3073ba65e34420084bfbea9711114af6086b469d0586efd36e78df5d4d2a6cb0

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 09:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_8d06b3590ad1e85c025a64e44fea41ec_bkransomware_karagany.exe
Size

1.3MB
MD5

8d06b3590ad1e85c025a64e44fea41ec
SHA1

32cfe5c4df62c7d5407164442c5f40ec784606c4
SHA256

3073ba65e34420084bfbea9711114af6086b469d0586efd36e78df5d4d2a6cb0
SHA512

b115747dd528a77f0094624d25f246367444d75426588a967f24c36fa87030975307f6fafac8d9c4541377ddfce404db3887492949b024db86a7b16959dc361a
SSDEEP

12288:wvXk1rPMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:kk1wSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3648	alg.exe
4164	elevation_service.exe
2724	DiagnosticsHub.StandardCollector.Service.exe
3484	elevation_service.exe
1896	maintenanceservice.exe
3676	OSE.EXE
2412	fxssvc.exe
928	msdtc.exe
2912	PerceptionSimulationService.exe
2376	perfhost.exe
1788	locator.exe
4692	SensorDataService.exe
1476	snmptrap.exe
5096	spectrum.exe
1612	ssh-agent.exe
2060	TieringEngineService.exe
2120	AgentService.exe
116	vds.exe
4832	vssvc.exe
3608	wbengine.exe
2008	WmiApSrv.exe
3684	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-25_8d06b3590ad1e85c025a64e44fea41ec_bkransomware_karagany.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-25_8d06b3590ad1e85c025a64e44fea41ec_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-25_8d06b3590ad1e85c025a64e44fea41ec_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-25_8d06b3590ad1e85c025a64e44fea41ec_bkransomware_karagany.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ed967bc5c8648821.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be375005e3c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003bec2205e3c6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a613805e3c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000139a5205e3c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c4f0605e3c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4164	elevation_service.exe
4164	elevation_service.exe
4164	elevation_service.exe
4164	elevation_service.exe
4164	elevation_service.exe
4164	elevation_service.exe
4164	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2260	2024-06-25_8d06b3590ad1e85c025a64e44fea41ec_bkransomware_karagany.exe
Token: SeDebugPrivilege	3648	alg.exe
Token: SeDebugPrivilege	3648	alg.exe
Token: SeDebugPrivilege	3648	alg.exe
Token: SeTakeOwnershipPrivilege	4164	elevation_service.exe
Token: SeAuditPrivilege	2412	fxssvc.exe
Token: SeRestorePrivilege	2060	TieringEngineService.exe
Token: SeManageVolumePrivilege	2060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2120	AgentService.exe
Token: SeBackupPrivilege	4832	vssvc.exe
Token: SeRestorePrivilege	4832	vssvc.exe
Token: SeAuditPrivilege	4832	vssvc.exe
Token: SeBackupPrivilege	3608	wbengine.exe
Token: SeRestorePrivilege	3608	wbengine.exe
Token: SeSecurityPrivilege	3608	wbengine.exe
Token: 33	3684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeDebugPrivilege	4164	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 1444	3684	SearchIndexer.exe	113
PID 3684 wrote to memory of 1444	3684	SearchIndexer.exe	113
PID 3684 wrote to memory of 2256	3684	SearchIndexer.exe	114
PID 3684 wrote to memory of 2256	3684	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-25_8d06b3590ad1e85c025a64e44fea41ec_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_8d06b3590ad1e85c025a64e44fea41ec_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1896

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2456

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1444
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1876f89e3171b339f34408f95b62fd45

SHA1
dcfdd433fc0dbe37169541e09f4984aa4ac2f48b

SHA256
e6930376ccaafbf647df309c26a1605dbd47a551c67473c6e785f5f6b478863a

SHA512
9bc48241c3d8739672776ef7f7f07e2c3cfd16f2561207e5f88e01a0aa430516aa44b111a7717ab54aec213f8ad4cd10cd42b71628bd2e9c40df2d15fec8a1a5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
aee70ede4ebf68fab3fefa514daba34c

SHA1
9b817c90fb6b1c8b31a7615f7aacc4cf11186bed

SHA256
c1e0b90c4ab887c5ac7206e3f321b87b05ec81be8bfcb071a63a04a15db3883a

SHA512
9f86c645813205ce706829b18ca4857f5bd378540876a7f50addf53a5f00ab3497d0ae9d9230779284fa18c0fd09225392af52d724c773f1e3590d1c48dccd1e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
da25aeed39dd82db2f69aeff64a3fa4a

SHA1
7efd42374b92d2661bd81f75b5c1bb9daa25883c

SHA256
6cbb4864c8d4aa31091f2dc96f7ae3cfd6ecaadd1bdc99d880e0687b9dff58cd

SHA512
1b7b72b2d532ce7f920b6e12cbbaadd4405a78773777f5b88aa22355e6dfefc090dbd3a5dae1905bdb5b368fa5e06059c445435a9df294526892dbc4776174d9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
45c5436cd997b5371f04ae1540fb3557

SHA1
48ee88b6f939bc3f46e98eebb8f76eb098d6c5ac

SHA256
9b0ac40d3aa74cdb3aeffc46faf5dd6a0ddc64b03f9c25ab7816a6640b5c8ee2

SHA512
7ebcda02918b76c8c5785b355b92d7e1c4056b92f653af01d21e133cffc85001565ee2dd42d012462840e777bdce9dfcf1fd287d7c599cdbcd875bd42c23b6fd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c08eebf2c29e6eac74b6b6f6b9db36e0

SHA1
abdf03ca967b8f29a1c8784bd3b8f08f935fff4a

SHA256
a866327ac46640c4530ff10f13cba86cb63e1f59f2936bf1a68bdb5f58d3ad0a

SHA512
fbd641303ff52694911e2a333ad6b4d2f413e628a00be4ecb52231fdb1f1109ed77d9841d50443c004ece0ec9dfd6f71321dc695258be997e8db0a1e2ace6815

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
fe3b32c8e30d5ed7e9a32aca18168afa

SHA1
1c1c0c6b08340ad13a572a58456bb91b05816738

SHA256
08c7c3f7bae880ba6aa7fa1c66007b855096efd7db97e2f377505450a9eb8c8a

SHA512
5e05640061bf6994b4d7fec312cf9f0cb9af371d202cd73e43e96852ea5383b9685bac98f80fc4cb621da7bb7313ff424dc9c650c478aadca13b3031d15f0656

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6332f4c4757b35618c0d8e85b0e39fcc

SHA1
1a2c9d46ea3f909629491f4dcf5035f1a6a64673

SHA256
ca1c9839124b1cfa57755d4d25a1f8bbe76f096d0b6cad7a9c8bce3968db493e

SHA512
913e4c410b5ac43d1134e13814b7efddfd9c3f7f7071561f876bb92f4912acd8f857b56d2a451b65d03ec93a4cea01f03037d65345fb20685e07f70d03e7098e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a7079bffe84f7b7ba406c9c4f7564faf

SHA1
58ae9fcdba12392107f45c90025980f7bc833913

SHA256
2ccf3f6a32720d9d9f6ebc012d29d400876cdf6b0651e998505e555df345560e

SHA512
bdc5441f23abaef31592cd40f82d07a39e4a4724c36b89b303ffcbec33393d3e12733380ff249b34a369508259a8cf18fa1b3908d662b9ba7d6fcf8c8d853965

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9831279291c27ca29af7fef1c103efb6

SHA1
07da35d52d49373041b87762c8f5b4d9fd48bd75

SHA256
28f27b1f48f3d957b2f649d4581ba443658e1a55ab73876814d5a655ccb68b81

SHA512
502e68519341bcc58cce3d40cdb481d97f532f84f6e41ac4fd22b3ad0c369f36c0610f5e31ae4bd87c72cfa660c50d58fdaac1b19fc253982eb018e87d3c221d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
28c093af8f57af3eab7e0f6ed665f39a

SHA1
0db426e397a0b3dceaa356be2e733a692737da74

SHA256
bc631641e0c0441ecf7703fa11351d3a867363c56716b435ec479f0be339a619

SHA512
1899c92e739310594419567434db05cb6c0d37ff755358674cc0e3728ca3ed49a989d9dfd2bede2e5628ed4bde18c678c2dde2e9dd517b0c4c92950db57bc661

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
20f7b85382e62d4c48d4325acf95df9d

SHA1
2949970aa5545f1d944e522ae3068e77246d552a

SHA256
1a901e22e3f826e373920a497d7ea3cd3f03588533f56dffc7e3d74dc9f0a9ca

SHA512
74f1fd2cb93f42b3796268722348afb45f74ca4e60781abfa70591fcd6bd83ebfeb4b92b92f689641bf5f5b6d5f7719aa634aadd7161820c980f2e6871de4d74

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8c1a3afcd5cdc16d09e1a9148cdf5eb3

SHA1
52dbb255fc8a3feea2d4c5593bd40fb089677d4a

SHA256
be394ef8e7f2c8afdaa678af293e5d752417524383d3e7ba40d35cf1c30eabc2

SHA512
6ee38b0e822d12f8eca788e997728d8b5e192fc0b35df13f9b503e1fc90d1d2fe9642467cf726968ad7ae256036d1c55382c9209ff435448b0843c6acfb01329

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f8c482afc27c8354a037237ca49b1f72

SHA1
9340aadeb53fe3450cd48e8e58ddbeca25b8987a

SHA256
5df4d6d68a527bab72e6eddd30b744b5a0b3b51537451d912c7b35a6cb80c7c7

SHA512
a1d2c725af787aa8fd4c4ebceaab107e26ce33889eccf4cc4d4e22b6f9c26f55808e2cfe5f7f02ae42bb8440ce2f0e4471833298fa556f7595afd198e53a9e97

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
e6f94f708c9454dedac402ab9e934301

SHA1
971101a9e01bcf25ebdb39c49dc0a37a0533340f

SHA256
0c6b9de289d461a6515a220ddcd508b15557c200f343064e08e4992c02aaa74e

SHA512
32a767f3dea56e43a2a7a7a627ff63e79390bf0f39a8cb98e44abde0a27730d71b012c2d3d6d933f4105ebd52c5464188b38bf759c44be363c76a583f8a9f941

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ab48afb66efd995e862feea0eb997703

SHA1
080c3e97f38d018e0ee17857488cebbd4b46f616

SHA256
a98fd1c3d95339cd4f3b91afc3dc7135dd140e8d854df8b4966fcd81692661f1

SHA512
063b5796e6eb7eb862889f482be04c12e9cc3c62e5056ecfacad550329f4b3f2b2f67aa63f00be8932d60baeb5711960b5b043d05f483560c1f74d07e91f92fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a6bb5f0d2aed81302e654e2bf72355d8

SHA1
473f53cf5077891d6d5cde870e3aeb91be3e00ac

SHA256
de740374e89b52fa84e4d1c80389b44d53281b7ddcba7f2f88918e4d446e65b9

SHA512
3541868cccb9b4a3d115c595347afdc1f413351497314d98d499439b16b63a667ef90be5a6c15f428256a62f2f5eb9aff174cc1e6f83ed739f29018d8bf5c927

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d958ea89dcfc2198a3e8254e7188e869

SHA1
4e3c0c8126e71e588e89de5c518532f556859b0b

SHA256
d37c998a308ffd2ffc881b46a4318df9ae88b3c2b88c2b4c7c81ad08fd57c1c1

SHA512
026004263183aa1a16383df312ebb59af3b634591e99ee3bedfac814025409a48a7b34cae20bf2798df691cc881ff68d4985eed27266a27bc993c29308aa7023

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d8fc02212fd84dc3efbdef5268bc75a3

SHA1
8894edc6fb92847939f09475ee849927ddc00ac1

SHA256
f999c3534a7f315d7d0fb7017e16b7521f5fc1348a1b8c670e54702814305f3f

SHA512
f635e05ac9d988c8b8bd86ee7815d1db933122d4e8048ada94ce45fdbf67016509b6246e463221c46c35ef2c3bca71b797271968de01cabcc3668ecaa09c66fa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ad08dca41711dcfffa70dfef06b7a182

SHA1
4ead5e459cd17bce754c6ab39f6dc499e3be85e3

SHA256
9046999c3b8431c33ee71bafadba1c985082c98587c2742fc4e4aafbc47c9e0c

SHA512
09f21bc56d1572f5eee5747db303883d2ffd9b2e5cbeaef600f7477629c4dd2fc93848554ffdcb7a017d6cc29d02393d7a0685be734a5e65ac81a6ca954afbb3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
490489bb3351e7ee41cc298aa4c3ad77

SHA1
691445f2f0ac4fd9e1afa8095047a6f9d6db12fe

SHA256
32edf51ac8c235ad2abd5bc0a8969866b3b1d7f7fcac494ea4718bcbf758cb0e

SHA512
60a6746362f3755c941012bf3ee232ca9461d3ad2850f142cdad01440811bb79f5b2d311ce3b3301cd47678c5f33890e24cb5893341f4ccc9ae687f72635bf2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
79c3a2855926e1de973de884efe68ae4

SHA1
93281ff874cc59f099692dd907c006b9bc915f88

SHA256
49befcf1e37d652d11401c93fe2fd8214a2c10019b571e04833b9113fece5282

SHA512
59d3132d7b93ca2726efc2fb82331d10f34d8e99c2e3ffed77d9dcc998e69b59bd266396539b8393f64fdd9f3950d34d875cd53947bd23a58a64c8289116f4cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f4c25bb9cc63c74035e4192bee55c6c8

SHA1
f58b404ad6d5356d23550170860cc3f3859c7e33

SHA256
fd554c54b940460c8085070da2c2efc3da11918dd4e43c0fc9ef83ae1b2d56f0

SHA512
11f695c6c13630d6a1d052fe1b56e8e19f98b59f31ad74573e6001f09e1bcd43cd9605997519f0432cc1e50b22d4b291acb9befb187859c33d145cca16b2e28c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a06eb3b198b2f296eea863ba828c5b1d

SHA1
51676ce86ef9f6d1432685eb609e10ceddeb4488

SHA256
44bce434a06cd56cf35a6364aefe51b7b1d07577f98d373a333a8364b55434a9

SHA512
4940887b5dcd42b3dda9ea15f4e6366ccbbcf3399285ffdd0905065b8846b13eabff80a54c6722ee0491d31adac917bb61d6f397de1e0b7ad74e1eef26ba7c38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ebea9b73fafd2486370f17edc93e3413

SHA1
0d7e16e9206b9fb5368835e219729f733cbaf38f

SHA256
c4720472d4650eb03b655f34fb159e232d36feacaafc0c6c260e86b4e01653eb

SHA512
8d03c427403ca20d5a8a46c686896ffa29129ced21e09b47bd14a2adb1b73c828695e6983e9ad5221ac6fc6d51fd5e9efc9d2166197b9b14bc9c7905127dc2cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
90d8849949e6f30cafeb11765ce78eb8

SHA1
9a1dfb593d1439f5ff3d6f8ab90b65b4a00afcea

SHA256
be3e632dab4551a4d0fe103379104777d383ce19d8dd3b8e7811620baac28cd7

SHA512
18ba69d092dd1ed78557da632b2db210ff47c99723c69b19e438130129674c079e879c2dd286b4d4cb5ff5360761e6864f5d6dc35c66acba9b07cc6c5b4c61fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2c669e9998a3b8808039a7d950109c8f

SHA1
e05f37464750da268831019ded2b10138ae2dc3a

SHA256
9b7ee21cadfabe466713636178fae986439e9d5a11564941333e12c8fc924b17

SHA512
3bd47765e0f8fa43eb6b774a2fb1b7795bc6b1f64abccbbfadce294b52f399aa0cffa5347b0c5018b0962019e71b9590a13a431595e56df040d220e0fbe4bb18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
318e10c3509482ba8f3021c0aadb97e6

SHA1
0f7e187b8ec4e12f58451e67c7ceafd53ce9cad6

SHA256
51448a88506a981a6b6a00374d3be73ca1d3d78210d68f505a8d55978a27d29a

SHA512
c74c9f66e9942cdc71218511e0c3504b4bb637743fa6eebb8f6d14e746b6990a8b02cafd11ffcb9e51b66ba1c4713e1a73af7cda1b76f28f633c1587fde5801c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
b9dee878b53597c0f4cd9bf581890d0e

SHA1
378e619e85d83a003eac3da78066f42d8a20f0cf

SHA256
79ffca38d33e986aa045354981ba33137fb5b5aa0194097e47a1081ffb74069f

SHA512
b2fc446bd259de5c28797c56eb4c4e58aa071a908091e45eb4a3430af0af816fd8560a2f2f30d72afcb4a3c0f5208589c6e49259241e7aae6676b899e6289cee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
0c88e0cb176bddf6aeb1ea6f42d03f5e

SHA1
c77a5b6be8b5fffbd1890ba2c1dc71c9c84b0beb

SHA256
df0b0c2cd07680ae7067cbb8bb90c1d20df12f9b88270340194b5373a2150409

SHA512
a6e073e812ec135cc2faf1eb3310dba310281d34d6711825999dfbb74893eb5125885ab97bfd43e947edd5b662232a826ecf89eb49f9928205291e9d2b8e4e41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
db5e6e6f0e0cba9d518ee1d5028cd68a

SHA1
f8c8f79d406ebbf195269b9c5e18325e5ea835fc

SHA256
1f5d4daacaede01c93bdbd877691337aac7246b5d741dca9a97f4386fb4ac04c

SHA512
72762ae8580b8514593c5c739f115eb7dde571f37b2e5e4e3afe5c75545fa64ce77559f942f7461ff6c47052a598f54a84df24781dfb99f1f821ae4749199ecb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
12fd3aaed1e771e518e55062fde20493

SHA1
492f259c1bb1a571899f812845c50eaeb00815e7

SHA256
39a4809667c9fa07aef7e5d2757bdc08aeac7f1bdf600472aeed81ebac31f803

SHA512
e40863a293fc387e3bde737ad60333b221ac006d0a87542bba2875ceb9826da5c3535ece9b75fb39df5cc38ac3a4fcd04799a99c8c9a95baa6b7b54d9be27632

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
05bcd9814287b28f51ea41182dea26e4

SHA1
3df4fa57a6865cde5e9f2b46f48fb852e3813e95

SHA256
81f708cfc192159de86fede170478316f197c483cbc47a8f03cfc40d8eec7bba

SHA512
2d176d60951fe4877315cd1848e58449388e7bfbc29192595170fc6a2b4fbcdbe38a728f90ab070697ab2ed957e0983dbd62fac29d8d320c61bc6b1a499e7035

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
10ba4de6bb5a928b170d29d5bc49fa4c

SHA1
e17eda118453f5f397c313687a9cc2d40c1cfbbc

SHA256
da89d342c381df82690b00f5fef4e26041040428696a1ab11438889fc570c950

SHA512
a5bc3dc61d96629c4914bd85e389bd920bebe8770eb051a986ef08f16902292ec6e749c1b26a150607f6ffec18f52efd4346a0352196dbe4d0610201c64386db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
21f01f15d95f422c7a5d390375c3ce3e

SHA1
57945658fbf4f2b2e1fdb553185aa2096289e2cd

SHA256
81a30bbdcc03d011bb752ce2e0db99f9befc963abffb8a37be2404c187830039

SHA512
0e0003099eb9de49d19fc83ab7dd9d9144ddca195b6672b4be4f45b1733c6d3549eb4c5dfeee2ae8b4f5ef6006959adbe1fc58c3502e8893ee86e84e5e18e6d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
7508a4df57dd5ec9772a9db98d0b38c5

SHA1
ee3d131a95ec0a175a38c69e8e1e01274ff40e45

SHA256
c55180a05867db566b215139633f488f233f162a2b0534cd21d84ee10287179f

SHA512
541bac40f18246b777c8d717724f9b48d430897797a10c8201c34304c40cf3ed4feef024dcb2b2cd2f3b8030b489bb47b5fb1b8f1b282dd88fbb0801facc4584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
fdd11fd12ce97b2a13ea86a212da7b68

SHA1
c75249f65e30758802ef6db544c2a893dd417ac4

SHA256
ddbd1a08d0056a00255377b363c2d19663837ced4d33ae97bd4a7002eed1c6c3

SHA512
8c0149c0db4fcdffd28b63b28918de53bc5ac8f7cd793a7f265aa747fdba03591ef6c83a6b44c160884829e5cbd2af72dbb9e1697f5557f8152851caa1b0b185

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
48bd4a32e42c4d5752d4f06e2f9ee4b8

SHA1
16765a902ace9a14b23073fb872d90d689643a93

SHA256
6071d83e386b3afbd44c52880548ee09fd11dec4a898f5b0dd8dab47b6170072

SHA512
3ed8e1098c83480a141d6726b705306bc784d16dc8df98d7584fc261cf0893b58120f42c2bd09c5af9a1b0e039bffdc08befa8a7378f24c8b406ca93aa52fd38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
d35cbe56879885b1428751ba9ccf958c

SHA1
8a8f34bb07b3696c501f9165797347cee9307bb0

SHA256
c5ac6fefcc1213000406265236c4856e43d41fb43d47e2da1fee9c73d0ef4417

SHA512
4dcd3bdd400e4e3b85d01b8454656c0edcfbfa44b537d054d62976f4b2a5f271aa8b86ca42104cc853427f6bf5871a51a97c6c4f219003ee2dc9823e0cbf20dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
2ea2805f322908b54521fa1ba396f09f

SHA1
209f8ae84ae77c98e887e2708d5897704c825436

SHA256
ebcaebee698f526d2d2997e1278e0b279f72b0732d7648116782aa81b21c208c

SHA512
ef241f73f8dc9d4e2ccbb345492f83dd5bdcdeb766d0539dd4bcae57b30a35f2687425bd2164f41cb78de6a967db1e83aa91264cf2824ecb4504be44899803b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
044d9251cf34f2fdbb665720046a78d8

SHA1
ba1fb3fe3c1857c15a65bf666f936c984f80f7d2

SHA256
eb885ccf2140851e067bd0155e3f6a5e57dbb01bd61888535fdb46912a271eca

SHA512
0d3b52fae17d9206d39229f973bcdcf4888c582530056b4d91428b410f07c728beef40817fd69eeefe736dad18f25eda108855d01b58d2a51082b12c681382a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
57cd808bc5029f66259a68f1f19f0d6d

SHA1
642bc8ea12005f1f9b2ddcd0a9e056163673100a

SHA256
3d73cb13de4a0491ea0b98ce6ef89cff80b1ca3fa43a8e5dca5303df49d66ea4

SHA512
c3abc4083c24ac792a8ff84b952629bbf64432577733aa88cc71cb3b2c51a36eb5f38af1689edd0e94e6969ab88e6c44a95c086bae24ac82b092a8d471067a76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
a3ae2098f8d056065d77d49fa80c7079

SHA1
7676e44433624dd135635013e4b5ba25805acc55

SHA256
89f08e4b6a8a912d27f6d8ce368248729df4c7eccdcbc1e419fc8f56a2a9249b

SHA512
a2204cdc1f3591852903b999c6b75828c0fc4ab6169c51452f046c4a19da9e8744d441be9b248c7b081c55ac93c21e1cc4abadabd39358ae8e645cb5bde66684

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
ebb2534e8a9c5bd9a1f6454dace3d689

SHA1
db59b0e33de76e81f85d2e1d68857c3122ed8dff

SHA256
e939c037bf74b39f33b0a4561df362b2f23edca4b21b6a81d598c47ef17db3aa

SHA512
53d09352f64013329eee8bccba02dbb2cefed59412c56d0444dc38878ab03060ccef5a1c38780064443a54703b91f98aa5b3e2514c84a88308c68eac74eb6ef8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
34c3681dbfc5a1f634798155560efc4c

SHA1
264271e4d84ac08761b49c24911df59b8048b864

SHA256
99b9e8ad00a9af5d5b301be5db26641b1d8e7d9081b9b6648a9a6d22b85ec289

SHA512
449c50a549e13aa72dade50ef2684500ff3644f80c98968346fb4d4e31ea947388f250c45fd860d45b903c9281694d01ee64ed06883e390b59aecd05f29ee8cc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3e1aa1bd52f1d074379b9d98cdb7d993

SHA1
b34cf91771614790609c8c21f2f54ab6edd6f495

SHA256
1517477b75803a5440bdb19c895f478c2161dbc3be9d1a52cff282bdc1b3ebf3

SHA512
f922fb39d71f5a0f11b94aeb6cdf545bde8bb2992df215cc1e7e41b48b83fd8211217f2c0984b1a3ebdae8bedfd540e5cab82fb846dac6ef00a79c8252ecda2f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
847d1d0896a72ed1ccf5d4fc561f5fda

SHA1
156a43750481c6887800f60f633d9c223bf95acc

SHA256
09a81c52cfeaf1ef86d6cc5c13a15ace19e315f312341e356cc1dd5bcd518f69

SHA512
1eb3bce31fd527d0ca7c075a458e886f224ab69acb5ca5ab44bb51dcd8770c49f1b827ff91ea42b28ba72326adeddc30dd76fab2efd40ec5a6923b3ee93cd0ea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f0aa3781a6a020bfe6aa2b02c8027d28

SHA1
a516ac5f82db591a5c6dd68b4a621703d4b73443

SHA256
017fd555d718844f1b81a59083f6cc8e6d27370fa0de773027e65264dce1a366

SHA512
02dae48444e086214226f42761b3dccd3ffe3db6b09cc96f30a2e4ba6252a7d165c2301bc123d2fb81cbad488242fbc2eaaec626c6c2aefbac012c2eed4bddd0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5d653a82e1558f16501f31b8e163c4eb

SHA1
b761b5e790d1f7dcba436c105390ec0217d7ba0a

SHA256
eea8e5d5146771f3d728c06508187647d2d5a39ebbf912aec5a31859e3f2da8d

SHA512
639d52a2976f7ff577b607ea162ce0a237504e4b65a3bb1926f924961d6888dbffb904f982ac6ea8961fdb9fab29dcc8841559c77246e6348a3d923e6562ee2c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6416c42f977c2196133428413866a44a

SHA1
6cda5baeb3777ad20071291f96b5a68a7d51b8a8

SHA256
186aaf793a67c6abb9fc85835fb96203aa9225f3cb223785d58c529d8cbac83a

SHA512
81ff42a17a0a70aded3bcdd261a96478af58a1d5b34dd3a9429b04ea536730a5845bdd97895a4afd411cf5c1309f96446122d123f2c0a049c132a15a25a8db84

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
2b29e684616d9eb33a0b72e3133926b8

SHA1
596404ebbe84ed154a807c31f7c23d4034a830de

SHA256
f6f9319ed91782cf0df3a2b1b427b3a812c70aed2012d5b020900ef685cf7363

SHA512
db00a8dfb52ecd6e15902aea94ca3f011c57d74bf4cfa8591de78e628ffe479fccf3e4b2e01482b887c8721988e1ba06090e93396e7d9466146f9a2945010aeb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5cf7c2813886a4d805aed9e841a6ad8f

SHA1
a52a4203194d41ee60e9b9d5f78d8eada3ec01d4

SHA256
43e719ae42a8cb8927fc44ccdad3532990d0eb3e2f1e7dffea3b060e5164d915

SHA512
d401ce060b8feae6d4dc11baed731e9934e390e936ab694c3d5fec833f14711ad36f2ab0225d43260f0b5386e6d870b401d125856974fe680f19c2d6cfc2b396

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
588814e57d74ed21a9528b84c201e12e

SHA1
85e26ea52f3c792f9fade076657b8e3bd82b8d4c

SHA256
8739444c462454be9c43e67d7e56bb2d31ffdbc492a63db888d6ade77ec1e39d

SHA512
83011028704c2aaa5556f7bc153bd1281656e61a9517928ebdbcec81414a101a7ca82bdd3168096d4d173701adac19ca7c02a44294124c176f0a63a001152ec0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
36b32804819a141c0aeb536b752e09e6

SHA1
b74e9a84f2215b2c6cbfe178acb4c9c9eb9b479f

SHA256
ceb93fb78af87650e41a44a7e23006e1079197d0fbe13ab7c60bb6292342349f

SHA512
9dd32280cd8b49da9d2e685cf28b9d2075844ae0260856b74548946c80d6bf0948801d61afd81f99476b2d39331dd019b2f30d5ae8e05d7c00addc18012e47bd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b7e09500f36ff1e1e6cc2db3e4e7637b

SHA1
7aa8271eb3b98afe2423d34ab7029f972f53ebf0

SHA256
99581d2b81fc1c54de2389c03ace7bf737e3032bc20df3f3af4133034ec08488

SHA512
09a52477289b3630e02a5fca00cc85be2afcae90079b14c4617eed3a9c71824e7297b6156f0ed2d7b4c41954f6902416150061301f75ad72999ba096ae90f197

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7e34d7f9a5ee2d4947e79a6e6c7deea7

SHA1
f8f156dffdd718d23c0514eceeb78975b30eee14

SHA256
06abde03830ce59ff30c68e52d563ed3e19d06f9d8aa154155352da4d6765705

SHA512
905962859aefac90264f1525f1598ba36776d140f17bb9cec9d6395114add9c5c39ce4f2396e3cbb746ac7c13c778175091392a596e8fea3380474e6815058ce

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
bcdf79a047db245a96fa2398cdf22bec

SHA1
f5784aa5434b04a2754b90307e5deba31e995270

SHA256
c0e3900f19beba9192546a9906a184f2f3b45bac12e45369c5fbc46316313be4

SHA512
eb75cf0eeb5e7a3e15a1d95f1b0e71783a0c35d12a9aab25907d8adef348a44b954dbad89504da315d93bc2e5987dea25be27c4c20ef63a214c4706d9e58acb4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7986cd7e010fdc22219efaa2c9642c87

SHA1
159d0473ecfab9be058e924f68eee328f0de700c

SHA256
679c198ccdff667d3259d83eda65c38c61972a3050b5a1421ef10118ba4a9004

SHA512
7488290f215532216d90fc18981013f5280f9a507ef0d673c3aa8ceaad0a8391764e0a85c6e68a9afb6ab7609bc04f6566ab5daef8c1d185955a0f3bb7ec8c7b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cfa5bdc335715a0684ea9bfc6c726952

SHA1
c5b1c303aca528b8c28fb5546eb819260101acf3

SHA256
e41d9a25ccdc1bb9761867ee813aacd6bec84b2db32ad0e75eacc694e2941b1b

SHA512
da0a6ac2cb3e6fa7f2040bc2f584d225ceb5195090779fa9cf3f66f0084c4236e02895224848e829fd4486bdba1d195db721e9a40b4e427d50e1cfdcabea9535

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
549f8f232edc93fa57f9ebd89a550b04

SHA1
7fa1a75cf3bf36b635d053d05ba25323d719be74

SHA256
bd65c498367807aa0571d66233cdf4c3ed875de441c74a93a412d788930f55f1

SHA512
cf258c1af21d941468e170776e8f21fc5180902376d5ebc6df3005b33584017034a5a1a422521ff336c90aa9f3aa11e824afd5156bb46cb47337db5103621bf6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
7d850d2b17470f1d1a34b91e880432eb

SHA1
381b647a9c1c707ee2a16f171568c2beeb5bf0ae

SHA256
75359752cefabb8b1be67fbf40a2b5b6b7945f6af9cfb55b44839915a8d2fcba

SHA512
d92e82adf62981eab2f25da8e32785939f2d9f3fb2f1d4c029ae182d0c5a85fbd8be795daf3804121950012d8268c5833e684331b9634cf7b3f96b2c0894e40e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ca2dc50ced959588ad84743cad9841d1

SHA1
2945c7a03d833ff717f122ac67eb19be654ee2b9

SHA256
f05b58df9122ad9c6383950f8a1b995e7dff15115ef7c9790cef59f666eebcc2

SHA512
4865481f58f24f2f924efebca58ff2242af21873d38f7510b6eaa2bde5cd4099103f55bfc91a8488139bf0d796f6616f50349e5e18f5093efce07ab77e216123

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
92f6da18aef4ee8e1787564c8d423b11

SHA1
d12424624b88e7c9bf770f0dbfc66651f8c70d08

SHA256
eea8d216509fcf73692b40a25d54aba840d3f6a0c976adbe0efc3493e51633b7

SHA512
af8cf69428f940705936616b0a977c5749abea85c4884bfa2d22347085276fc47967016f396dec73fa7e77437a68808e182c92a70c701c93b14eafece0a3da0e

Download Submit
memory/116-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/116-699-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/928-388-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/928-270-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1476-337-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1476-625-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1612-694-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1612-352-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1788-306-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1788-424-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1896-74-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1896-72-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1896-76-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1896-64-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1896-70-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2008-431-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2008-703-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2060-369-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2060-696-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2120-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2120-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2260-1-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/2260-0-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2260-28-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2260-6-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/2376-296-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2376-412-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2412-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2412-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2412-256-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2724-48-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2724-49-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2724-39-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2912-400-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2912-290-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3484-60-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3484-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3484-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3484-250-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3608-421-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3608-702-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3648-246-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3648-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3648-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3648-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3676-79-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3676-80-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3676-87-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3676-251-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3684-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3684-705-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-31-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4164-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4164-249-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4164-37-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4692-691-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4832-700-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4832-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5096-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5096-688-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download