d2ccd32d90717efd9c6ded73ccf0c96134f258752a2e6ec198ea3de0aa7f8aa3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
Size

6.1MB
MD5

43a921f89cef249ab663633bbc741f82
SHA1

5de1d8501524a74e182c9633984c8bf91d750622
SHA256

d2ccd32d90717efd9c6ded73ccf0c96134f258752a2e6ec198ea3de0aa7f8aa3
SHA512

8fac6c1366c75b51b993a04f3a0700569795924bec8113b215a322c14d87a869f2d0dffc793dd911a698ae13e73d90ab64370342f2ed8995ff84d18cbf734625
SSDEEP

98304:bihyoPgbIAQEHY3N3sNfxLlC1DxeGqrEr:aDRsNZUDxeN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2364	alg.exe
2244	DiagnosticsHub.StandardCollector.Service.exe
3852	fxssvc.exe
4344	elevation_service.exe
2836	elevation_service.exe
1612	maintenanceservice.exe
4756	msdtc.exe
4820	OSE.EXE
2900	PerceptionSimulationService.exe
4988	perfhost.exe
3400	locator.exe
1960	SensorDataService.exe
2708	snmptrap.exe
3584	spectrum.exe
2092	ssh-agent.exe
2544	TieringEngineService.exe
4452	AgentService.exe
4484	vds.exe
1868	vssvc.exe
1432	wbengine.exe
400	WmiApSrv.exe
1152	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\214c37fac4fd1e7a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000690422586475da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000522002596475da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007f295596475da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfe9a9586475da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2244	DiagnosticsHub.StandardCollector.Service.exe
2244	DiagnosticsHub.StandardCollector.Service.exe
2244	DiagnosticsHub.StandardCollector.Service.exe
2244	DiagnosticsHub.StandardCollector.Service.exe
2244	DiagnosticsHub.StandardCollector.Service.exe
2244	DiagnosticsHub.StandardCollector.Service.exe
2244	DiagnosticsHub.StandardCollector.Service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe
4344	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3460	2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
Token: SeAuditPrivilege	3852	fxssvc.exe
Token: SeRestorePrivilege	2544	TieringEngineService.exe
Token: SeManageVolumePrivilege	2544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4452	AgentService.exe
Token: SeBackupPrivilege	1868	vssvc.exe
Token: SeRestorePrivilege	1868	vssvc.exe
Token: SeAuditPrivilege	1868	vssvc.exe
Token: SeBackupPrivilege	1432	wbengine.exe
Token: SeRestorePrivilege	1432	wbengine.exe
Token: SeSecurityPrivilege	1432	wbengine.exe
Token: SeDebugPrivilege	2244	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4344	elevation_service.exe
Token: 33	1152	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1152	SearchIndexer.exe
Token: SeDebugPrivilege	4344	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1872	1152	SearchIndexer.exe	128
PID 1152 wrote to memory of 1872	1152	SearchIndexer.exe	128
PID 1152 wrote to memory of 3144	1152	SearchIndexer.exe	129
PID 1152 wrote to memory of 3144	1152	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_43a921f89cef249ab663633bbc741f82_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1960

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3584

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4300

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dee09730b06554157c60a8e502faddfb

SHA1
946f0dd2e0fa3b4a466266b04c49693ad0a43c08

SHA256
e7b8af3449500b1b3e8f950d34bb068c70de61634f62d7e410d71f50199cf135

SHA512
e6ffe609adfe894059e9525313ff0591b53ddf1fdfd9b59fc99835a6f7a660eff023e0cd5b0bd97bec8bb3ca32956a658b8879355125ad7effd582fa5c0d942c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
894d312e53d6d8c48a6c14f520596156

SHA1
4d563aaa7955c0e9163f92914d5d72f265b31323

SHA256
f85cb23e4bbcd42300377f3cb587af026b42db3699ab1d74e9210b7a300bfe3a

SHA512
c9ed4c715520451af311e27437197953bfb2a7c802d895124def61c28556c7767dfd0bec53aecc27ab3a2046a0efbf77e2ea8aa7e877aea8ac9277f01efb5a8b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fa30907703c5d8e4465b9bf1292bcbaa

SHA1
a35bb54d7d46d4913ea788a3fba561f303c4ff44

SHA256
3428671c93ab4d4f9fbee2051fdf0511571bf4cf88b4d81ef09be200695fc23f

SHA512
b4796cf2ed9bf735bc865f782056abcfabb1509f639f731a7dcea63313fa601218438628133d5c38cf438c05c5cc5c9e1ad9faca821c8b0a0414dd2038342614

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
73af51f426089642dfb9b154f4d29060

SHA1
2ba60e637da7a20d513ef443b53ccb304654bbcb

SHA256
60e54656dab60a68b4a6827ab16adb0e5239226e9c65516833961dc96a2065ea

SHA512
3e1f1cbdf749214e246db0c2a776f2a1755751498c54a359a7b4fba5f0146ee7353bc4ae5f00d5f1cc9e24cc22c4a6a9bcc15719e95a70e15ae5ac479bf99d65

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
69d65fa239721edbfdcddcedeb455fab

SHA1
84e00feeed045031c7726f2a0998e04577788713

SHA256
d4a24f5f57b125e1e6e897e7766dabf998a5c53b64c500f25a1f91e503de0687

SHA512
9bf8b8b242f3313e30b431c4508477c65c6f760970f4769dcd7619441b6a75a0ea8863bff710ac2acaeaf918ef33f8fa17dafc6a73af5719161fc72ba2fee5fd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7265f7f69871ed0e0ee5ffa9e49c9e21

SHA1
719d85776b43a9ec846b6f0501c5f5db41f20b0c

SHA256
6c93a13c25586d5603dddb8cc1c8bb1c41cba07a833f388daecec4a22f57421e

SHA512
31d0111e72fb773dcc544ba1bb9aaed0a4bf7b8bcdeaf0119785c74df6bacc5b7312ae88eca989e95a39ea7b3f44637a80773768c565008b3c92d0d83fa1f051

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0bbe7c01c37e80dfd0435883b5307e56

SHA1
2381e7a2b30ce6c38795f5491e9a4ee9ef296b58

SHA256
dfced0c7bde3b9ce95d3605f2f6823d465322ee193dc6df6efe5f55a81c08f83

SHA512
98dff5bffafbc3c495cca93696476c1774dddf1c2faeba51bad1bd294beef2528e172b7b82f25924ce2833674ca52c5386a05db735223ddc6c025b2679f65cc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0bfc990348ff1d3b11d67a2fb3a9307d

SHA1
285b2bc0ba05350fa6e569bfd13d84528370a5de

SHA256
265305d95dbea673d5805369bf9f237c404ef37e986abf8e605576ffdb9a023d

SHA512
8bca122682d95edfab36e5caccf3b9afbda5a13e0465ebfbe41246a61098bd9fcef052be98755f15e67713b1e9e29427864d41eeb49023858df1ea305d83565b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ce44ec02d3af5920ba7c40e68ccb9c81

SHA1
2462b7bd37d19b09d8aef265d56412fd82d556ff

SHA256
950bc791cd9be51f09f1c4b5b14639518f610dfda2b67714a005d74611028515

SHA512
1f3573754e38a6a72eae03adeb9d5d1dcdcc6c5344e624bfafa229625e3ab2b306070bf3efcff85ec4873fc4ce3ef3574f55e6d56c2efdf6d7c46334ae68f2fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bc13de9abb37aa53df1bf168eacb952d

SHA1
58ea0e79eed8dde2d58731fd5f179662830408ea

SHA256
c5800e9dde9ad24316a00a2f70ada7c2193989d7e210659b98c403f154a42e4d

SHA512
2deb3dffb9e74be8524e0196d9ea9b08f232a00d333ce873781117e051341b69738bff460d904f57e56154735d0372e1701de750f6105e5e107183478f645d27

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2ca5e8811a16e3060de62868c1274455

SHA1
ada27f34ef6a435de9c3665f20aa12c45e2b794c

SHA256
7c4175fceb1015eca0688cbd0173184e0ad216d70710029853b74b72efdae7ed

SHA512
9e1507cfc7ebadc334879856aa02046a3edd13fbe43e62ced90c526e534b7c749a1a1f8ba83b8e37c3d5bad8a557296dc97484d2da716bdea0e9407435438723

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e17029de66efefa9325f2931899379ba

SHA1
0f037b38f18d45beaefc4031f6f2c7e4a3a5c5e2

SHA256
a79171041d7d97042d2aa0005a116df253e201c98020872b808eaa25e7a291be

SHA512
4f74e302fdefe6aeae7f6924998896872b6953629ce3dc104be48bd806abdae9b186368bcd5219329c7c6fec7f4563dd1a2fe051926d778ec37302b15cb62ea3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
56304e67f4a0fe556b16a434b2155859

SHA1
7604453906e41fab4281a16f90e084c4693940f0

SHA256
51273470f1a04e4ff1cbb87bf84f0ce0bd90e35ad9e643f0920b140c6ac5f41b

SHA512
16b9a68ed33c4d49f99572cdf7c59e458390b4636ebf3332163cc24c295b2e8e415e62c7baa47265c43cdb97659054abfc92cb0b39f81736e7de19262b730f0a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d815f91874c4e72a42c492d23b7bf9a0

SHA1
eb2922a4238aaed47bf17cd709ff72042ff34d07

SHA256
058cc3e5470d134207a1f0c01b7f80a748ab5807731a5affe2535cb00d1a8f3f

SHA512
37b1c6b1c34800cc4e6b7ec93323cb4550c1951e0183ea1f54c6d68adf2764fc42508a9661b30c3d359653f4ec575176aad4a6605928996a2baff272c8c59a1d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
de5fd8c48924de92fb90bc4202dbdeeb

SHA1
71b1774524a88ea63d203839fbf35cd1f6c947a9

SHA256
6a35dff5d791c5f113e66d507efc2c1353f0c2aa73070522e214670953cfef54

SHA512
323b2c17ebbe2250012a8c3f4735f6c629b62a76ab5a5376ade012027fd36258130dc4df4da6e66a7b9279e26611f97584f3b40ac823416e2904f93771e6f66d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
6a6e612300eda3de235659543b54efb2

SHA1
b8a22ea10bd77b15ce639b7c53d2c17fa7638b10

SHA256
156eb14690b4afebf14933b836cecb635bce4ac1916981389bfa0d66c5e8e346

SHA512
33daa10ea394f4a9d93079e8d3af7a24d5df82b51a8060ece485e7457a9ff623f0310d5b0b409758fde3e1f472c98a4c86df863181bfa5bf49e6b03b1c26109f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
499aa11c281cf126eaf9a536bd07a26a

SHA1
1d489070ccb58c02fe60d48384026473e004a394

SHA256
96754544fa6978ec55af02a66031436cef6eaee2ae2c70b1f367d3270de1a40a

SHA512
99f5a7950ffc4997acabc314dde9da4b7c99c6f6be244b62b480cf53b0db51cf332c19bb69f65c80057ddc13287a91b85fe179633d66b0fc82f6171ee5bade13

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
69c2276f12b57cec4240c2c361731a3a

SHA1
092a83ccd5d04b65e3ffde64c7513668cbaa8da4

SHA256
088a0407c9be5b9874965b202368c9f4ff489d9f6918594b616c801228311d23

SHA512
eb1ebf415f106eabef8174b1ffc00da3f5655a7e57893f9767af49dde328798e94a6433767142e55138e3370243e998a12e683265bb1b6891d9fe0671d5227ac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
8b98176e0b81a8923f57b0ebbbcd87d4

SHA1
07b928168bc24e5ac3470b5deb5c8ccc0fda1f15

SHA256
f30e942440c505ad4deb9cdfe32dc5f6d8a510c5ccf076011c506b0b036c931f

SHA512
305579e0d80f7a3f51d6faeef4459877ed1ac20999b2e76e71c8ec911fc6f5544591339e800bed885a692c5c8b945468b592c89a71958e1478aa1e163bd080fd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
79afdd30fb88012c4773df9420a83b21

SHA1
2a2855fa45f291d06bad5324d62a6dc9275d8757

SHA256
16ef06031b9f31e70813a6859b6270cb40e4fa8032a26c49d2dded2b21526d65

SHA512
e87a352e698c18162b5085017f229e79133ee12b0a20a7543a01c7207b2bdeb5fdc9159a813f848c4da2df67ace51c90e4381a4b78ac75bd8f13d6d616b47fa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bbf328c246d109b1c07fda7b8c4d640d

SHA1
1018267bae2a75850f7c8ce2f04538d83eb143e3

SHA256
1aeb82d462f6570adc0d610d5a218540b1094280d9e0f5dfe2e6e832ffc83123

SHA512
7f6231077a475c72d62a4ff528b7e33366f228befbab440c24f96cd842ee8ee195f1fb0d21f131e60ae4d3839caf2b643c380b970131db57323ab4e7992c20c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
292bbd0c7f27b748590a57de65ded53d

SHA1
bb0bfbca16ef1a863bb70da03c9d2346d8867078

SHA256
e06baa15ea0d2f8ce6d3c990ef51dc5d20d6c98943116e74bb7e1bd53f6502ae

SHA512
88146d0f72e4a261665de15fb816fae88a5eb991c5e70a31fe3ed059ab1ec7ea6a261acbf624af8203f1f1cf84ab72c509e1f1aa1ee865c453fe3b3d9990adac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f8d1aa52f7ef556ebe139811eed523e3

SHA1
55d3d770e08a58e96e63968dba495b41fddf9597

SHA256
d4d610ef25ddd1f904f076954c7865acd7506cea3519256b86febdb8021280ed

SHA512
ef7505d38eec3a0c35236e41d1f596979aeebff1ab36e9cf70730499cd46b644235ada04262c01da6dfd3f6f1985545863acdcc4ad9a6abe222aa163e7232829

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
55d4d524279d39be42e97a4f495b3003

SHA1
7f6a89309b9344597a2f8dee7a7f580cf11f920c

SHA256
a482358d45b102f90db07af6517c535c055650e1befa1f0c87168fd1f1a5834e

SHA512
c34d6fc8a51fb02f13b2b874676b145e8bd6249b44b739909eea946078d515bd9e6077b2ad062ff55966457a0c8c1c9d2c76ca3ee75650255a9826faa0f10f9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2acc0b8eb6980e84ecceacd0b30c6e45

SHA1
4ce57b0ad12904bffa9f068728c54ddc75035148

SHA256
7363d1a9506a40c24c4c708c4b6fcab537052037e3ed1fee487b26414dea2937

SHA512
f31fff6e122feae7d8c7f37fd6ceee6cc4077f9c1a26ff060e96a99b84ffe491be08e03db3be5684414279d2c3ba3e6d044d63d4a977a7125b75ba3941bf7a4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9c8a00d9f595cce6eef10b12f1356b47

SHA1
23c1fa49d04977a476d899abe316b5c4762d9c5c

SHA256
cf15be84d49e923e684a66309a65c73bb57b22000f2ef6e0d91a4d08ee60f3ca

SHA512
f0144b82b98572feb1d822178172fc085cb58f9a7d8f0e0908f25ba805a091d769f51d5f357b924883cbb8074b23d2a2d214d1111e53f9380db95112dbe61c74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
83c0aebdd866a0bcc9293787a271eb7a

SHA1
0bb6db6ba7d12af3a7124c151c8b52c490ccda3f

SHA256
3e1f16bfd0293f5342d7c48b7e3d1314782a226d1d5cc6ae962edaff438c0eec

SHA512
8beadbc7dc330ffb18edd44015a086690c1b6eea5f0079aab8f2868c34fa216af29ccf555ae3066844a0e7e4be878153e7ec5590d042447a7446d9fef3feaf76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
559ff6c0e35a4c5f187a6bc33c4e70a9

SHA1
512b596e6af6d9377a613b274503ccf7440d8630

SHA256
288c21a75df76544240e9e5b776be9c7f44484f680864912b86b2dbe15835c85

SHA512
1e2f32bd728b40be9be0d128daec6525a15457831c420701931e2f001edba0cdc4d9cb7e0e35e29cd1bbd114e3934cfb8b0b3543738cb8bba567300ef5293d38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
99f46f165307bda02536bb5d3292c1b5

SHA1
489bcf55a596924c7b5355c93398c0a8fdbd7cb3

SHA256
8e76e2b451909f3ab56d2d80fbedd6e1e8f1c52faa3d5635fe094e7f1f0d4428

SHA512
925a83a231e085a8e59cb8de804cc543d78fdcb17344e3254634f032bd616319c1aab159825a1e2d556e6ff29e5b9eabc60d9c69003864c634dd16f3ef63bdc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
22127a6ada9037dd5aa6a6e9b4ef8fd3

SHA1
999bb3044e24b865f513ebe59b448ffd7f6ce90e

SHA256
5d3445409da560a2870fd81bf08b41e1a71af7fb02cbb5291c9959af274b04cb

SHA512
404d38b0abb362a7c9864f4a4198f0c5db9627ab26383e6e4a5c3b0a0af8db0f6dda53a3e85deb32584523a8349c005066a1ea3640f750a2a8cb542696ae1496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
895deb03dc64b46f1c048d9f4b611265

SHA1
45448aa2fb66de015f129f31ce640c66d5866c3b

SHA256
7adda07c6c08d20e2d9fffa63e991164a3cfc24284b5fa4c08356104f59aa58f

SHA512
4b3a9186387728efdb2c4a81364f00cef7f6f445fbd1479890036cc23f32d8142fb77ff989401d55192604ba56df484cca64570b7eb5cf2262599713c483a116

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
cca46f4384cb32bc81700d8edcd1ba51

SHA1
2f1a86f6f5d1823123d3313e60226b60e8527687

SHA256
6b4254efa34d738aead6e6fa29e65f5570cc81d85b9f68e2ab6ff72f6be4ffce

SHA512
2cccde536a337d435f0a54cf0e2a1a39465cf2f9774c3cd839ba3c3aa8b6d03bc034451a790252d005dc886d719d6c9e89b51b2c3adaf008963bdb3569f1464d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
99f32545b7408c8d7af1e5c72f21c884

SHA1
2e81c6c640c15df3026f3de8c497603f6a7a9d59

SHA256
17208119cbc0309761eb865f0997cd2878c8687c6812c1accef4b3ef73cbc0e3

SHA512
504faeda56ec60021dbb9e948fb16744402f54fe3a9be3f4202ec367f9f7945621faf850fcddc2e1cd5a99c05bf37e9175665ce44c43e25812af5af9c766b47c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
82aff4a27f595284ddf7936c18e64824

SHA1
d7d30574b942dc94c6af1fbfd221e79eb8e33960

SHA256
62ea03f39ce9af9c1c3237352c8aeb55d6307f9cf6042c491419831b8c47c8c7

SHA512
e0c41d4550632ce0c2f5685083a97368a027a165c84c85e58133851910364e1898c7e3856ad58b9a5a508f63fe7cae07573f9bbe753f00fc52107ce8edf2b058

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
fcdb095b086f058ddfc75d7facc1aa5f

SHA1
5a6d5fd68c25a93b03427503d179558141523ea9

SHA256
dabc409ce2885b16bfcfb4beb68915de77060f263eab34bcc39b8d3181f51de8

SHA512
c161c2caec68e171d7165bc63da87a3abe3ca72391e59756d4b9f817389d7959b1cebf3342ca639708f316a22f549d53573608b54978d56538c323a4548f8f5e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
1bfe69a3f7415ab14bf1b7691b24b1e1

SHA1
9c8066626f793a2542ebba4c2493313eedf98ef9

SHA256
2a7fd5f334466193b0c4453b64bfe912d33600de594e4405d5fc5a2cf061e2e1

SHA512
7984a1ddb0230f4a99d4af7ae80954dc0811e3124c1feb3a98dfa0a13b6d1ee805ceea88f5ffb88492e332852d6f423d471826114a17e91d91880c3c83877c3c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8239eaaef97e023bdff12e5049cfec2f

SHA1
5c5e92d49c7f28ccb85c19905f24b147a3df72dd

SHA256
d344902984760bd0a517505c7b3567d79b05c9b7614c189b3560041a830c623f

SHA512
8a576a2ec242c38712c805f6b7de4566ca1f445b23008629c9de2d9070102c5a52648aa9939103be4d603b6523bbc8eb480278fd96309b257ca5a8b30a618242

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9c6fae1bacf061be705f8f6c61c353a1

SHA1
4986cc8bc1fcb1c3dc7edd15df2c3a9eb6a3b142

SHA256
c2ebb070e55609af271cf72cf1bbb7d00cf04f7fa930a58710b2d3782e216925

SHA512
af6018b4e7cf1913a5807d390043d5ca08d2c15bee34b4abb2ac9de5fdb99c447d2a4a7f4f1d588ce23b336037ea921ed0d62094a548e6173d5796961fcd3341

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b78768817d3ff21bd284d4c563d22424

SHA1
cbb0c2f7f0e0d68ded431720a18b9ce6e4fed8f7

SHA256
e2443c848cc932625036ece88f9386751a13b9b8118b8f5c189c5d4b3e949860

SHA512
add767dafe9451880497f42ce50f5e87483e74ebb0e3e7ba19cfa5bb8cd2b598c647cf3efe288a323ef28fb5c205053525985ce6c81b35abe5f6e3b4a0ece527

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a9ee3c01ff58a601deb9855395500cd2

SHA1
b01d8b17dd3d147007a87249058c7316d057a9e1

SHA256
da7c88728f9d724fcb4525c33dcc77f60d0f37c103434c16a9df8d4931e86a20

SHA512
f81e38aa111a02ce4a604c27c7c708ad179685355905631d5216df42509d1f96c759cae642ae4cc9557ffcdd648198a2b474a0c6e5eae2f492b33d7c89e7cc92

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b6124307afa8bf1852d8eaaef7e20a0c

SHA1
fcdceffddcdbf2a2fbc152547f3b551bf79b65bd

SHA256
eba4574e5453d4b9a09cf6827118f85147b465e919ac3e250884a225595cb44b

SHA512
a75863ff0031cdfb2eeb5621b04b441d9edf5c615d6e8e54c6e3e603be1e6952c237119c5e790323f78a98215f4a22eaa0b353e7657f1a3a87ec61923fd027fd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4e6d67f730227e7441f780ea97076ca3

SHA1
4940a3ee44d60e0c8b91eb1080d8bf404acd821e

SHA256
782f3e9e48fd7d085a5e9a59766cb2690155c05abdeb61e51034e23ac6f60ef0

SHA512
91787f0a65905934aed7c1b1fce1abfb07c59f7c81a8d19fd2765760963482bf59e79b0644c4b4c8470d5c5e7102a380748581b2ff435fbf2fbb348026b34e55

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d5dc2305e3091696b9e7cc50890c2450

SHA1
86f63bac22ecf005ce459a6c78d69edf6c16572a

SHA256
48bf9078768a360ffb0c90ea1fe9217cf8b88c4c9549e34933dacd239597015f

SHA512
57593626d67abfac452e3158a911da2cc71112415eb558a35a5d394b90b19f242ebff16758e2752868cb5e7c00da8510b6e9060000bcf5eba4fbad2edcfe719c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7b75e1dd3176bbe24126fd0ad02df4ca

SHA1
073940ad225943b4be8ce6b664670e51f48dc7bc

SHA256
812aa65491f1c3ca2876b95fb141d878774c1a7f2162f8c5c5836c2fca4e7ec6

SHA512
e22c78217c6460dcfabdd371536235a4abacf1c689939893319ca05d4901ed05aaceb48496dc6156d7dfdb7b103b29d0196c2ce2ffe9c293fe89f1c92c21b1ec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f90c8cacce8cbaebbe3fcf08f7257ac6

SHA1
e6870c2cd71e64f814081c1de646ed6b5a358669

SHA256
bd841b5847a10f8bbf30a47941e2a760349946afcf988f97d0922aa3025a2a27

SHA512
64c2446583dd42f946e9b76adba3acc5848704ac6e0687742acfbc3c1db4b995fef455430c98533eecdf7e7e314a3b58ff33944ca1fac83d135c942e655e97e6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b74f331b27beadd85a1b1f3f435a7d22

SHA1
6c41f26d8bd6c5db4e3c23bb709f0bb47bdfb28c

SHA256
7ca12add369fde8b458ac08a0415f576505d11f6bce3adf834570e04953b23d9

SHA512
3ae745ea328dea7553be20e941e3da8cec9ba36a344342d82af9242e43784c05f0da591e4ac48d335db55ef72f05c636e6d222ac6c1f84fdac405d9043b69af3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b5a4415f7cfd047dc8508ded1053d6ec

SHA1
9590d57bed2893b5ea922665bd623ad9fc378981

SHA256
ee712cc558f90b247c8c0f2355f6247040de6e0664c5cfb8b501101507725273

SHA512
f6de76b3275b9862e1bc513ba27ce278a09b213a7cbde9d5f4ddc31c744fd94cb205f8272c8ac239042bc0a58cc9d6db27aa12d6288098eb2157ce772e1cf146

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0b68fb023c7ebca3846b84eed7e6a1f1

SHA1
118a6a4d247dfd4b94a07521c10a011a03ec7f3b

SHA256
73c159bc0d6f07b53fdeab62356c4d33c2e749b9069db7c348bbccce2b7d20f9

SHA512
282c19f87c9d32d4963a906cc5f8d865c7b6cce4d379dfa7a22bdb7d42a163bce7e6e52d8d2eed869588a1b8b348abc51e44f9efccc0a672b716a8b5fe8e2857

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e597a65422434bfc7668ab538c4fa50d

SHA1
8708880449f10c96ba2814c27781ed26dec67c7e

SHA256
4d9d11b44f86d7580a340df361bd3aed46352378d39a8f19a28e19689e0ebadd

SHA512
c9e5f7fccfc3996924cbf0a1e510785508dca5ed473f614f2971645b974342bb191a6e9b30fdc00c65e6ae001a04a55ce53b31bea7ee14485330f4b0d31ca0b2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
28f70593e24c9e43524aa59c84fd9192

SHA1
53013c11544e5a1ed7fcd1490a7a071971516b11

SHA256
8479f86eae47831846adbb490bc6fc25aa4d12577f67fa6302a860e18a14d8f3

SHA512
86f9e04dec174079b84edabb4b456dcc4e069c1bfa84ec16f197dcae50c021c7dab0ab63f4706d8c958fc9ddffb91cc37500c9c1d5c9e4bff07fe2312c364e81

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3461eabed12215373c09307445710924

SHA1
d788bfc1984cdb0117930590a9a5323e38ae4e98

SHA256
56bd83c344bd5474754349c1b1c2ff487181d391fb43399897817ac2271f45a1

SHA512
9f459903d42de2e3f50914e512af43f278bf4e731d5d4a0ade7861afc292820f6a987422d849a951fd24ece3f6f52387d30d20d85c4614440a0cc8a151d13ab8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e36e0b3009518bead0541a76f2259a17

SHA1
f02a4b6beb36291f48d1f7bda269cbf4a9cc2461

SHA256
2e8226d2307462f87979ef34ee45483088da84014daac5238199e7bfee53537f

SHA512
18db49304d40775a91397ee03bdda4dbb9166210a4476d5bff80ed5cdb74dcb1286a9514ec33a2a68cdaa21239bac0b609b1dcb80fe87e54e9bca512aa74a780

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
576KB

MD5
566005868420e2b86ad6aa711200fe00

SHA1
3543722e3da2119803f88aba325401f9d2db4c57

SHA256
25c7d5ed26124d782457e691eb89a9d8277316dee848b37457aea2e14243e6bc

SHA512
1ef5c3100ab274db8ef9b1760a4b59b40b0451784755b866fceb61ccddb3a729173dcb58425e25c7f57e9d42092b2f0a7bdddc4364b817b0d8c3d0f248aff76d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
eee2c6a71115042994652973066faf7c

SHA1
7c16f0be8df46e7752b657c427abfc466b8cf61c

SHA256
204f950e35fae98478f114a9a1adbf4886eb53fe7ac12ef5278d0946fc8539ae

SHA512
0b947c36370dc9abd727179c662e0753fd5f75b51da83d5ac16d09820c10247468c82a6a1e425280c3571c3444a477bed429fc9b80edae975aadc8666dbe832f

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
384KB

MD5
66600de68c45a113a7ec6f2916ccbac0

SHA1
92001e2712a51be7775ad31e8b7981b61cfd66e7

SHA256
1615887e68440341c39ff38a767037d2f25fa40f3a15282fcb57470939e896d8

SHA512
bc274a6af272695b0b2bf4e33be33752c3bfa55b872d9713f27ab83e5373adf12347bdcd323f30493998ebf02330b85d97d586b1dc156ba162153599928d3d31

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
576KB

MD5
7b2ba9734c426ad876949d6503059eef

SHA1
f6d399a9a0b68118f05f8d135d51e1d664e39d8d

SHA256
3693524ef104fc06154e231fbcc3caadb77be106bd9483e36b63af0a9e65470f

SHA512
9b3e783ffa3814fdf3c5f3d5e60162d429293972d9b1e2197cd4f1659f67489b1dfde5bf3c3bff5c9de791c9749978e06e684799ee712902cd9e9281e7bf3e6a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
439KB

MD5
9414ece626102d51f4c36c8a3f270b1e

SHA1
11e59d337a5b44f8305236475cec32ce6ccf54d4

SHA256
8ebeba3200bbe450ca5d20ce37997f04fea4e624aab8e9e5fea6c7bbb45548cc

SHA512
c251654cafd22eeb6df5161dfc800215e78eb63265ad62640437d9f2fb0e6227a9ec8350399e9d79807d35d60f3bbe2fdc4b4189255471de2b484cfcfc5094dc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
448KB

MD5
06abb93a423c69e55069d6983ff23276

SHA1
49a37ea5d8b6aa9677d18374014ec47b575d87f4

SHA256
57d476a95176262e61e528fd0c51a95b92305f93f7fc9af66c4636de552ef8d3

SHA512
6761cea7db8229ea22aaa6b1d43baef58c294a9a014d94f5d372662f8bc64beca9b12246b3301461c7c65fa2189615e4b000bcc41fcea3d5326f3776ed0ce716

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
96e0191810a833a269cf8488b32263c2

SHA1
47beac99b53c70d50fbaa034273263e3e182a0fd

SHA256
c428db1a1b115aef3049a0feff63d993cfbfebb7d5983172351e0ee34ff91ef1

SHA512
d55862c5e810951a9d46ab6af04d452f750c929b55438ea1efd70919a7ce334daa6eec181d61bf9bc4e3bd0faf5cd4dd35277376a6df07c0f2f095ac302a49a2

Download Submit
memory/400-348-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/400-179-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1152-464-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1152-358-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1432-347-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1432-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1612-69-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1612-62-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1612-66-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1612-54-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1612-57-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1612-63-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1868-163-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1868-346-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1960-166-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1960-118-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1960-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2092-149-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2092-139-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2092-340-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2244-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2244-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2244-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2244-76-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2364-71-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2364-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2544-342-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2544-152-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2708-122-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2708-177-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2836-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2836-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2836-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2836-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2900-93-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2900-99-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2900-92-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2900-148-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3144-447-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-465-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-458-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-455-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-453-0x0000023235B40000-0x0000023235B50000-memory.dmp

Filesize
64KB

Download
memory/3144-452-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-439-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-437-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-450-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-432-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-433-0x0000023235B00000-0x0000023235B10000-memory.dmp

Filesize
64KB

Download
memory/3144-459-0x0000023235CA0000-0x0000023235CB0000-memory.dmp

Filesize
64KB

Download
memory/3144-440-0x0000023235B20000-0x0000023235B21000-memory.dmp

Filesize
4KB

Download
memory/3400-115-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3460-0-0x0000000000400000-0x0000000000A3C000-memory.dmp

Filesize
6.2MB

Download
memory/3460-55-0x0000000000400000-0x0000000000A3C000-memory.dmp

Filesize
6.2MB

Download
memory/3460-1-0x00000000028A0000-0x0000000002907000-memory.dmp

Filesize
412KB

Download
memory/3460-7-0x00000000028A0000-0x0000000002907000-memory.dmp

Filesize
412KB

Download
memory/3460-6-0x00000000028A0000-0x0000000002907000-memory.dmp

Filesize
412KB

Download
memory/3460-180-0x0000000000400000-0x0000000000A3C000-memory.dmp

Filesize
6.2MB

Download
memory/3584-135-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3584-125-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3584-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3852-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3852-34-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4344-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4344-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4344-32-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4344-31-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4452-158-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4452-156-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4484-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4484-345-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4756-74-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4820-134-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4820-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4820-77-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4820-88-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4988-155-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4988-104-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4988-105-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/4988-110-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download