d88d2d8b3b30b21f17eb2fe382d8cb9b6

SHA256
8b920eb27a4caddcc79248c32286a07e24112f745f4bb3ad2ee9a9bb07149bea

SHA512
7043bd1e5c0d40b077bd807cef7009aba76dd79b481e8ea058bde52cc0ca63ba720e1b366f2c4a803d5729035758181d987eb6933e7dba68a5d191cfbb0c95f2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d6713e05b36b3af618a53e00f6920c2a

SHA1
bfe70027826ce1797a905c689fa6ffe9f755d862

SHA256
de1b45c67b70693337d93e211cdc76a2dd787e8d9b5c3f0134b52968677e3f76

SHA512
8f6047fb26c27f8eefdb12345e2ceb0a8014eb4dac89d4ae0a1add733df3b0858fc803c562cd91bbe7c0d18b867b32ae7a6816a9cec0fb57dfba097d338eb9a6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1e7aec50178453b3b395523f8d6a4427

SHA1
08ab957bae2ddc8d301470d1041ec06c0a273c1a

SHA256
ee1268458c33731b8d191f9509f48498415f7541fda57514661341f981474e03

SHA512
030392ab8aeb393362524c1cbed8daef8e795a6b6df223de5a226000a5d4d43c01ff2747b9976253d1bf20ffd1658c2bc6f96b4ad6df24804d3c34f1b6b43dcb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
665d8fcb8a5473cd23cdfc0c2a27b85d

SHA1
93a6fe648c28b65998bb34b42b51bdf6001f2db9

SHA256
5f40e83d913f60a8f0838b7ae04a56c7354f7cd669486a6cd9045fa63b3c7e80

SHA512
e57c966f7f4cf023d2a25a5a1942f88d116e9e4bca5f9d276927b1bfb8cab70668a08ffa1eb08f5091b2a66290560a93dd70fd9454a768261cce60d0e9bc1712

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
81547699e9a28d842082cc3e416981a5

SHA1
36c2f3890e89f6ac9f7afdc99ebbd21a85797e19

SHA256
5d80cc14f484968c1a9c9bda222f956d1d28ba85b8469cc6aa0c2736863d3a03

SHA512
ee946ab365aa62240f79fb56915e82cd279a73984e54b7b4da74a9368837072aab06722d7d8f96c4f6e3cb920da634474f6f8d49ad8e34fda20f1f91f7e5f063

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0d2b08201d472d2b088080416298bfcf

SHA1
52b0eba7ba2da64a4ba9eca580cd4918a8640cb5

SHA256
fbb8e9e5cab158c7094e4d5651218688f6fd1bd77a7f6a801fe68f14e07f91c1

SHA512
86b0785a3d91b76d4f30f13d7fa3ba87e1120c12f32bfbb327767f86d3c660613c237f9a729b48edc98cb450862bc9b819e9c8e61aa5fb15b15fc03b4a85b004

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fc58e969d14b60e162f16f105fae6082

SHA1
b9b0cb9caca2ad07c3f4294645384f5c342a72cb

SHA256
c4d83a276af676c5f61281335288afedada17ee4031b83f2f107646fc8cbc64e

SHA512
e0d76b24680ceeba288df80d94dc784e66cdce5750bf7131fc61bd9b607b4f4f0602ebb819398806ef932ef2c836765d250ae8ffb593dfbefae1b3438000b6e8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
073701da69eba55c5ec4b45a04a73804

SHA1
788692d700ba217ed6244a0ed7c2ff8830b24611

SHA256
204f4f00753ab4fc94427f248fa8b5baf6e0b821b00b005d49b5c8b9338e94a0

SHA512
6be750931494e17dbac68ade90644366babcc58a24628f6e8c2a612fdcd10a3d22f20806a4298eaa0d963e943178b49776f036c8aa60b8351d6bb85cef595058

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f269b9ed91b8a03af5fc38a0271dbe04

SHA1
0fc3b271ff9846a7518c0d2c2cddc329e65d970c

SHA256
ed1f3a8c85550f5749bfbfe4da53e8759ad9e042593ee4c75da90a549debb351

SHA512
f54876c8ff76b6b6c037376776a9c60348e104095ee74172bf2a2a042e819babe2fd230bdc731b2cd5fb31e0bd35ca4832e1460ca1d2f61b086dee5e55c08fed

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cea0a1ed86409d686052d06eb4cbfd32

SHA1
d563fa6da5c2fe17aa3c14b5adfd6969e3fb6ad2

SHA256
a1ac76353913ad11f2bb4023f07dad3f7a4d4687357531bf7ed451cbb9f65247

SHA512
84787fcb9eeada1ebff6f35b18c23658b4b6fde180d76c4283061fab4280f68846627c16431c045c347d201fa83e3ae3cd53fca952f27fe855c6d3509f7868e5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
904530bc607e96ada8e4120ac7da3d45

SHA1
71a665e727f116a693fe4bdcee0c30fe4dc6af6b

SHA256
6e8ac6fce8a531c5864b9bbff5325ea16a25c18cfb2415745f8b1338b052ced5

SHA512
e9b46b7fb68de03207a6f45d2d0485ff1c8b253739c4d2867a573350968758ab1cf858ca02c47f780742beff61a3e02352a1654a835d48c6ef1ea684f432ecf1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8e782260ad4af6fbba6d11e9e77ae7c0

SHA1
6824ee9d2263581b14ed65576b872e232a315ba6

SHA256
442f3eebc741c6031b9365d44282dfefe2177b41a43432f986ae0f573ee4cf8c

SHA512
16c7554110fede318b3796a0232554a7296cc48fbdf23c4c51f46a3bc4ee256412a60c2cb2f472f371301566a6604f067267d06e94761342fb099b358bd72738

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7b7dd6bd18cad3618f03f057b983acaa

SHA1
7574123b193b9db31a0a9cd3eb6e5b1b28758858

SHA256
120729db18d38085e59cc426961408282738d68e86bcb5243d66a34bcae35a91

SHA512
7ad17f1254baf5b46840980b6a1ab6b4aafbabd6c8fab7121720f0b20e0ab06360bec77124b5e15193b0b6cff51c63faa0f6e4ff756c221fe7f4683d0621a0ca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ab2bee0edf4456c55ef5c5e36ce22a2b

SHA1
25bc1236d14ce9b6affe2e9ce99d91278725bc26

SHA256
04c3033e70c7fcdf8e69bc4e0c52edb4ee3bb0f3be569db87b3bb73ec28b6644

SHA512
014a24fb750d09c4b3475d6e3c36c5d0716ee9e09c92a96b36273d5defe635a193b9be016fe69f58e82319cbc1547053f9681fef6435a8e50d41929af87736c6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8fa509984a72ac710e5a38410394174c

SHA1
b8608a5f49509a84035ae882d409c1b992adb4e4

SHA256
ec6395b58559ae62c74e86c48f6ca8b04faad853813d74fbfd9fc75c295bf648

SHA512
81dfc2ba118e0a449a54a42da7b2ad2ad505ca4de8b078cb2c85dc4477234108d3d49fa1d049b2284c9d1ff034542660ff9f17e694c63e9881a95fffe32ac449

Download Submit
memory/396-632-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/396-425-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/468-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/468-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1552-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1552-254-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1552-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1584-380-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1584-267-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1804-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1804-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1920-343-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1920-625-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1952-289-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1952-392-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2428-56-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2428-58-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2428-236-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2428-50-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2428-60-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2744-424-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2744-302-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2876-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2876-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3084-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3084-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3084-35-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3084-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3084-34-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3224-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3224-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3508-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3508-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3864-1-0x00000000020C0000-0x0000000002127000-memory.dmp

Filesize
412KB

Download
memory/3864-24-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/3864-8-0x00000000020C0000-0x0000000002127000-memory.dmp

Filesize
412KB

Download
memory/3864-0-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/3952-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3952-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3952-618-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3964-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3964-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3964-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4136-619-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4136-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4280-355-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4280-626-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4432-64-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4432-237-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4432-70-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4432-72-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4608-231-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4608-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4608-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4608-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4616-295-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4616-404-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4732-244-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4732-242-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4732-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4732-354-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5048-599-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5048-326-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download