fab3acebe7d20b6086c7305f297ac2dbe846b1917699ac9c3cc45c03dcafa336

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
Size

677KB
MD5

90727caa58d20a1ab87b22e697842dae
SHA1

eaab5775d75f50b58e07f55460848e9dbf05b99c
SHA256

fab3acebe7d20b6086c7305f297ac2dbe846b1917699ac9c3cc45c03dcafa336
SHA512

8299526c6752a43adfc19aff20008e2430c02735c4ee2cb9d2151ed17e0703bdd6c1092ac73480364e297f428b1841f45f9621c0837733feea39dea18583d2bb
SSDEEP

12288:rvXk1yWCIkeRlk7ugd1EOFcNW2f+zRIxzA0RJ4P3Zu/t4ZJ0FSlg6BdLET7bI/IE:Lk1yWHRlMugdD+JsRgZRJ4fM430Eg6nj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1060	alg.exe
4964	elevation_service.exe
4784	elevation_service.exe
3640	maintenanceservice.exe
1236	OSE.EXE
3624	DiagnosticsHub.StandardCollector.Service.exe
2180	fxssvc.exe
4224	msdtc.exe
4828	PerceptionSimulationService.exe
1792	perfhost.exe
336	locator.exe
2480	SensorDataService.exe
4648	snmptrap.exe
1912	spectrum.exe
2080	ssh-agent.exe
764	TieringEngineService.exe
3040	AgentService.exe
3656	vds.exe
4384	vssvc.exe
1276	wbengine.exe
3064	WmiApSrv.exe
2540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7324b49ec8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dce7194b2cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1e0a394b2cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027caed94b2cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001308ab94b2cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055098c94b2cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c587b94b2cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4964	elevation_service.exe
4964	elevation_service.exe
4964	elevation_service.exe
4964	elevation_service.exe
4964	elevation_service.exe
4964	elevation_service.exe
4964	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1576	2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
Token: SeDebugPrivilege	1060	alg.exe
Token: SeDebugPrivilege	1060	alg.exe
Token: SeDebugPrivilege	1060	alg.exe
Token: SeTakeOwnershipPrivilege	4964	elevation_service.exe
Token: SeAuditPrivilege	2180	fxssvc.exe
Token: SeRestorePrivilege	764	TieringEngineService.exe
Token: SeManageVolumePrivilege	764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3040	AgentService.exe
Token: SeBackupPrivilege	4384	vssvc.exe
Token: SeRestorePrivilege	4384	vssvc.exe
Token: SeAuditPrivilege	4384	vssvc.exe
Token: SeBackupPrivilege	1276	wbengine.exe
Token: SeRestorePrivilege	1276	wbengine.exe
Token: SeSecurityPrivilege	1276	wbengine.exe
Token: 33	2540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2540	SearchIndexer.exe
Token: SeDebugPrivilege	4964	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2716	2540	SearchIndexer.exe	115
PID 2540 wrote to memory of 2716	2540	SearchIndexer.exe	115
PID 2540 wrote to memory of 2216	2540	SearchIndexer.exe	116
PID 2540 wrote to memory of 2216	2540	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_90727caa58d20a1ab87b22e697842dae_bkransomware_karagany.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4784

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3640

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:748

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4224

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:336

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1912

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2328

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2716
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ae4f1119ea398df526c0577845a9f4ff

SHA1
c6af7416544c9dc97174c100f9ea494632b0c030

SHA256
1f6819780148f16cafbe862ff1c46930ac55cd389741ddfbbc68f84f22124500

SHA512
3ce3fc5c4bd84c4a59a9353be271782e3c6be8f81582654d46ac6d31a7ddec458d2bbf644083149ec8dc3b8f7e8a8da249520ec06c69401bcc453dae308bfc71

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
61272a3607c3b254e28b18a8fbef324b

SHA1
5f52ac1d759ad9256b34c1555d22327962aa77a5

SHA256
9afbde2d33ef98ad280f020358def8fe07ad719f0de6d38142fde7de91868b6a

SHA512
fa144e7f90ff214d947670431a06bc05388a9b5f65ab243f540f670a3b106cc76ad8b237116e6f2291f26eb0c589b48324d9547390d2cec46b63cc743ec0e8bf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7dd1e84c3af701ce0d50660d0a7599f6

SHA1
3db4043ab36ec11702da9b24bc27ebdda7787f37

SHA256
516fa385d2d71903da3caa3809bd193d0360d928acd0e8e25451a64f3d774a48

SHA512
ec12af7544b7d3d10f58733921f3880ff98ca0db4fd309649ab9abec752aa6ddbee90b62db2e6e05c0a6461bb3db09a126d067018921122f5ea35f5edf0b59b8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7c5228c5d68be1b40f5793cd7b6988c4

SHA1
2a76218a023d809f425fcb363aa4c1a78e03a809

SHA256
12e737f8ab86087431ac0a23952db068562011ac41f35e98f03109a18f85cfba

SHA512
26a0f4935e94d88a7034c6f68b85e5746fbd02b8fd61ff447c4780564017ef811d2b559740f5d7d533dc0b4417ef6abc03c052066fdb08fca7189579c33e06a7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2bd5a6302cfa32e5da6330da35384846

SHA1
e170081a6a26bab88ba6a6f3288e6ea73d8c97db

SHA256
dd9ecfaec42cd72099b63f12227d37c247a64a26902e7418beb92b002f093074

SHA512
a56ca9a1578882d9bab61b480188ef4882ec7f8eec55ba66b20b54a48f8abf422614a773d4a98abddd3bb495abe8f0d06c5e18ab4f7862799c2b3646105ae195

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1a67d8bc9f352aef0d8d572bf3b89cc3

SHA1
d7381dda4e6af64ad486bd2ffb8a92f992c058cc

SHA256
0c747735248d80b6ca26cebc526fccb6e1d211a2d6787ea901ac17dcb6014a07

SHA512
30e70ff2212dda37b75f763f6cf388acf7d1aa1280aed11e164d60d973f3873b571b6df6944a123aeb265d0d87566af744662329cb88cbe25527d3b4cff6603d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6f96de3f468534468660bcb192f50521

SHA1
afc46675e3246209d63bfaf83ddfab01565e3eab

SHA256
3ac1aea06a196d27915ae5bb9e3ff2ce15c081774c0a818ed1425305c7912bd7

SHA512
2a8aafdb9a06da5c0b088248fb084dfb4592cde4245e9cdb819c8ca2069f4c91358177f0b304341807b59af39702b892509a3df22add71c80b03c6afcfb38a34

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ca3b9c07843d4994398a71806b9ecaf5

SHA1
7b950ced1ff431f470bb5281d15acd706d13131a

SHA256
af188641037f10f762b156aeb7c1a40f30ca2ef01feb942cdc4c82eb6acfb2a6

SHA512
6ca56cd34a438a1a87dc1e5cbf19b7a4692a41bd64dcf1bd501752d6d6962d8081f5cf725cfdb24593cd14a21a34750915612bf4790c79906ad1de76ab35b3cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c1f9df895cbf7ddeebda52ca8b775c41

SHA1
d5c5d857d15879973ada10028ae6c3e830bcbec4

SHA256
09c42a03d2f09b52884cd4541426365dc5a33ae4617463d737ef46e7edf83170

SHA512
3af0abd89bd33d8dcbe83142ee07f283c926bf407d13c6a251d301660eea061a255abd5294175f2e0c23bf7c3ee19ded393cc1aaae4f8d1f02577c4cc1d35b89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
46f781a740da9c8eb19ce393a2cb49c9

SHA1
db40522dfbd906853a52938b7d9c0ff7f38e12ba

SHA256
0e32a3f4f43c80ef05292e1ecfafcc5efc5766a3cd11f5fc48877f37639b8d5c

SHA512
de052759bd71ce74335c4a3bf15be4ddface5de1ad8075e5cdf118300f4f04ded1f5b965baf1798eeb1d2e3db821e13069f82968b01517d89dd0d02a6f9685c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
432657b5beeea3adf01b89fd2bc4bae3

SHA1
45af0aecc7342fb06c37ca00261a11e0319b2c15

SHA256
38508ca3acf3dfb36bdc57be4478d092efef23ee358dca53fb8ad1d3b9831985

SHA512
d8a548b3a43e462e8d96fd82693f7f55bf1adce3a91c4b08f532ee309b96d0ac7a5aaa245cd330570e3fe17a60218258e824aeaa8227675fab5c791c987db14c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2543606c231d28785bdc278f29a5af11

SHA1
721fac697c1ba4a733f10f8af7dcd696245cec49

SHA256
7998d74003c2403e36c6b6bc7cc2e26928e1967a6ad7bc98749850d02552bdb8

SHA512
f9794d0fd3fad462ac0aba18c80c1f5609d8d73e991f32f0f0c92791a58fadcaebcb7f84acf84d41fc119ad295f0fb95a637925e28bf17f627eb70f984698500

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8ab35b292a6a776f99ad2290d9d1265f

SHA1
7c700e8bdd2e36e431f261f2be7cb038cbf49fed

SHA256
4cfe14568494820ab0275c473f3076d6bed0440c9958d5607adc4bb517532b42

SHA512
ddaad7587fe88789b544b48ec7f857c37fb9c5c56f6690cf64a0086232b39ede1972eb592641de62cc5c0c0afdc770cc804b3fa37fbf3f07e0871d5359074a04

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
43ca302ba273d538ba55e515a8707ea0

SHA1
96add6bb060768934e6e7f2d217518f11df88b17

SHA256
9a2ba621492ae17b3d357d4bc798519fcfd3c1adc5da5fb9958680e7903814b5

SHA512
bbc46a6c49f5d87f3bc568e2f6bd2a87e8addf8b85c8b7f9c4fc753d3668f6e7f3431366d301bd54ccfb335d7b2093306598456fbe254f2578e964084ee23f7e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f931ee5459172e63598b4081f196a73d

SHA1
42e49e8c0031841be7b49e84a7e59639d5c7df75

SHA256
b7d9a018103a109618b0d00899aaddfe23b17e5c0d95c87542062d768172b519

SHA512
df14346c1d262dcdd26cad3e2aadb4cc9dcccf81429332fd570172d422b0fb17f0dc72d837330dd2ee2fd5eb9fd2560029260506c3cc7c95689f70a0ee71b95e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
41e365bcb23af2429b0286b396c6a08b

SHA1
ebf0207025f991783be994c53b006301819f66ac

SHA256
4bffeab79e72a6f14e127808da9ccdcc7c19a584c0137f755dd96f33174a1bc3

SHA512
c1dc704c76ba162d1e00af4cd2e911802eeafff6d042549c0f78e6a4bd28dbe26b131412d0af0d0f979af3f983f48966f777e07c502be8cdce7f4e6c4029bfa1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
50fef864a835064e093bf3b8b32cd2c4

SHA1
1f09798ef4898ee11682a61debdda954cc0fd605

SHA256
cc1c2655f202c75fad0e767a4404491d3ecb1a64d07e48ef3d59c38176677d12

SHA512
a217b0c6ea39e6f7f23a2aa48776df5ccf5a3bf40277c71090834dd0a98c24cd35a873706846d86a53130b9910924ba10a34f7070dd209c29fae7cb69ef53d58

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
98636c59d39cde5e5431e84ab46051c3

SHA1
330c5211bec470292ef4f7f268678bc19442357b

SHA256
7e8184d65678f96247288d2dd0e275ea3e00ee6af3b3842f4f34bd6f3bdc4ad8

SHA512
d8d0073f8f9c9a4f7b488216b283ec6d73f6a553767da17bf534176c78617f58de0e64d94d0b60b20e8506efc9d121dfc58419a358cc7adb191a4448aaefb667

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
174f30c7523b86272612380adf8f22e3

SHA1
86e811b8302f6e47dffa367151c8f068abebd54f

SHA256
1eca5cafe7da600451797fa23259b7552c7fe29155e52130121e28556e90f224

SHA512
802e4747930d106cf38683597a837f64c30551bd44786b496c49b478ffde43affbcb30785b5fe2bf2d2be6a3aede8ea0bcdca737bd15acef03c886bf418d1f1d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3e461a4a1c141076f82e4d4ed30dd9f3

SHA1
cab56e4da4140833ee97783b1d9d09b57d709068

SHA256
6b77f8d840f078292652dfa513dc2636b450435d7021ca14d774a7e32807b0c6

SHA512
ed30fca7b3087c414ba8cdef6a383dcc74f9e114d31f4039648570057c83b0d909ec0720d32b03ec9dc7f1a53cc7bf0a5660fcb56382ce5c540de7867fb2fa31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
956dc2b87dfa07b34c360ceddc66ad2b

SHA1
59f6246ae492b466b9c3041cbce03ae10e2428f1

SHA256
ce25b3f5677460122f997475d2c3ab19dfffb67217380d0089dab24e97304bca

SHA512
802cc3bfcf87644a14249e6db5a9218106627652700fa7c15dcc3371f4c872209f51e1f0bdcf629ccc009ef37db1d3fd9878357eb36ba22f04528e45d41b495e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f7b5a7e4ff665a02088cf606fe62342b

SHA1
b8c8877b78f58e01c2460cad0b4b995a992a7c37

SHA256
4c9e00e8601d313578a626efc9d1391fb576b58e218f79b67caa1c06f29e35b2

SHA512
06cccd196570d6de9906a934d7dd8c5bc5c218bfdcc3d99bfbba308f13aa445fa288f4924f9d8e472b47dc7402aa1366807e0edd26374b9366635535df70544d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a593c64e40b7ad6b9e0f76aa1427c87f

SHA1
527e349cc5a74d2c4955167001eadaf8359c31dc

SHA256
15253baa266ac65c3eef8e886c3202fcb30711dfdde0691588710a7ca32c592d

SHA512
a43639aa771501f9918a0de79917ca0a74f6e58b0218bfd1fdcb01b2f5ad90d3470dc0b31c41a7a02836d8ba9c19f46a17bbdcb456ff7bdc4100cdabb42f1c08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2c7d2e41238ceb2cdab031721cae4c56

SHA1
4af4f25da33add205727432a6309bd38989f1c28

SHA256
18f8f76142141fb0f5bf5e87d033610d9d52192e0061ce845e6f9f66080879a5

SHA512
93a971b927a3b378b8300bee67f8eb97e9448d5ee7d89062cead1bfe6444d60a451a82ca2256e7990b31b99a4cfe7e8baf9e8830c42cf89cad5c6c3ecb7856da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c9d25428bfad28a3bfaf6eba45d55347

SHA1
4aa98bce8145c2e9df33498775b5511986da503a

SHA256
b806d506edc9b2d9ef807a57b8a5a102d7739b3399af91f30dacf97418c28575

SHA512
99014e5e459fb4a4b1fef9e90ee1accf575134426a560dadee55e2acca07b8b03f53fed3e52829ada8b31ca027bb3eb1d4f819a564763c04515adb3a7a9b8d2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
beeca73145e7c54dbc935dcd64239de0

SHA1
4fca26ed5df3b8efc5c41a98fbb09969bf5ec278

SHA256
7a707e30670d2f396245ecfd013131ccaa3bf3308bb1baf8399a53ec3a19bc74

SHA512
c1c639f4c7307717acff1793bf075d0ddeed3b5280e5792ae94026e45091d1ac09647d4497cb242fc1b9866a7aac9fb5854f9d8cfced76f5686a5a6ab8cc7144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3575ce476cdbf73daff93b0367e9c6da

SHA1
69d929e3279eae6bc64db8e5bd4f76834830f322

SHA256
3c6ea52dd66f3032aa99b1387b0c3ee7da6fe84cb193a07886d2480a03babef5

SHA512
08f25ab78a605b2aa8de7ea5ca150d736beab1eaf0761e6e311f5cceab9cb8f39eac929246bb354569eb0d16da9376aa09a7ceac674cb61de8f6b2ef53984ba5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b458286a2d3f3ada071089143e1f8265

SHA1
ef36198132879ef5105318cf0961bbba33b095d0

SHA256
d67c0e2ae5b5ca56f1238438c239b8d8a0d25d36ec1847de17d6c22c504ea50e

SHA512
a5e33d8a9de56343a84edc58c05b3448c07afc3e1e1ce9e882492f976aa42c0327875bd9bc9582bf6af1ead68602842e5b04e7e446fe71effab7e7af24a1298e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
64ae2660866bb48d6c1c7944f78b2427

SHA1
8b303b78dadd7bbfd08bc585d81b5ad8e3c92b5f

SHA256
06009b684a6893731bf2529356d8df72bd7ea4c4381be663664b8165fae7e6ca

SHA512
549fb080466696a7799828376536ab394ba17c8b9ed391d43dc71e1735bef90ef822b4dde44c5948ee37f97dd3683b945e2b0fdf724f159fe64a97a6e3d8184e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f3f85e6ce90f6422f6dfc948d72676e6

SHA1
9aef5dbb921986167b2ce547c1bdab915ee36063

SHA256
3f6067e966e750c3dfe9355eb65528a5d135158f4a6c2348fbcefc2062eae4f5

SHA512
7aa584d9b637beda78c1a67b59ad4ca952abd74dcf348e56ed90afcc2c2409f3681f569f0fbd09993ea7a1f5a2370d2b2e44195c5d533ca8414d01ec34ebc61f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a1510a31b9852b6e32292ccc869192ce

SHA1
bb2f20d092116c791404078ef298f293fef8ce69

SHA256
dfb962f16bf12d37f9e2faa5f3edef75441848759aef87698e745eb87cfa9b77

SHA512
395290f35c96905db324a572b53dd27b5c83aaa55005b8970405b8193a64a64b089a93d410b563c2ba32f70cd81974e7378f2fdb876b2db28c92efc41a43b302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
41f9c8b864b62015172cfc1e4dea74ef

SHA1
cb2a202e315210b9a1a32c7c141a38ce2adcb737

SHA256
0103a2b9e45162ad7fcc2b50e4af18a653caee93e5748149ebcdcfda3a8fa718

SHA512
b84b08390147f285aaf627af5656da953a6caa6e30338fb4083416a44d825ede563c4b3b7f84096d762fbf4ddbc6855420c9bd2d7744f97d090a463210171524

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
18d164c22ad3cf05c4759df79bbd9d01

SHA1
cd25b7069cd8390b4f3f80fb93bfb35b7ab2f5f1

SHA256
caebbbc566a654b81e42849d16d2e4ff541b7d46638505c9c8e9e7a37c3056ca

SHA512
4c9da41b3177f605eb5ee5692504cb59c3601e7fadacdfe8815dedf1a43804ed48fd1ca4b61973d9143099d9a92f92ac65c1db8c9d28ddcb779cd20a8393edf6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4b9bcd4686ad46f42ff1f51e91f659e5

SHA1
b9329d0618e528988eb44ac78691452052fbd9d1

SHA256
ea08738ddad4a980741c15df1e249214f5179e87e79fe8b97acf050a0378dd64

SHA512
607a2bfd100fb3ca359a9cd6c6f23b5d7609f3ed169694e9d4c33288435be25b30b138e94c553f028d1776f3fb1df47d82cbfce9eb667e20c9bd46f96519b220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
254285aaae4e214b417041af5a3e9c8f

SHA1
c71c37d6c014f74a0db59c986e4718b50f086c36

SHA256
992cfeadedd55d2525c50b5955238eb3b183edf2297d63d84d124c18e1073d37

SHA512
4457ceba16b1f0d6df85fd83a6727dcfda1ad6a01c8cacba0306df4301978c171277bfd6bccc2e23cb12372fc4f057a8b10c1951a6079f27fb236762ecd54e8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
72b782706827ee042586035111c3838e

SHA1
93edecf6371e7b569d7a75fb5ec4a7146a522a6e

SHA256
ec5047a8169499fc5b8b6b1826a0be22f42a51474131a2bc4daf4c27548ae7f9

SHA512
033427d15c1b06d56f17d46f1178bb0a105bbff1e374d2c578c8e89d0253bdd6124526673febebadbabb0310f0f15019153ad53c3bbccf7f5a3f836648706026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
1a9b5a06d2e9b36db844a0add5db0d94

SHA1
9c81058b325cb1efaad55cd21cdc229766bf797c

SHA256
7707e76ef38c994e66bf7c30f016dc8759d6a8f4d0cbbe79d49fb691885df50e

SHA512
5e2f93f53a62b8bc263fd78d1615578b867202cd647b3e9cb2f7ee4c611d52a42c97ae76610799ae49b744429fbd920b33950908da1fa6629719f2fa551c7054

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
423f0f46bacef20d759695e85c71c577

SHA1
2bd255862c5192b47a07573e1f8c51e1a1f95314

SHA256
f256cc00d036b153735835985fb59bf7e9a43550ed00a82603a33ad60f75c6a4

SHA512
a0f1ec3483697d142dce77389116086e821440a22f24037b99ff1fee36e3a6f3a86c281cf1ea5a002692c6667faf741dd429e509b4f7ec34129a8c64b949601e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
3cb8e4e3ef6652e5cf898d701b886e2c

SHA1
ed35b6e40db595511b2b3c8345587b4aea4ed612

SHA256
57ad07434f15608491c5492c481f0e4af50a3c4cf323d36601c4f707bb8d94a1

SHA512
6556397c365c86f4cb011524eaa3b735499637c56798a3cc5478bb52f11120f48adc255e18f38bd6364dc20082558fb85f26d7ee129c6e824f4f5d4877293924

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
e32cd7498ae7daacaa4612375ff4c604

SHA1
390b7eca1eb01daf500efab92b3fb0365fdee8e9

SHA256
d2ddc42d7ebac8cf25704ce807bd48e9add0b3dc2f2215c6505105d54af666ff

SHA512
21b342d09fd82061419ea7e8f5a5015657c8a2512df554c4c11c7946585f3707a52c0541b624a78e3a2954042b4e80c9a4ee1a3d16a981d8248337b6660ad36a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
ef38ef01533cf530c3bd75cac1a0c671

SHA1
b6697e18b01e3828c42e6abcc248ac5e4c77dd8e

SHA256
0fd0f684748383d3fdc9f795b278b980196217736e365a406140c72272a03b0d

SHA512
0f2ffbca5b077c074f624cd725c8a2b94946a520d93c6d169a96636ace2aaa3955173034db11ea70f11b42c43691e3200bd464591bc0af45f00628620c0dede4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
70ae8e0c3a56fe439b5c49771fd63393

SHA1
dffdced999b21618e19b19c1f02bec1d4d07f694

SHA256
a1323443585538e2a9a7d07a9703d6f6813de3c009152890e9f6443f7d9763d7

SHA512
82cba034c7d1e6efc966abdd71af77c57b3024d83ddf77a3349e791df6e166771945c975bcde70e5e65e455042c66fb4411a541f5b63395220b96bd15ca656bf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d981092997c07da2c0d3505a8bdc2c40

SHA1
f1f26b89a9a7acfc1dab2374cffe465f37bf9e3b

SHA256
89c39bef1f55e260d7a1d803772fa393fe334d3588989bb7f77f2cb259f46832

SHA512
c7a1cb7554fc535932b298f4b5909eee99954a5839ac062e6cf05bf6a6aadb95bcc435a323e767dc9b2e18fc0abf83ce75166fc9ffcda7f055a9ecd1cdfc6967

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9f19ae455259e02a067c1aa10d2cbdd2

SHA1
7459dfea3fda6eebee920b1105b72516ac1363fb

SHA256
ae0f6584f167c946ad941c4d47f6cd2b9bdf5d24eeaee7e2546bbe075471989d

SHA512
61d541258fda5ebb376afa6430023f0dc3e821b48e6ead1c9c09371f49c604d569ac97fbeb5b5054ceeef9993e9e92d6695af286525d08f9315f517d055822ab

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
893cc8986154aa1b8e34f0a5ab08941a

SHA1
efe4ea34717ffb3b6127e778fab11b8821af93a6

SHA256
cc1dfa4757beaac263dbc66b6bce95ed6462e0fff1f9c273d905bc427dcaf743

SHA512
57b511c52917db31df62c4a6d32f9e171392054d0aa5dd9afd8df8c221890c26cc650efb499b9fa8c56986f40fce872c839c0391176ba832bcc4dda09d9b39b6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
afd634ae6528a5c0fe4d89a3976616b1

SHA1
b96e76628595bfc3da3c22c05ecb36aa9314cb4c

SHA256
9e69c5b38accbe610ab413ce66d978b53af2bcf6f6aa90de85a9dd91b37a732b

SHA512
4ec98de99cc97bcf9ac3cd8e74c2ec8110951ad904b9f534273738ee06497524fa48bd7d7aaa7f43267452d5dca83b965ce06c816c4f27d9f7999ec9fe99d7ef

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
89166540bc1ce05e738e2b445de36772

SHA1
0ef91af593249cd8c73f8b46e7dd66b8a10cfbf3

SHA256
d79110960efd88c2ba355cd458977518594e95a77e3d3d536d08e76e856e2010

SHA512
f7d857d110aecce6384d5ac4441c90a3e49e9068d50edd8f12ee9ec6988da7ec3c5dba6067e05c8fb22b53e57275b3d9671cb700d13f6f3b6c819f44b630b73a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7dc3e55ccdc27e3bb2b5be93e884f73f

SHA1
cf88dba73e2833c510aedec58b61eca375b96e1f

SHA256
87bdfadc02ee68e181420f005d110a59a4963d26c091cd729b01d2452c8134f2

SHA512
999ffdba70417cb5a442c0b268cc1ad8ee0b353bf77adbafcd08986e1d951256de95d3ffb10d2398e50b24595184832e5251b26f20115c31b5db0e56ee3b8300

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
438ed65e7d1bd971bc1bc574e71ab1d1

SHA1
834d9ca2557270eb2b61cf0f6d6bccf7669d12db

SHA256
2a58c9933cfc061b0446824ac898a69c0ab97d6f1b14f9783dea24250895807e

SHA512
b1623c5fdc833c3daa6a48c0a21348f60f3bc45e39ec572e220c7f6cda72209de0fb98c5bbcb56e21ea3f294c640f2f20111039b34bae67f279061dfde53cda3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5fb83d9b6c276222fa955defc9ff057b

SHA1
c72541d5abf194a2cbdc9597d2f51b20705a9424

SHA256
604d2c79252638cb11ac307c5bdfe721c0bea070e19c31e15da6c6f7fdf34848

SHA512
61d107cc11038ee54c33e1e7f217bf5aaaa0aaaf9bec6453209e1cf4ff6cd843e36eaf11de18781513d8360e5f6986a151994f836091953eee433679e64938f5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e19ffc5a2a355e97d91d2530ed5413b0

SHA1
290ac2c9e9897d8df15b6efd87b4650e55ec156b

SHA256
b97533ade4dc08fb0bbaa6026ee09a90cac179c2218d89b773d2516041ef2de0

SHA512
a54152b0aac685e7b3ab82787c15a3fc819c4e71ecf9d4f92fb99f0ccf1955e1200667158292962b6d2c9cec462bba21eafe960555f9ae2ad1002eef85b13b67

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5a9f174df2287a2c84235fe24cee6350

SHA1
ffce8119029a02703f4eb3e3aa400f4f1a870895

SHA256
6ccd0bada0c2390ad5c570a9ceb94487f493cc74977aa2d92237243144a90b80

SHA512
2b86a8d03794f3578302e3be8c25ec1ec487226bfedbbead9a4f270ef2b7621061a70e539d8ce6fd658ea1611ce91be2eb6d11d90c9ca959639d0578a19dfde0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
52cf6d47652e7be49a1aba1db7438feb

SHA1
f3b6ae239b78556ba9b2995dfbc9b729e74aa2b6

SHA256
2ab17de9dcfcb6453fc61db25f5e485eb6bf2431e5d5c2ec93afae0cadbe1e67

SHA512
7450a9ea6a40ce353cdda4674dc602832b767dd331f4c3d96c7ff39adb547f6cb262fe48d5a50acd359ccc79446c10b133c399103b21395a80d3fb1ad52ce02c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
310d428bbc63b314add040e869489916

SHA1
e8df605fcfe4b583bd8b7dbfe35e3fb55e4a01f0

SHA256
69770d98a91ab4bdfa58ff534409e96e10cfaf20952de7581aaaff7e84e1d1cd

SHA512
c68f7dd1fa6f0c0e28c522486415584181b991d70c1c8f04cbd57d37161eff9337a361380f0c691a14898f2bf12a2fb4ef79d3e456384b06a1ca88c3da237ce3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9955d03b922670c1249db4d3295d69c1

SHA1
9a9be6ff69cebb5992f0a5b1d44e2f6bbf3d54e2

SHA256
fbca23b70696609b2f6ac58f69edd8abec05996924fb995f307e93d6ec4b71ca

SHA512
69fcb435ad992a6f2f00f29244e19d2096842c9ec1a7c447fe4a9b2c2dedab92fd05d0e32ad777956d47cecdaac16090d0e3192993b0c9f692d6722ecff83d16

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
53700259430a2ba3bb2697b1c976c3f4

SHA1
95c1edfbe8feefddcf4cdc6e022f0eaa024f01b0

SHA256
fd879db0fca704fe95558704b778f5ccd2b2f62a2241c39ebff7577f5b9d807b

SHA512
d6844b1cd89f81318bbcd520fc1fa10e582eeaf90db4fe93e8718e98fe9db7c270d7a9ccd021c447187b072bac7618852875215ba577b5408f860a6674fded27

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e1284704280f2c47de8f1e27ea7a4990

SHA1
a48ea6418019b930f705be315aead089efd80591

SHA256
84bd372e2d2ff15fffb9fb942fe05aa931525456ea341b129bd91616d832cf7e

SHA512
0fee3f8911110a08e5cda906a69054c893910dac10f9cb997fe77dd60fd9d81571d118862d5d630f9c0b08efd1d74db3edc4b1bd98ba7dcc4a5ae3e9ddb010c2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df26d8283313ada5567820934644e7f4

SHA1
5501635ffe522f59f17b990e5d87d8cf0d8843d7

SHA256
1b867850368be7ab0164b99276aa0119f9e59afe9e33b5383935683a4db14466

SHA512
3e10292ee7e9a830469814afa815f57419d43e93359c795a94f5e9e354be34d3c471a55cbd0a7c67efc130c59500ab8629807dcbc7f8040b2e82cd0c0d0d07c8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e69646efb9bf90e93a961224ab36800b

SHA1
4903943eb2535d0e1efe4fa2f6871bdc244a8df1

SHA256
43f8f931081badac11a52a590202849ffb350dc1d7f7a93939bcb52dbba44edf

SHA512
b6c38fd71d41fd77c519ad89bcd8c812c92d577e1fea71d134193ad0c1df6008479f75ab3cce653949500641459274c3479a42a671901709e0092412955ee62e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
324ad2f1083c927c24723db7e21ab55e

SHA1
1c3399e2aedc10ffc158d0a7d3d191a89be3f244

SHA256
cbc99980d4c199eebfbd6d58148f8214599dc53e187a96e080c7b11237f5c1a5

SHA512
603b7c66fe7d78a9bfa181441fc1e5b5876292963ac6212a438eaa0684dc0a6b01a7665952e3c161cd07ec89e2778fcd61e04a8b49fb5fa7db5b627da80f8581

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
452a48dad61f6ac4bb0f7d319314dccd

SHA1
980576edb92b538e504aa939c6ea3dbd24d3ea2a

SHA256
dec12907924991a07084f826e1f282a9941a453e34a33b5f1b73c8e0c819068e

SHA512
fd8f391464aeb88f6bda73738ab96c2f5b1f9d17bdad789f3e8a33d689d0cdd91751c28fe1282b179e4220325e69b5337f1d49e349588c7a1072b068fb9feeb1

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
357d5e72a8af88f5608a7553528b1bda

SHA1
a83d408c4b874ca8ddcf118e90d5facde7be5c7a

SHA256
b29d9fc16320135848f19bf780d67651a4efe7db8c1bac0e0a139c85d27b1719

SHA512
84d4acc6b74dbb58ff26218119a7dd083ce2d6e5aed789b50a5968f588e5e1aaae3b1a2978bed4ce572635b21e8cf3ec79e3f81ae3c57a4533c6b4a25079c505

Download Submit
memory/336-308-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/336-419-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/764-366-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/764-639-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1060-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1060-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1060-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1060-236-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1236-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1236-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1236-76-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1236-69-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1276-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1276-644-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1576-8-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/1576-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1576-28-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1576-2-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/1792-407-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1792-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1912-634-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1912-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2080-346-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2080-638-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2180-262-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2180-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2180-256-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2480-311-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2480-637-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2480-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2540-647-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2540-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3040-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3040-369-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3064-645-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3064-420-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3624-252-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3624-245-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3624-246-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3624-365-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3640-64-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3640-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3640-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3640-60-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3640-54-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3656-642-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3656-384-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4224-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4224-383-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4384-643-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4384-396-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4648-323-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4648-585-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4784-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4784-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4784-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4784-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4828-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4828-395-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4964-37-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4964-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4964-31-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4964-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download