5564b11ec6052707282dfacb40933acae23a9c691d464610cd2056a9f972744c

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_8d61f6b8d434ea94b473f46eee5c3b23_mafia.exe
Size

1.8MB
MD5

8d61f6b8d434ea94b473f46eee5c3b23
SHA1

0ed63b18d1aee7b6064d77495a077bbd4ad8c160
SHA256

5564b11ec6052707282dfacb40933acae23a9c691d464610cd2056a9f972744c
SHA512

18add75a1ee40d6ada83dc154bd37f8b9fd621ca368e936e46a65a7abc2c27262c7576958e973be45375a3c5614fae1736d393479c59f15f498c4293209d2242
SSDEEP

24576:1UNx+O2R52FaGZTKYD0AtP2JOt934J7Z6bQaj1BvUm9J:TRR52FaG8YD0AEJE3jM2ce

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4080	alg.exe
8	elevation_service.exe
4296	elevation_service.exe
888	maintenanceservice.exe
3616	OSE.EXE
5076	DiagnosticsHub.StandardCollector.Service.exe
4548	fxssvc.exe
2032	msdtc.exe
1588	PerceptionSimulationService.exe
3252	perfhost.exe
1520	locator.exe
3728	SensorDataService.exe
500	snmptrap.exe
4020	spectrum.exe
4616	ssh-agent.exe
900	TieringEngineService.exe
4356	AgentService.exe
5088	vds.exe
3188	vssvc.exe
2196	wbengine.exe
3648	WmiApSrv.exe
5096	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4eb8721b1222d1c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-03_8d61f6b8d434ea94b473f46eee5c3b23_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_109750\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_109750\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_109750\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056ddf25a5356da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001a0165b5356da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a879e5b5356da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000872be25a5356da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c979d15a5356da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040ed625b5356da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012d5525d5356da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035164b5b5356da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000001765b5356da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a4c845b5356da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ecca45c5356da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
8	elevation_service.exe
8	elevation_service.exe
8	elevation_service.exe
8	elevation_service.exe
8	elevation_service.exe
8	elevation_service.exe
8	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3508	2024-02-03_8d61f6b8d434ea94b473f46eee5c3b23_mafia.exe
Token: SeDebugPrivilege	4080	alg.exe
Token: SeDebugPrivilege	4080	alg.exe
Token: SeDebugPrivilege	4080	alg.exe
Token: SeTakeOwnershipPrivilege	8	elevation_service.exe
Token: SeAuditPrivilege	4548	fxssvc.exe
Token: SeRestorePrivilege	900	TieringEngineService.exe
Token: SeManageVolumePrivilege	900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4356	AgentService.exe
Token: SeBackupPrivilege	3188	vssvc.exe
Token: SeRestorePrivilege	3188	vssvc.exe
Token: SeAuditPrivilege	3188	vssvc.exe
Token: SeBackupPrivilege	2196	wbengine.exe
Token: SeRestorePrivilege	2196	wbengine.exe
Token: SeSecurityPrivilege	2196	wbengine.exe
Token: 33	5096	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5096	SearchIndexer.exe
Token: SeDebugPrivilege	8	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4004	5096	SearchIndexer.exe	116
PID 5096 wrote to memory of 4004	5096	SearchIndexer.exe	116
PID 5096 wrote to memory of 3932	5096	SearchIndexer.exe	117
PID 5096 wrote to memory of 3932	5096	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-03_8d61f6b8d434ea94b473f46eee5c3b23_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_8d61f6b8d434ea94b473f46eee5c3b23_mafia.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4296

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:888

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4444

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2032

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4004
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.3MB

MD5
42303a4b115ddad2d63b3fbac15c9be1

SHA1
31bdbb0587869dc32e291b82d2bb98f43c94d613

SHA256
bf559c39f8761d76fa6b067e27a23e2c686960447bf443b92b6c6e3a2a3600fe

SHA512
f8f5166d499c07c34c09c8088cf678b4a997beaaaab5b7cfe8993243f39e270b86274695ec520af80e33f3848b69c8b42a3746015620039bca05d21d59d68360

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
140KB

MD5
bdc0d21555b68e9f668895973870a277

SHA1
604d5e51690a06e39274b8c0659b94f56eb83ae7

SHA256
b7e8c99156528997d2e64fa18c4f51ce35d68297349d49f5fe54e752e7818c07

SHA512
9c7b9b5f83c726c1fb93fdb02ffde4f93b11e05873ebbc9578a4fe51b61c53827ab6a1fbf19b83863b5c9b85ce0f0893b02b51e9f2cde728c7649de08c2fdc7d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
75e46e980b742158e607e850f5775964

SHA1
814adedcc012cff34711d1b8d41cd8cb0b71fc79

SHA256
dc3c29c9c776db371e2286ce07b622095014e1f2225362c3e26b1e93b3dd4037

SHA512
104b36c0faa87318cab6e0f8a67d6f3e36f4e1d2ea5820cb3a47d1d326abcc8dd0d1c126cedc76a53997b3a84a5e4a375621a48f27c5d1288dbf63da02a4cdb6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
115KB

MD5
b3d5bea80462ffc940c617c3c61fe536

SHA1
8c561f3ab33eedfcca5419ee120e0ccc09ff5351

SHA256
5ca17abc50e47e84d9fc8d77095372fd7433eaeaba255539f2e3ee3f12dc2c4e

SHA512
ff34932e7d85c1f9be4bc1a64ddfcaeb37423c8aec4ecc8ec303ba83c7b927ee461f1eb71fd2c80978e4f82849a4deede1e0996dc8e88c766ada0e5c9d1998df

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
197KB

MD5
dfa1f1ad0b79f4c3daa34a69b8bd9f2c

SHA1
2fd7b645958167afebb97341f1dbf8c370b1bdbb

SHA256
183027cc23f0b0ea51f775042432939ec547b93fa60d13472eefaaef4614feea

SHA512
f5726b76af754ccf72f8c9ffa4026490f8270508aa36594cad90e7d3a875869380c7543ee9e09d882759275909f3a4b9d983b0a3af8798c19048e96299680ab7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
125KB

MD5
835509c6f8fb2c865f23b2734e4ba0e2

SHA1
bda4e1bcc3ca3a698f626dfd7c8ceef796c01cab

SHA256
3cfb7b31f1000f372f728c22160756dd1915c02c96254e497831a34c4c2e0358

SHA512
31dd0dd9d11f12ab2685cc673973f7ad9b557c7777cb0464b6344a18fb22dad7bed2e3c1d9822becc83bbf795400d04d76e877e9b784ddc62c2f83e048b40110

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
159KB

MD5
504151e3b042c6694a540b2bd57dad04

SHA1
ea223a2bd8486bc85522a201e664e675893cad6a

SHA256
a1f206fb4f6505fe694c8f204ed9fc2ad7fe832a1838713a9d7e140de6ec94e1

SHA512
fb316ae6d5795c63fc311d6b0ac5e78fa31181983e777f5796d5b4f999fb0b0caab5eb4e6ce2918eb2a1548b785733fb96f4acab574303296cb5728f2242ce3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
139KB

MD5
f95fb24dfd4f7b8c6ee823e8df1c797a

SHA1
396fb85e68c6759cc667646dacc2dfc706a2e0ce

SHA256
40bc6ac8007549ec700045e2cc99ee5dbdced43c72f4dc8663419a7f6e7ae70a

SHA512
c82b316c81689941ecd8deadb54ba23bc6f42bcd61e7b5523eac80b3e7fdc2c492e9168a7e49eda89ed082afbce06d0ff3001d3ae3e22c1d28cb13daa53afee9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
186KB

MD5
50a4deb0c4213f5eb3f9f474e18d920b

SHA1
6cd90e4304c28cc0f5f16afe7de1ce41f28d6acf

SHA256
1fa08df6daf94d99aa423fde26986441f3638f40d44fe2253da4ef0cd1faf0d0

SHA512
5e083417b23637148ab6c60cb6d783cfbab0ea9eab6e526685c6b2c53753cc250820b99384607aea931107a3657bd41668419f119f22d7cadcfad35bec101e9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
184KB

MD5
0612feab18ef07ea4664c1981d92ff01

SHA1
8c16fe26e060ab648625bf5558a8e194b9f305f3

SHA256
043c1bed03dae240ab34b4e2999b465044a4a9fbabb6f575e80c6dec63d55e10

SHA512
d423799d79cc211cbebf4a5558d3b86851c1a3ea786f168ab5561271e89b913b39576f97f37d6f7f3bae866afdb049b1c528c7e8d9bf115f50a03b7b1bc88737

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
225KB

MD5
0d8ffae01417957899bc8c5e45d450d7

SHA1
2864402c85cc60a6dc88aa53e86e668eee67ed81

SHA256
fcb6ff3699ec8ea1e293c7dd61510eadd64ffd1b87868ba05b5d64bc8a5576f5

SHA512
08b94585683aad1f8d26a8be3d4bb8a99befb4ce29c1b08261322a1d5368587ee03896a9b438a3b3d0fc479e266b6c1d2db24eed4690f77bb6a0a473831b9dfc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
317KB

MD5
f62f4cde60cb84bf6b9d4234a1ee9ee8

SHA1
f1fe399f9d6ce8353295ee01e3eb52d6d7c74e90

SHA256
7cfc3edd4984bcc08cc654b406392dd409de44d868d440a626608bdbf5ad3264

SHA512
ede0832eb6e5345866575fd9f6e86af410263cdb2c19e596fa1408b250d8a0373f9e1eaef501a45b3ee01b8a5185676f122ab38506c30a1b7265552927958e4a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
89KB

MD5
3bec5023c6bb17e3a376b29733a7c094

SHA1
ecd51d2b71af09ee3358573e891712e666dbfe5d

SHA256
e02b50bbaf7676f03ce3e98fd51f0a5d58330cea2b0adc13e0bcc3640261b9b9

SHA512
6038c3b5f69bab8be1b919d6e8513c7767eea5486ad5786e03afc372af7a0eb67fc148cb958fe150d302a2d6310cb44df5304d50c6694e74fd9b20ee850dcd03

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.0MB

MD5
755299ebda190f5eb5d17d7ad5c5dd74

SHA1
b174a4d49e79ffbf37963a1b0189b28ca992c029

SHA256
03477e6abf36fdeacb9fe86415aeb19cb5b62d657674e78f7650d548523d3bc6

SHA512
b579438ecfa66dde93de9039aa18ff08fa5a2b5ac1a19f9cb9f7615e892a65dc41094a3d9340f187e7f457bf07521e3e6144dd23406a2573d336ba3d48f1746a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
142KB

MD5
969460eb7697f4498b19ef64cec6b2f7

SHA1
7d0aa6dabd80a56417a655c5a10738c1234e30d8

SHA256
9424ff9d1511bb66ed34f446ef9925824b3f639f54f84961c36032dd2e562d6c

SHA512
3d0bfab9bb229d18978c2b9f6b46bef23171ca8e929fc4640f297f7800bc913110ee9ca71cd1bd6d0b18be9862ce7b7436cf269aa80b66f8d60cbfc3f2c09be6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
155KB

MD5
c26021e593596a8331a7f56bbcdc39c3

SHA1
e501680478702c9ee0f77726c6052761fe1327b9

SHA256
d53cfa6679d02620a2c71ae4b70fa94deb6f330cdaa4232fca9455a64f3d35fa

SHA512
a3480ff2195bdbf64f650caf91e0f3e4b2b63f576e8416004a9215d09b8d6e8b64f3cff9755c7393ab5b60dc1d337dff2106bd3ca4efe702f77a5ef6347d643d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
192KB

MD5
6aa5615b84e6e32d88eb3ae0676e88c4

SHA1
6d3165f9bc066a1662bf13edcb42c1f4c6fd04e8

SHA256
cf336188f61e3203e06799b7c2311e63b4b905c26d7f27f3ae8f65d0b0806e62

SHA512
a3c02ef575598fc09cc084ffb805317a199f3b5f3b13e5f4de0cff990a3efb62c61b48295ffff53d2183d0ce3b6464083025dfd7cd4f6856751ce5f2ee176b52

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
165KB

MD5
8597993de10ee5927c1d2ea374289d34

SHA1
13b25fa04ec8b5b7d7f67c1fc0bf6cace47497a5

SHA256
8375e104eb0392b4c493d78fe04fd90be5797c49045c1cc22149427dd58cdaba

SHA512
e6cacac8d306b8dc1aeb38bb8dffedf2d0e6dc415e2057de4ea5f738df900abd80990f11f0db7406d7a5414456d5313e82dd2e297734e4fa8bc5241ac4998425

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
183KB

MD5
9bcde4e0dee1ea74166ffb76a9759ca0

SHA1
e15e78248c29bd74f45965d90e376d96d677a88d

SHA256
118d957c55b089a4d7c7db581ea652314d43869d72c749de9c1687d2bcf26a71

SHA512
9fa31d68ed599ebe110ceb0dcdc411060686b3eeab53d1abc17bd8d9607491a5e1dda07a68539d02504c5e2135cc0e526257cef1dc9f398a6a02c3032ab3c09f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
196KB

MD5
4118305dd95824c4d193d61c34d68fda

SHA1
bdf49696007bbeaf7156c948de1c73d50cc93877

SHA256
950daa3040acaa258e56fff585be07304daad0fb78b32d4b47b552f2742cb8cd

SHA512
db21625cea656e6fdddea326c83adbeeadb1fffdfd4de53fa3888dcd3c3bb4d983e6b9a45bb80df5e0b81200e6ac1ccd063c97ae73ae40accefe46029880fda3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
153KB

MD5
21dcb8119d5c949509b479b7b621e705

SHA1
a9932841efb16ae61f3f61d0b1c6daae944268be

SHA256
a26fda0a9cf9bcfd7eefe938b02e070e9c41c91f818e148e98a3cd82549e4870

SHA512
d1f1a64d6358b29ea4e31a42839006edd91c029e74c1a947b352741501307ef056af5753ec07aa854fb3fdd8e81a35d02ab1c00d4d793ac8e2ace298ea4be8a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
185KB

MD5
82fb4089705bf669216a9d8650682abc

SHA1
73307d722f2103d02809139249da0365e40e5062

SHA256
e13452612e10ad58897b7de51d4c57ce6d433df1075a9655b6595f36f7ed9885

SHA512
319deb782e5eb3dccd631351ebbcf01be17dc7a8beae5ec98aef99d58af2fafd5f375870e788350f7d3566cb40f91a36302dbdb20b3ae9e2ac2643bda32fef00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
71KB

MD5
a5183562603f534e7f1c0d9b9e234222

SHA1
a73764a64fe3aa6e2c17748c85c231238a0db208

SHA256
8d77dd2c2ec9766eb0fc93215f7ad44e04648a5032a947f23a442ab300f0fa43

SHA512
2da1702d6b831bf9e87575ba0d311c4468424be98ca634b38889f4fe8abd6a07fa912e726eb4eb51184dc51fdfe3c4292bbe089a7735416fbe97b3e855421e04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
6KB

MD5
8d52c0e6b4571b707cb4f679229ff3bc

SHA1
6c6c2ad91540c369e2512990383a5fe6898eed95

SHA256
7a2727ef6c30b71c425632d18a9831a82f4bfa8c1bc60cd1d47a68d041111da1

SHA512
834c3be17a9833f9d444709c4ebf16ab8f58794bbda36127d00187c530fc96643c6952a312204b92869a5fe99a88c957baf083759736449dfd2cf8a3be626cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
173KB

MD5
d40809827224c4b7ac428a5a701a9b6d

SHA1
2af927b0197453ca15b79882cb792bbe37d22928

SHA256
2057df4dbb09df531b151bce4d70ea06ecf76c47c01d1bfb710350492c284b7b

SHA512
f25568385b8d1ccb32b4cb360f1b685a6ce32d54ae578bb2f3b81be99802ff30ca186f85416daa03d5d39d1c028f1cc512ef6a3a31a737322935ca23edd86fcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
62KB

MD5
7faad5d9f00c489b118e6e8148179a1f

SHA1
16a8b416a27aaa0a93e1e7901b509732d335de68

SHA256
08d63d3c7dc871f1edcdb9df7e7f8b091263eb20d58cc5b9c51fce1370145d0f

SHA512
64cba0d726522a31796ebd758f392b14a72a7039a3755772fb0788b86e96196b148a9afa1a882cd557c5d3fec64806c1640b21d5919074e389bb34fbffddea4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
93KB

MD5
d4fc823235dd48a2a82b051f503cd2a1

SHA1
7a75afa9d8801a9e073746a97ef8eb5bdec39531

SHA256
30ae0298a51fe4cdd09b35a10bca79311862f9e69daa5338082135f930475835

SHA512
db3d435011c0974851c125ff14b61f7190602738e35d0c170a7bcad9ae5528e11fa9794f70d7efe88d21b17ef96e23bfc395882013dff64d12a59940a3e4fe72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
92KB

MD5
b16a800fa1cff5c195b5ed42765a3b71

SHA1
9ee697e8b137f413d31a1fa632db76e1347878c8

SHA256
f18c18510a132f0a3711fa89c3f75e47ae6123bcd06488b91ba7dc2f91a14e29

SHA512
4d16788f6cb75c7d51e03187be3a63a35f7df829ac10e542294d7bc09db92f4a78792e2ebb7a248561f86bdb43d375be8b7f5364f7efd477e262a6b7202fa931

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
29KB

MD5
e26dbd66c1c9658d8dff44b0da1a3362

SHA1
cd94c76594d64a44ac111190eee823bee7283774

SHA256
958e7747f3be4a7371c56d16b75f61f06377f70f211738e9fd46dec97e8d61e8

SHA512
65bae8b6c6b9740e6debc51c9090b5bf65ece7805f13d96e86f2c3e35233f47070265f290f59145255d0bbbb710fb2bbbc3134eef46f8d63d8010fcb9754ac77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
79KB

MD5
3125261cf589c64d916e7f5ddc786cc0

SHA1
3f9e020b6dbe7c82c2f6f84d25fc4ad04d1c34d5

SHA256
fd1916d73679698ba8c0be7f373425e665bd9b4b87fdd19be6ba137e25be15b7

SHA512
36bddb003855254c460c037ce7756354746501549644c2bf35e8971a1a8a808a1e1db31c0d6ed408c7fa1d2cb3130b324187ec8bf4b1782c60f29b539fc29c08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
76KB

MD5
7f41852934d794bed3ba74a6e1b12b0e

SHA1
e78eee632a0d464fd042e963c74588496845a195

SHA256
aabe67ad5a0c8fd2cf1f1ffb5f5fc0e99445102bc190e71e5e59d8b33ccfd4ab

SHA512
576ff8fc572824a4ce204701d851810ade66be0c2493713cfa9da3dedcb7bd30566052c817f9bc552ee4dda4a5f2f66428ae2a4ddd75f41c4b830fc32e7b0229

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
33KB

MD5
ef181492f074927f5f6952d5e74c0563

SHA1
d1d600bd5fe2978b2f843377ee0351e9a43b6021

SHA256
8dbbcf93efb46bdd31dab2b63aa64e3b5b81dbff964fb0389a614438b9003b2e

SHA512
db0f08b823b59342031700f77106d752d94d8a33b17fd04e6d849fd31b4c44bca01eb3bca2bae4993d3197ef8be9d3d7b6ed383d3f3e4f8c9e868ac01a5e5fe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
55KB

MD5
feef00ea05bc9454c7f97fa8970fcefd

SHA1
ef393302b802326d4544021988320ff176810f03

SHA256
f9914cc4adb46c7ca989b71925ec86454cbe757c67f5c1c9b05a2b548b878a88

SHA512
b5fdbb394603ebc66bd8c93d2b72c2a454b406dd147759b886cd3935a182e1278d46d734f3a0f5539fbb3900009636512459720180c7f947dc15eacfd3911238

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
25KB

MD5
19cd2a7b32d1d247988b3e1402cfd6d8

SHA1
596c0ace0d03154f0b8b19880f7bbb80d445e68e

SHA256
054cb63f13416e3fd3db9098e1f46f3b529b3628cfd7386180cf0a2ad3aa8011

SHA512
42a2d063b032e77dff3a79a9a725fce3d958cc909646ae9c3fe2c4cb0fbf9f021d4f99d14c6b1170553f47ae6763f23b6490bf524a139cefd04b84f6dce44810

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
95KB

MD5
1de3a05df3ab06672086b8f62d473740

SHA1
a292accf6d83e7c69de2df30e4484c4af68c474e

SHA256
029258fbceebbdcda9a2cb57eb73c77385089c4c782775c326d6b23394a67a7d

SHA512
dba2b340463fdc92ca6b559dc9f440f11e4c5a62d3b999133d89cf90a82c464677003cbf4f66d07d0948cbe8dddb4ea0bc0124dcf68d5a88d9423cac8e4f63d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
64KB

MD5
2a8dd2525a46adf781655599df553a38

SHA1
7f10d359e6a58b55cf0952d58ec524ca81def68f

SHA256
ddf7d7f684efaae80a7bb452aa3fe8ff8f985483fa7262281a993104d58db2f9

SHA512
b907e5baec29fe40c1849c5aeb57eb8bacbb83bcc39ea8c19546c0147096f805990b17e3bbf992433e422c8453acc573e7aaf7e7aa76c44d953f7c08e84f36c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
49KB

MD5
330dff1f55809a728aba2d7f1e03ad30

SHA1
41db068549b44f369db3668b942cf777d89d6887

SHA256
e9b661ec0defd33102dfe46f2ca796299cb09443359058745c1253e19b2bb1be

SHA512
b9c0dc41e5d0ae2d5af3d9ef7814e5deb230637459839e54a669465dfdd99b70c85616a8a03c5d0df79010f57d211eb06bbee548a41850eb0a2cde3cceee3c43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
92KB

MD5
aa5488ac0dda3dc51b94828b9bea40bd

SHA1
77c2c56743fb19423e89cc12c3159ef5a8298276

SHA256
2bc52dad59560e8988ef70f2480cd2fb761b3d864be7db3368ccaf47fd3142ba

SHA512
d1136fe4fa2a01741b88460de60c8a4218c3363f659f20d6ef466bdde9ab9a8f3fcaaa5690c688680757a179745d511314bc4ba6354354eae25ddf410ca1661d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
35KB

MD5
bc7eadf8f7995b7c224f60faed25df38

SHA1
5f457b06fafc5096474e08b10c5dcae8465f651d

SHA256
37b7da8ccff27f96af8da0434654bb011f4f9c1481c38031efcaf30ce5cf9a51

SHA512
bf293821f279e65461b12536abdbd945890b3d9b925808d85103639d3fcc5ee77d3737e551bb73499a32f5955cc12250bb52814f8f8f756eefa76337dcb024e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
106KB

MD5
1ef475def531913a376df544fa8ae6ed

SHA1
b0a2e9afa7f088f99acc55a19467c842bb0c3cdc

SHA256
10373142c36f7b8bd5f6fd9620781c2a48007d3faffd8400100a1bd1163d4108

SHA512
aaac4ed1756e9e2820a9fcf32f48e0297865fe34f9be2266f8e191e4282ce9e5b64087c8c80a38a3d5eb367c034f299fa649097a8ef95652f9de8dc765944fba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
55KB

MD5
81c075b4ac343f0e205c0d2011b21206

SHA1
78146e8d1dce50b4d15b92589c762cc238ec0ef4

SHA256
92313c019b8f291a5fad93a13dd91222e2d0788688cbc718943e7e056bc8f889

SHA512
03194fdc619aada3029623b802d4c1582a78b3faca0acf10cc1630cfb15f780112734cd7c8888ffc1d06eba388d3bccb01d438eab2d7f0a2a0cccb6b6fa4f959

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
77KB

MD5
3cacf7a5c474f8912f73c645388b30db

SHA1
e8b2bae55c7a004664622a65bbab2919598bcfa3

SHA256
a596f94cc55ad8836646bc87b14e81842365e36bf56f02c6e1e669afe71526fe

SHA512
b41a51fca19a92c6e489dd6cf501797db1c406d0624055cc8503b9748edad2bd8d5e5d9fa44b83df6155333a732543c0a06a0b1324aa37bee9ddcb07a3444fed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
7KB

MD5
d78cb68ed1a6ba1e9fdd0343de9e47e9

SHA1
b1389c8eb030622567954c99f886cd313757f835

SHA256
c514c3390d3b69354a8f4ebe6ed3821346f9e9ce326f366d05a740aee234a490

SHA512
bdf0d57cfd034abea5c205310da5f8c55d125f526e997caa533cbd435ac58212ec1f208830e6e5bf9895e6cdc1f306796eab5e2318bc39f19e3300b1511996b3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
82KB

MD5
267d7708d3420f99d8adc5fba702084d

SHA1
c5e1b250676ad18302ccccf1a1f6863a54e88e8b

SHA256
24c9433662cfa292400b323e5cde72846d26349481befb91d3a1a607b6ed0bf9

SHA512
2a72744a8222e7689ed07648059f276231e329aa51e795f603b4cbbb93f92e0e986c4a1d5db9f9d5a023d2472ed43932dcddc4573a5b497f10fd39cebff9fd44

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
181KB

MD5
78731182deea484cf47d52966efd4be9

SHA1
2f9566677bca48d35cafee03b46c5b228e7b4464

SHA256
ad53b779bcaada5be97775f3cf651bb1707de9726786a4f8f60ded970c5dd842

SHA512
97066761a20bc51e81c55bb8f17845471b8486d7abbdf103468d4df0df47b6a55b901a0cf192041f98988693d2648d537d01ecd9f5235fa382160a9a5f983f0f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
92KB

MD5
2b8920e229ca9a9bffd6141c3b563c0e

SHA1
02f0495621eaf37429cae5bf246cbd1abe10487e

SHA256
87e4540315c9f73b5f8c8717837b6e4a2b5e62dca0a79b558f1c24690094a936

SHA512
ba5680de86d74b02f332bfe13afcb6bf52d15e53ef70d907b212abf67a6c1b8ef1b6de3467adb38f23feb5081ee8fd17bd16b85a1a31be3f8015f7912d9a810c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
226KB

MD5
283241b09cf2114c7c189e4b3781924d

SHA1
69c289d5c71f7af31ca60dec72a0840f193cc6ed

SHA256
7f9be845aff1ad296e26b5ddbba93b574645f09f3f4ae5518cafd8773e06de8a

SHA512
050e6632e6d0eff51d4d69bd49ad736be2d0be34f9e063a02b94335c1aac556713544f15b0aa80db8543fb0f0b2826ae958a48fb990fc4a3116092d0d4f798ab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
170KB

MD5
59821337cb38d6ecd28e329389895901

SHA1
3086c9b3612d67006f58a63634f328c03c451479

SHA256
4ea6984e5d72f9280390d1dd4ae6ac42037793145e83554116e8e439c450ad6f

SHA512
91abb3da527543dded7414c9fe36d526477abfb22cf82fc5834cdf354cd7fa630189a32fafbaf7ebb0c3386928ce21621e8bd1be8dff7b1b21fb6d05fb715fa4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
180KB

MD5
5650125d21c2904aee9693f65f91346d

SHA1
bf14f9196ee65a6572a1d05875089d51f69a7fed

SHA256
93e05c10b6df872a72b0f79c24a0cf323801bfa16ecf4789e490d6dd10706b38

SHA512
53651539901dd03a3fc40dcd77d9423545b305fc7f26cb6ea7e0527b8c10d4b4e4af01bc75e3671e860ec5f8490e72f9ae2c686f79f2814e334f73dd44b518a1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
72KB

MD5
9c69307bd3c36d9b8af55ec5de4592b2

SHA1
935f55535b412b3154bcdf794945a985f8788537

SHA256
614e8c76826b685b8bcceae38a6b439956a695f6ebb6b22d994d501d0d9bf05c

SHA512
fe35b14ee3512ec1459af104c3ffcd7c49dda15d1615b2f5121781692962f3c4b07973030cc134e1b80eff2888984ac5c2afcfb8e8c8ea3b905624ffd38e068e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
25KB

MD5
777920b7a396f7f93adfcbfc88f94fe3

SHA1
36da57f26dd602c045bf21279e228cd6b9a4732e

SHA256
2cf965f4a3cefc490cf9125172f701b85e2c2a108e466a9a209bf1a9b5815b2b

SHA512
88b94fa17ce0d9201afdd382a4ddb74faf1d9255044f82da3f4904268afb0bb422b7089c3ece9146ee7e40d9b6ac2db12d0e053c48ffd01cca67c188f5f15334

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
212KB

MD5
75bbfadbf900c9b8db155c1ac75eec84

SHA1
7035e1e5b529df01c83a157cfd7b62a38bb939ea

SHA256
acf5851cfbfb97056c17b1ec2bfb1e594ae86dcdd0d183e958d016cb449dcddb

SHA512
c0af3476b08e5e984488a69d14e2553b65fe5a33cc7012ccc637603f2636a565d3d9f5fc3626b1b520e34139cb0169d75a0201eb592116fc5a8caca8ee19c749

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
119KB

MD5
79632df88536ca27137c4a44606a55dc

SHA1
747d5146ea94c62bf226f42250f1b218d62439ff

SHA256
baa3fd7b2a07ebdaaa835fe0d7abb6186d0e83b88b189228c9005150c74a7126

SHA512
41d8c52357b777ac45bc13d955e6a558f418e6d20bc5c9cf6019bbf1b12c1379b0ac244baffee696c01e0495cf428e9c2b687afe116638e62f1a870d3a35d8aa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
155KB

MD5
b2584d47310d1e5fc81c7675b419c31e

SHA1
1ad2f55d6869d627171a1f90135638cc85400376

SHA256
f7a35a3ee100d35c8a050872e91259c6dbe09d7280162c0868203b9afc47cc22

SHA512
4888c46f41c4b2c82ceaa28254fefb19ad41ad3fbc1fc5b71c161b736c581f3c0471f1050c1d70b295e92cf7f0e14f28bb162c3933ac5df8e2d2dd738bd87064

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
77KB

MD5
84888411571bbb80805a86325302a5c1

SHA1
80ecb9f74eef4a545462ac29c4861b1dd16ac1cc

SHA256
796259bfa8fb3054077972e7412241dfaedb94f949da5881b5b61c89f5c50709

SHA512
0690aeada8e76b2a08ef9fe8029e22bbe1ba9453cf793c5af1db374e5193dba9877b24d779cabcfe51ce46200184ab7f059899ef57b512c78bf03f65a4e924c1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
162KB

MD5
ea1a93b56d71ba18f14241e1f9482200

SHA1
b344582a5a3806d41a39542405ddfaa71cc04239

SHA256
5c6db0edd1af5a19b5a7710d44698a01af3ad40a56aceb5e50843f009cb7fa2e

SHA512
3159bb100f2fa4abafa4a4d96f225e14f1765d94cf27d69207243c678b6c91d0bf00d9757b1af1c20e2a7f811cdca6998dc80b9682f737e1500d273661c3f653

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
105KB

MD5
5763625ecfeef4c37188793d91bcdeec

SHA1
afaf029beb0b6a0417271b3c70defb5e0eb603a6

SHA256
c0403f9f533d86d0808eb96516f823095a8ac0869b8dc7538bb5d53f27864479

SHA512
38688995abb28660953c37d9f4870b771d3c0f3c71f79e88cd7f7713387e3418b1c683b13f46b8cdf32bce40a2fbc66b235469b7ce56770838a2cf48ffcab1aa

Download Submit
C:\Windows\System32\alg.exe

Filesize
643KB

MD5
e8651e029a3c0d96f0c1fd74589fef47

SHA1
c3c994db7086ac88e4a23702c39748202c8a6317

SHA256
c54b4ff6a6488d76243a05bdc043e3ad959dbd95b920805b3c71f40485001545

SHA512
4e8c7250afcddeab9e099fbb368a63d325b463ed3b218647916947f31acebfb64b2402c5c0bc4f52a1794bdc6a9c540755562242305bdc6b00b3a1ed9b3eabd8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
57KB

MD5
1d7ccdaffc6af7dd9bc16c0cb3d8e7c8

SHA1
99eeb6501ff7f25305f5d14c9f4aa3a70a5cc2d8

SHA256
562dc60c31baad601309a48a81ca199b0362de99ec52762c3c9fee01abfdf428

SHA512
310b5315af160cb0fde0b85a636f2e111ed88440594b8836669b5ebebc33c579930610c0fb404dbb10dcdee49640b102401a07eb5d3e3361fe3a03976b3b0b8e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
83KB

MD5
2782927846f20fb2957b5437b89d6cdb

SHA1
72444ae27d8c57a2687027927c510a30aab6245c

SHA256
9a678671e012481754b282fa9565b2140ef050773cb84fef578bcda00aa0ab86

SHA512
310260b63f9906e87dc8ecf603fd4dc6b915fc95fc9e147bbfd5c70dfb85fbe4e7ea70679df795f49c4329d5ce2f3289822218cb9a657273ab2340493b47b9f0

Download Submit
C:\Windows\System32\vds.exe

Filesize
134KB

MD5
fb8ec8d18d0b551662fd4f02cb47b14f

SHA1
01680d005aa62fb16a77571ed8d9b0b340de5160

SHA256
0265671816461a47806cca33d6bdf4327a07490fb22cfa4d1103c7b3d08f9af8

SHA512
cd9ff2860f4507b9a28806a46c9fb85aa9e5cb88c875cb5f85b449882a261540ffe5e19256af2c941e9a0fceccc4d74a1186d81e35a26f0c1795730b4da277be

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
27KB

MD5
fd8d49da0c0ad0e8fa9b11fce3f5a727

SHA1
b19208387f7eaa57f5549afe608a6531227005ce

SHA256
aa34248ca195221e1951d13bdfef6db6cbfeb305690a826b8b3b8d3c33938093

SHA512
29e9ca69627edf500d3ab33f78e5037333d28f09792ddff0b80cdc889d58ecf1ae768a35583879ab010da0c1017ec2c867f21982ddeedd56b9e8f8295b269121

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
153KB

MD5
d5de9a83c37b496c6c490b0fb4b5125d

SHA1
6e341753470cc3c6cd90e3033432c0ef243545bf

SHA256
3ffc634b5fc0a5d88be40d91c897f9b21d3ec0ed4632168179b63f63dca40d51

SHA512
2877902cea8ee4abc448a595ff4dcfb9da453a4eb6094218f5a7fe35be92c01e055d45a84edb30c4053107ae8810ced2737723a5ae32721919af79311dd6a114

Download Submit
C:\odt\office2016setup.exe

Filesize
117KB

MD5
c597511e5ed36fa29d9289de07556f09

SHA1
8fecb36a32f25fd304f225530c7dd5b30ee85854

SHA256
8353c0e3c7c20f7886cab069299a376bedb7198dad662785023c0d9ac41de828

SHA512
57490d2c547bb87fdceda42478bdedb0339c3272ca5408dfd646b92ab7511d8294b3250ebc4a84e52419880da0fcb206a51e0864b60ea4b1a638082419ecd16a

Download Submit
memory/8-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/8-232-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/8-34-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/8-28-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/500-400-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/500-330-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/500-339-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/888-51-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/888-50-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/888-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/888-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/888-63-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/900-371-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/900-379-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/900-439-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1520-369-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1520-313-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1520-305-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1588-351-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1588-297-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1588-286-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/2032-281-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2032-272-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/2032-338-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/2196-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2196-435-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3188-413-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3188-422-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3252-365-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3252-301-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/3508-6-0x0000000002550000-0x00000000025B7000-memory.dmp

Filesize
412KB

Download
memory/3508-1-0x0000000002550000-0x00000000025B7000-memory.dmp

Filesize
412KB

Download
memory/3508-7-0x0000000002550000-0x00000000025B7000-memory.dmp

Filesize
412KB

Download
memory/3508-0-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/3508-15-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download
memory/3616-65-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3616-237-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3616-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3616-66-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3648-448-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3648-442-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/3728-382-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-324-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3932-541-0x000001A92EC30000-0x000001A92EC40000-memory.dmp

Filesize
64KB

Download
memory/3932-542-0x000001A92EC40000-0x000001A92EC50000-memory.dmp

Filesize
64KB

Download
memory/4020-412-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4020-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4020-352-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4080-14-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4080-16-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4080-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4080-165-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4296-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4296-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4296-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4296-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4356-392-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4356-397-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4356-396-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4356-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4548-263-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4548-270-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4548-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4548-256-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4548-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4616-356-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4616-425-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4616-366-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/5076-245-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5076-244-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/5076-312-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/5076-251-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5088-402-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5088-538-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5088-408-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/5096-461-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5096-452-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download