6af513561a80089bd5d863be42d99d36afd5350d7f11012ec3fe782a09df7361

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
Size

1.3MB
MD5

b4f11a1e22043cb737f94480b0c240ba
SHA1

c11f380e2c6314d41add5aaaaa4d00361e103598
SHA256

6af513561a80089bd5d863be42d99d36afd5350d7f11012ec3fe782a09df7361
SHA512

989780da68db3049750c3732c0d4983fa3023494e1166e80cd298ee1391419f6a61c566608c349b875e5b7a96e7b45ac7e4e8a1b8d3ea2a9c458580711ee3d46
SSDEEP

24576:N/0JmbJwh0nXkrjE9qLKjDNxHT3cxLU4ki3s34ORrExEWqifuJXVRzzAV2J:N/0Jmn2jE9qLKfNxHT3cxLjkicoOxYET

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
4828	alg.exe
4484	GPY3354.tmp
2176	elevation_service.exe
3116	elevation_service.exe
4676	maintenanceservice.exe
4220	OSE.EXE
1732	DiagnosticsHub.StandardCollector.Service.exe
3684	fxssvc.exe
2836	msdtc.exe
4808	PerceptionSimulationService.exe
1456	perfhost.exe
4212	locator.exe
1072	SensorDataService.exe
3608	snmptrap.exe
4516	spectrum.exe
2888	ssh-agent.exe
1156	TieringEngineService.exe
3352	AgentService.exe
1928	vds.exe
4876	vssvc.exe
1868	wbengine.exe
1052	WmiApSrv.exe
2372	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a39e037205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000938a4fa2b979da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea1359a2b979da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b2b0fa2b979da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000425b21a3b979da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7ecf7a3b979da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013a205a2b979da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088757aa2b979da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e986aca2b979da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe
2176	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4392	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
Token: SeDebugPrivilege	4828	alg.exe
Token: SeDebugPrivilege	4828	alg.exe
Token: SeDebugPrivilege	4828	alg.exe
Token: SeTakeOwnershipPrivilege	2176	elevation_service.exe
Token: SeAuditPrivilege	3684	fxssvc.exe
Token: SeRestorePrivilege	1156	TieringEngineService.exe
Token: SeManageVolumePrivilege	1156	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3352	AgentService.exe
Token: SeBackupPrivilege	4876	vssvc.exe
Token: SeRestorePrivilege	4876	vssvc.exe
Token: SeAuditPrivilege	4876	vssvc.exe
Token: SeBackupPrivilege	1868	wbengine.exe
Token: SeRestorePrivilege	1868	wbengine.exe
Token: SeSecurityPrivilege	1868	wbengine.exe
Token: 33	2372	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2372	SearchIndexer.exe
Token: SeDebugPrivilege	2176	elevation_service.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4484	4392	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe	89
PID 4392 wrote to memory of 4484	4392	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe	89
PID 4392 wrote to memory of 4484	4392	2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe	89
PID 2372 wrote to memory of 4756	2372	SearchIndexer.exe	130
PID 2372 wrote to memory of 4756	2372	SearchIndexer.exe	130
PID 2372 wrote to memory of 3404	2372	SearchIndexer.exe	131
PID 2372 wrote to memory of 3404	2372	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_b4f11a1e22043cb737f94480b0c240ba_mafia.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\GPY3354.tmp
  "C:\Users\Admin\AppData\Local\Temp\GPY3354.tmp" --wait_pid=4392
  2⤵
  - Executes dropped EXE
  PID:4484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4676

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2836

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1072

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4756
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
452KB

MD5
539043051a1847775c199929071787bf

SHA1
9af7714e7f5663ab831ec300288f997915580580

SHA256
e890d5f6d06efc3bed6a3ef5c2ade55d926b0379f3c186f29ebc0b5c8a9e4483

SHA512
8558ef6d8013ab34d40e3865decfec3522cfea837881de232af05295dd010c28af386406fd8bcd3b809a26a5c611ffdb0a7754ab9a8dafe45a7a83de20043e22

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
67KB

MD5
0119df60f210c3a286233e70ffccfcde

SHA1
ff3192d288a9147b3724354bd3688f6c1475ee07

SHA256
3e2b6270ca5e483e205782a39a14689cb9196a5b8f1adb3c1013a9e72f75e9c4

SHA512
16517b748809e50a98595587010723137d85387fde1323919395faecf5d998b78abe55a455963cb97546384eda97483158c8262bda56a3d963e17df9d40336dd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
851e3e900f0767ed1c8484cff331bc61

SHA1
5f263aaada95dc8552adfbdc0c9940a2d736359e

SHA256
5f0c181ff786b48e0fc3bc7136359e878b36cf5a9c6d81e291a565256cb7a397

SHA512
f450d10158500c60c69bb7775b75d5d34725da5c9f0c9da6e4707b60a9b79e65781bcf3ce943a0e755c127a1f8f056c5a4bae625a439b9620687b3c347306781

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
30e733780cca9991e4d84db3814505a6

SHA1
ede1a6f9f3540fa5f37d6c225b052a7d62c0c60d

SHA256
a1f2e5c36f82a43bccf2a6d85f32c7b4aac7fb3da97470042b5177e8d53dad1f

SHA512
cc2797d51aa27d4e521f570038a09741ae6aa8739f1b0e30c02fab0d6141629aad86aa4fcdd634ddf514e922aac774f0a2eead02b3e1b3c84ebdab502c802736

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
de871aed79529bfba59aa16abc13eb10

SHA1
ce8d4bb80a4f93d83035407e8a1f826635c87d14

SHA256
05a6e0a0ddfafb73aed6d17c76b6e9b3a564ceb5a5c54cd3cb85883bec18267b

SHA512
9fdbd86ae140e888098a7b4ac35f601ada22e70a7cfdf4a7c40e0cb7ee8a7763595b326fcf812d9a48edf97c6efa59b60f5c24e7a204096beeda44acc3c160cf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
704KB

MD5
a4a0bf3c413e08dfd11b214aed840f87

SHA1
b89de00b8a935bfc84f731c02e64af68079cded6

SHA256
3127560003f9ba9b2dbe2f1a5b3b4ce625f7fda2b75e546a1aed627c14633d73

SHA512
697fd52bec72b5d38da0cd1f88bee3cd895ac52b80cf8ed6c3cc09825077839343ba092c89155b506f7576449fac26504e1dc93e66d96556838df3995c9c9257

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
9500f4b8ec29d4eff54f5e483e9fb9ff

SHA1
4444c77c2ece8d42ef4f2f4ad917ab8256158387

SHA256
b66f1ee7f90d52918f7679b16d2adaadce2d7a850a8bc449bde0aee756fd8da5

SHA512
82ccbdee2370b0751d52a1a0d2174fbe5eca15f9674b54635af993f7ec147eae40da11d82b6cb99633d38c49f807b99a7bac83b69a18aff9a847a1bc468f0575

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
576KB

MD5
402112d9eabf89b40c901702cea6f01a

SHA1
9fb2f635865e236e725d16c8cf03feab3620f800

SHA256
e7d483a10afa7e642e3b473b4f814848b1f0c1b83435c64a6af935f6d9f50dc0

SHA512
c7e73da372fe6dd1b130809248a24e7107d06fe9879befe5988d917ba3cddce96789669e9c0ba2659ca0632620186412e6652f00d5a1a3c8a9807cfd6cad3a23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f495a5ee65a264f96da31bcde9f4a948

SHA1
8f26c96861b23ec92b89e549a3a682d54e182bbb

SHA256
9db88b63daaf9686577e1eb5058ee3efc902bd74cc0b08c94541dea9b92d9acb

SHA512
03b883fc3a9bcb0d2b31a0942ed16ec71eeeb2206aca14c82e66d467fe4b9e4f4f989319f7dd873ace78cde6dba38278854cc311cdb8ea4246f9eb00da32796a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
7d8b9f5f329fdfc500180c144a7d55e3

SHA1
05c0ab325a848c2e1cdd83709501c17324c2f619

SHA256
808c3a4ea8a4cd3698e9eb08f63be8b409c982c80968dbe4115d0fbefe2367e7

SHA512
5fda0f6b532b2f3fd547ce96ae88781e1d74f389d1c60526be4b04ff5308147a9aae7dbe13f6cebcb890cd79ec67a664d6da7ee2fefe677a696b20b5c490a3a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
576KB

MD5
4ee70b19d3ea5ce3df66f322480a02f7

SHA1
2d2dcc778e81c5c9becdb84c31ec41967752a5d9

SHA256
afab05b262db334502ce1e7a257fac785bba81214376b72dc0cf5739ab6cc737

SHA512
b47bacf952006b2f71583c2610ed0ab6cf0db739e4855d698203841bbaa9919a598324bf56ea494b2dd4fedad2cac3fd02dea9166ddf27fab5e356c6a1c0058d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
640KB

MD5
a47277d7c3b124548c516e4c8a9df0cc

SHA1
75336228362a83157f5997e5e26f7e57fdb5451c

SHA256
8a644ae473bdbf50ef7809354405337f08afe6aea989209bc8190cab14d10470

SHA512
c7f0784b668a1a935e1222997020e5304cb4286f987d34c11a57acde61bd52bcaeade6f0e02308079c74c460695b0329cf1983977a9bae94afed4fb61b521060

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
10de1f10dbf202b216ac69f1d91ba8b0

SHA1
cfa8384980ecd250db91732a76eb947635681ab5

SHA256
089f4fa78f518524cc7edea13bb4844abe5c90fe905a02954709da265c015556

SHA512
106305652451774f117c96ad932156cc6f20c1ec801352ee6edf97cbc12d4f671e985909468403bb8abed0145c231f3a7a932d516b74d7e29bff40cf267196ab

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
b5bbc224e69daee7d90f91c9d2d7e457

SHA1
d85e1e6d6da872ae5f2eb08fd748bad3f50e65b4

SHA256
e65762905c8a435a22043d39e084a51a89424d68ee69bb9187cea7b0dd72ecab

SHA512
36751ba87cb8be41e7d72fc6a57ea6aaa05b70d7b30a05f5ca15252d9f2ddf1a491265b4f3d3922c0ea64685db48c96206abbc0d3d940ecf8644a3b9e506fdd9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
448KB

MD5
e4c995395281f280399364c278d867a4

SHA1
50f8a5a678afa55c670088edec2751692472be96

SHA256
310ec2240d52cf677383a4e046624d7a1d928f57edcfa6ad16f409627f0d7a6a

SHA512
2778c2fdf28038de7d2cf88ff447dad1c75347e377126dc2684c7bdb68bd842cd0fe971c201220696470e42150ceb223cb14362b67244c39a327480eae6502e8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e67679c7974b0ecd0db03e46e64768d6

SHA1
85c68b34b7a269e3050bf3fe14277419a33ced59

SHA256
66360c775a5f4fc51f090ee19e93480d025d0dc563dbcd4835b2491b26bb4521

SHA512
3958cd0e8f3813550f94414d20e4e6bce9ef0748fb1f8bf164cfa570bd329fad9a4dc5e6b36ec89a99d168bf0e38936f8d1175e8d532e916ae9d5a3f7ca38d16

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
8337ce5e341322cc8147a62ef137a31a

SHA1
5dc7f5c98767dfe6ab1b3a36997386dcccb6a925

SHA256
e5dee9b1353b5aa7cffd9843d201137fedee92c36434597f5755126735e508d5

SHA512
8039e38f3f6c5f2602a9d2ccf15a914ce346f53b72295504ac199966704e5f688fceb376bf6d6eb8de15274b7f6309df7e0e2d8d31f004074fdad76b689bbb5f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
3a57f3dbf79c2164344f09f93c14d6eb

SHA1
42dc418f6153203f254c9b6abcfccc333486e4c7

SHA256
3da5be14e1fe8259b6e367be736025a0a4520adb34404f5649215c277c1a7830

SHA512
06cd061a9d5c0362ec731071c805d3b8bf239b764adbc5d0c37df745ed5b2918908f2278bec1fc4b5c09bde03d5bc601d168128218d447dc38beb8b12bacf597

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
739KB

MD5
f9a34b800235fdddc84cf1775aeb2c88

SHA1
948ad7a506faa4a78e4cb5cfaae015f3bf177a5a

SHA256
0ed895a5cb4fade87ab1d26b498b4bd49c4f461ed1b979d9965b4c2d83df576d

SHA512
084969f6914388ef8d6af53d214cedf85e7e632d803720d24004ab1022db5c9ad4dc196e06b01b20d0c852ca64fac1c83fb3703bbb27ba92a51ebdbb23c379cd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
ee6910273751944815b07dfe0f218c62

SHA1
1a593a04e7e3c322da05519364141d4cebd5b93d

SHA256
1c8cce33d0401b7300a9ca5438fa39817e14f5213bebc7ee27a148db6a48257d

SHA512
017260e66df8808560ccd2c4994672da615b5516db1643b3f09df4763a4393214d8f4fcad6c3e277072be96b2a1842cab1738028f484eeaf7b61b303ff352199

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
da7820df955182bb36fddcde062b769c

SHA1
f2a599ca92deee56a22f0dacf61ede567094731e

SHA256
fc034a47e78f510cba9b4ff91e8c51d8d64ed3e8fc3329641d8292deb1f74981

SHA512
7a98ae361576dc5118e0f9714937bb6c7a340f67f37760fc6f76a2dc164d69cdf76b477a96ccf7fff543cfb69b3eafad48784ead5d39c2084ba4fefe4da6e584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
0b328b48f7787f765459636b21dd0a40

SHA1
d8db8af2ca6cf6e7d07dbe309dc31f73afc5e92d

SHA256
1aaf6f8f5d9f846a8c2a53c697d5756928c5dc4147f847e051df9bcb033010de

SHA512
e39776eb7d6930638645b6bc7b6f05915b47be8d07b3dffb230e6c1c5ca879f29de5f8d77c0eaee962fc417dc173a368a8a27ada55112f2e5788bb014b85890e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
10da2d9b8bafe923b8a1da8e8c04d5f0

SHA1
c32b9f72b030a5d850f647cfef937b7cb1200c36

SHA256
fc6c6c9a4c542f5ab2e3486ab524e7e04729f665f8bd15aa401a4334d5ad35d7

SHA512
58829ca65e7f95e2e636287dc2cbe3363947bbd167b0f50e205fdf20bece8ca3d6e80f8fe0fbbd2df848976d2ac35c2c7b4549d44d6a75950b4304edf6ebf0b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
4209f361b61c5561a1c643b3ccfe7a59

SHA1
72f8e3fe701016982e341c315d19f6a0ff5f49c8

SHA256
67ca4cf83f16b66ef5352e9c2bad0d6cdbfef964d57a788c9b7b19bdd7f93d72

SHA512
719ace68dbc2c18c04999b09f683e0896245049e9a26c36247083a0f1801a28d52b6f9ef8d14f78fec3c8617c55db32485f3c3e97a3a602d4a4e4a708e14d913

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
0aecc98de79a03081f1d0b2d83310285

SHA1
f186095504c4f0be553838e48f360e6e80d54cc8

SHA256
6ff849bc1757f6729830b7c1998402c3f44374ba8c174c267495f533623f30d9

SHA512
c6f208685a20c49b701db3dfe52b64724506ec225cf69f8c134a59b80182725e8e7217f89a5b1383d6a5ab684e6e191c675ad572e492d8b0b1638b34c61726d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
2385ae1868b7f869bd3c48bc850b7b12

SHA1
a549e1a0aeae6478037f3201fd25f89da03794f9

SHA256
d308c85c1f718429a33b7080427f8658fcefce60b19e21a346096ff4a8a6793e

SHA512
3e220c410957c1f4a569708dfcd1e2ae99d4dbf2f08dcf9cafa77bdce35d914297f21cb70c1cf895e19a059a566a931f353a6ad67c00a820bc10d68d0acbc091

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
256KB

MD5
d291b4286e8682bf8bf6db0f8336e441

SHA1
d5f3d06f9efdd2fc408a05a2293afb0edaab7e33

SHA256
412f31237ca338625efa88ad69ada9cda6368a7384f9434f9e09f08cd0b97bbe

SHA512
194dcfa400370ef1c7f5066771ab170c90d4d1e143216e308585bf8d38b0dbad2a8cf78a5561caece2fdc679417de200026fa086a82c36a93500e79e2dc5049e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
e77ac45b57e06941437336dd82287aeb

SHA1
a93c6825453d5b5bb8bd65e1b69d7a6e329259e7

SHA256
11039efab5cd46168334a17caeac5b831b7bbb2f907b639ec570932b091edd05

SHA512
93c321308a69544b956c074ff31e5db7060a472f2394f07b9d67496ae1cfcad8d04716e01c302cdc1f1f41685b7aaeda8800a5a361541afea753c6d1ffa11575

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
b5ff40db80aa26665a4f018fecc20877

SHA1
3490fca466478a230715015c7999a0e37cf3bcd2

SHA256
d845616eb8c8d698dc2ae23c5123f200652ead6a1f4319d9e4a7d7e7be22cf7e

SHA512
6e7b4df59b8824ba8ff3f94b3130ea3885774a6935161747008895e4afa3dcbc0919aed089b6582b21281a78ef36395a464f938b40a2132829ed916434953087

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
26c73bedaa13df16a49f417ad563c526

SHA1
a23fb55fbf994dce6494a6bb87e1dad9c77c6c52

SHA256
8f76c88275ef2a6860ec404cff5c47f63d70ea07d72637bf2ed9010f67c1fe0c

SHA512
1003c5a7770852d970321f4c87a5d8ffc68fb7bf98baac643dc5dfcaf725ea3cd658db456120a5263119ec179fed8e73e91cb0f9517b7622e0fca2e2da64863f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
06ba71aae814da9d761b451b1b8796d7

SHA1
7cd6d81ce59a9746605b8231a48a8200604037a4

SHA256
efcd9d506a8cc6b9649a4eef0a720ada74645049684c99d2d6bbded73ee2ab8b

SHA512
1cc1bdc4e32f16d261496e06ef79aeb2c96a3f1b1d928b1b6f9aebb6d028346a47aae0b89e25332fec45cd558734a41a2c87be61708bfeabb479dd0cb242f1a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
a31b7c9ee70ac8b5dab9cf404f2659fe

SHA1
103503720a9064dd9d5065b45d8e2541d3490f5b

SHA256
f8ca4f66cefe99a65e58a16fa085636174597ab827178037a3a9a5570d61015d

SHA512
bb84068dd33f72afcfcd8f1cd5617208e57eb8f5e559aef92fd859a2ca44f42358a176f1325e4ca3070121bdd3a02c0a671b7a2a4a004ba155c579ff503f0af6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
256KB

MD5
c0d42e2fa0c6ad23cf6ff38eed9a7de3

SHA1
930014d97d04f4ff63612f2e1c933231f208c338

SHA256
4cb177cdf267ed1f3943ad504db31e5065da7c9f1ceddd74067848810b1d8bce

SHA512
7a98e582ff759e5c65e8ba152e2999b4fb7bdeab0dd35c8c36f8e31a6d11ec57f1dd535b54d3135a28bdcfb35932d5f4bb1bc3dbdfdeb67cd4eacf60fe822236

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
256KB

MD5
7d86ce2a8da037a0e9cd3126a0c83785

SHA1
48f0958fdc662133a278610e4061c3376b44d0b3

SHA256
4933513afd40a5b08f506731e26247755368d06c5cf6ef92f91788a19b7f4d31

SHA512
9929b3fca13918058b2d097b0de606dd733bdf7de442b162b23754484d1e6a9c8ea08d7d53b437598d49e7eb4c617084cd9b91b0b52004c898a08f3f8725e66c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
256KB

MD5
ad2c203d2678c397ee51452c612b2de6

SHA1
1799e7d8e2460ef58b3a32f72f25d3c7cb768284

SHA256
61b21ca8b27c41e6517ce14681101ebeec83cd57f3565c0c13657da807853bc7

SHA512
5cc9ff8f59e16a67982acac34502c63c318b162ddeef989b56f3506c6c87e4224ad13c49d1704953a15095cbb86414996858d3231be51d25bd53d725ac9b4205

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
256KB

MD5
d87b60afb2b4d5be1079d579c1233145

SHA1
0e7d6353efa2771566c6078a68d3cd35e2266860

SHA256
c86c95ea283b2e0b5e83a0945a1397581673d63e6fec4508e4233e5433dec400

SHA512
56fc50f4fb8569680c423ebebab4f528ace14ffbc992e116550be6b462c03d05df08e3eedf00f18dc84a5a30d58b1bc65b9156621dbb2367e8be26c168e43c81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
256KB

MD5
c59b29a62e826a11c12d098e0d7076a9

SHA1
1d6a9a83f519ab98c31eeb05fdce4b7aa5bcbd3c

SHA256
7fe47774f29556ba11ff2978548a5f1d8762534e9dc2d9b92fbc2f572b91922a

SHA512
52e0cae81a4a2112a02af292a939f18bc40a0b016b60072e035925562ffa25b08c20ba85244e64a2ff6d984221947b6295f28b2e61003707da29262b3a704f32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
256KB

MD5
f305db6bd88b5fff2091017d065872a8

SHA1
72491b6c6a22325019e3fdd66d87fa56c9b4abe7

SHA256
488cf2273bfffa713bca7c09e1505d7673e1a507942369dc2ff1cd2c1df97a2b

SHA512
2251e229a76921d39e16e3da6792ee7d4846b99f3733a289c5daff9dfbd831833496a6536f7cbc7cf76dae4136a9c55556c2621612cc21060795a0734efa4ee3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
256KB

MD5
43c0377babb5c13e3419cc9b8459d04a

SHA1
526fa64245d8933ac1b21542dbbf3b6ffa94a1ee

SHA256
fc45dc3a17f433a4bc0f7bdbee818710356cfc8253c99b81440efa00a8dc2724

SHA512
b38cea2967847026cf96d4cfd1b6d0918b4248b4b30c1864406f1fe98a62e2494fa18be9eea2ba256d4ddf80462f0a8085e39399aa42c4edf9886e4c89ea69e0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
148d64dc137bc30fdd13f93995a27fe6

SHA1
979d3a33b956a3fb3cea675b2e94006426421481

SHA256
422ee43dc9b0dd3d6d902635421cba8d916008ba8f5fc9abb1e35991da328b3a

SHA512
07a2d546ec5cd2c129048a8a77ccca71420484139bc736554950640c27bc0c4d7a21e8aac73ade6c3b8ff907f67e80b29a200a1d910dc1d5a4232c9330e75f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPY3354.tmp

Filesize
794KB

MD5
29d1ef4911895b863579e5cbbf4a4c98

SHA1
3b82354e605501d00b940227f0b4367cd5c6a7ca

SHA256
27eec77c6048775746c8e91d5fdbe30aa0a97f44e479d680e3ca42361f5ae9fe

SHA512
d8af4129c78e3cfbc866275be56bf69efae4952aa9013ac26c132095a84c375e9cfcf8816cbe8416634f9f255aa19f590334f611e4cd192ecae222007aaa7dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPY3354.tmp

Filesize
867KB

MD5
15ab12eb90309740f93af0942904abdd

SHA1
6b24f3e099ff1e96c994de70ed3e108c2daceba3

SHA256
be82e76cc7233dd09c8f92af4b4ef5509ee1a6bec144de0410ef3a92bc1f3129

SHA512
8a14e82a4b696cd9ca0636e66f8e6cc003984e7d7eb8f18f0a005084179d569c344988c950f49a630c07f56b52cb73a537c3bad47e390613fbffbf7d5ba24473

Download Submit
C:\Users\Admin\AppData\Roaming\6a39e037205991d4.bin

Filesize
12KB

MD5
9cc2411e96b7839c85823f0eddfd343d

SHA1
ec19881f9c1f833218219c8429b4c505672fddaf

SHA256
34ab40437a7fbf4747433a4e6ff0d95e1cd672741f85a3ec6a0a56e316cf5bf7

SHA512
b55949fdd291a026311b57f2d73b6b32dd8114c2a3a98aed331c1f71a79e6134b8e0243e296e7b381e1f3abf791b00ffc7299375ae8e3b2245bb18001edc2758

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
ab8459f550ad88745c48c29022f9af94

SHA1
b165994490f4e5bac646bda809c81ca8ad081f1e

SHA256
fc33be6e8450575458dfa9d311bfd316e7ba500e67ca654f623606faca6e5db1

SHA512
a26d1fe01125e8bb46110dc974e509af657b0f37e49acba5068b125fede9518604f71b03adaf855a9f1f2abec2b65dd662ccb874285d0a0e7f13803d49b03083

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
42219674ae9096a1e8e4e59954547d92

SHA1
dafbee48f11f220a433be1827679291a44a6f3e3

SHA256
036a655d3f64800dc2de9ead835402adf4e96f89cd912158c3b0f0fd3ef0716c

SHA512
090365584bbed2e048d43b59874dadcb2a65712f9b639002618bce2ab31be076b80c74cf695caead4e3dcbc96394c4f7de65cd08306b732a2a88fce1d801bed1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
ca12c4dfd46c026b2f77c732d7d192d6

SHA1
e6ae1038ca18b521813d64ec539e668e2c4f6dc0

SHA256
99f1e4a2da0ad6a05aa7d2153351af6f32763a04b7089b40838710092f3b1ce8

SHA512
5fe6d42add01a0ad4296fe9d37c9b5b1b8bbeadc8221273e6ef353606619eaa00f0337b41b89fc16385c4e4b0099d5c9bc20e3f36a26223da88c042776241a1c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
54319c276ea74a889729ed148a66939f

SHA1
a2039df4258c675412e8d2af99519384105a2eed

SHA256
4c2fe1d00cfb58a9baa6538a0c6601c98131ed31c6a0e542d838d174be867a4f

SHA512
ee3d0ee1a5df223901e0ecc225390794e0b31fbada3c7c4adfd337950df4f6147c07b743659570071539f8e4e6d9fa9430e1845bf6c7de7a70105b9f07ddd25c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
f054419be40030ab022ef14520ba9837

SHA1
72ef84e0dd670f4c98d0470a769e850ae16ae5e1

SHA256
2449a89ff27c95e744f2048970b3451fa19c1852a7762e6b741f2ac63a18cea4

SHA512
0048e52a2b064d94ec5bc8718368d6e9f8a047bf889d366ffb5444bdb7d1f7c97a0103d3e9f7e09d25d0a21b5e78b2b45f298eb92efc0945c146cf54605c5a1d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
61e8cab629431481ded62e09bbf12aa1

SHA1
7fbf79d1f3bd8f4a62b8b965bd0808bf6355e5b3

SHA256
0365d1b54556fe4b2ff502ee1afabcff1c09b0d3838e99664d9aecfb92355d6d

SHA512
43cbdc78918e5c535a7b7829918ff41e24428e0512ac93bdd5ee340faaed5c06ee77441bb045a5f6417bf45f16de0ef404f8fe1adb30f6ee2b0ba6a1f7a89bac

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
e4e34aa8e7e90afe135e934173c5f8d8

SHA1
43607e9b682b0d0e5b69c1e84cd1ec0a243598e5

SHA256
9c5e0525e9e93d620afa75ff791e735c757fbf1557d03a154694ace9b0cc37fa

SHA512
813ee4c92dd3a4ee011a87fdca0a844aa582c4c8c5796ec203c9f678c4d4851b9ebbc5fb81ecd91bbc79d5ef4f0f3a370cd400c581fcec36483b9e5418316117

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c6260d65a0cae35e1e83a3c96c5fc59c

SHA1
b680553e310076c7569ef37aed232973df658cf8

SHA256
0209a09479a5265c83374373a2a12f311a8f29eb6b7af221f1413013e921810e

SHA512
0f1e9a8c54ce807ceb0a700745e379b572002173a8d66d8c99253e9ddef677e02203d61d43c1936d9fc2f782ac0e96a2e76d995d92c5c0f19b772e0cd9caca3e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
87526c76664fbe0ac85ee88c5fd1be46

SHA1
0b7f903554027434131709eae40fc11b4a9ad1e4

SHA256
50fa8f1e28bd503ed7f028938ec48d653cec9c4938c743fcc03edf01a95319be

SHA512
ebc802b691d766094a070db1d73abeff3222aff2448a8c8d19a232675119b2fa22e8c2d1a1951dfd5eb218b57b363af5a25d554e79072074a4c1c5f63bbb19f6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3f86b466061bc3c1d3f8a0a1c430496c

SHA1
c4a12b3a3c10a194cb3a0c2326b832b740c8e803

SHA256
a11d9ec8429575d4f517389a89410656d125b3eb7ee81d905fb4b206ec172cbb

SHA512
376f0a4fb90a6751db4d8cae4a9e49b78aa5474035dec3b6791548988915b203b885cc6c3aa1c37c8556a364b33c7820b085e590f7857cfc09c94a4b169b244e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
6de423140e35919ab18f6387905fad12

SHA1
a4662f9938aba95122d3bccdd9b6bef7e8160572

SHA256
7d8aa66fac8bf9d19d3694152ffa9a5cb673db2be64313108963b8014467001c

SHA512
26f13658fac2b93855692a964f04c1718604bc3636ceb7aabfe3d6a7016f6b14ef23627c98e79a94b617b93ff00a0b6c27119e64fa67c3a5d914d117b77ea585

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b1a03f51f6a8e8c90ba4d74c302224fd

SHA1
1f74791955e99c1516f8c76d5edd5c7cfe8caab7

SHA256
5fa3064011cbac812d5f215d7348ea008adc88f072e841a5fd01d727c881ce6b

SHA512
d982aa70f7b7de3933f411bc33d5cf28ac35ba32c5e6d0e840aa8e07b9280794cb9ad56f57c043afa102bb47de87cd40496e3c864f3c28560f8b59ae5f96eb6a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
cc832ab1acc0f86a438d955dc8774733

SHA1
5a7d624f85c170df49b525c6fe41d27fdcdb0dd1

SHA256
a9653833644ad63fb46aaf75802b15885e3ec645567409ebf67b13543c5e2f5a

SHA512
35a93056b828133b8d0e46ac292f72abb72eee2faedea9708da9d9d12831e62ee9ed1a0a5a17db07058c6948c01bc1b38f593b6e3dcd58a527466192f5d5ecd0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
64KB

MD5
eeee33fb5f6e11db1e5524dbd24a5c0d

SHA1
c7ac060fe3dbe4d75c84763b1b251c17b0a63a54

SHA256
19a75b45293e11f672f4ee911092bf43a4f61e904523b892e055e8eb49998520

SHA512
5475d1e5f41cd7c06030e82cc36a79bdb3678510218c90e638e3cbce39fa56a374710a1725f0b389fe9dae8204937eb344449141ebaa80405ad663b2a08348eb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
ef11ddd79843e4a7acc74e91efbb4e48

SHA1
367029b13cfd89737d65c322a2a5afd4e5ff8bcd

SHA256
f05a39604c9e4c43b11655b2ae41052d23dec946f6b7016fa27ac4cea95a3ed3

SHA512
072a15a5914ea1a9200f35ec5fbb8956a07e9ddfd3a5633388ae0d13ed04eebdaee46241cbb51ac09c0509a3930ad565eb39ef87b975bbd4004db5e7feba0658

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
48f2e2d68df30182fbc8c0f7799a6de5

SHA1
4e878d302b4e57e4444d7ba7575f6c2c389ba2ac

SHA256
03709b4077933777205002aa47ebbb316e20ab74ecb8c1759201b4d98f6a704a

SHA512
b862ec66e62dec7b95ba5423cda6863fd1ca49b9fc3c777affcaea4c7b9e9515560aef7d48422f4707bcbd3e94ad924604aef585375ee851a2692c1c9b9fd4d0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
d64777fd131b453acf68e6d2cfeb428d

SHA1
afebbb22438897f34111ef99707799ea312346b3

SHA256
b17e407e8ad76482de84f467887f62f08a6707442151918708ab40e147e1df6d

SHA512
1cf1da93cfeee6d877b204edd4f2409a817c95bcbb7d991239e9aea0f234fcb36e0752651d08d73ed21157d9b2b692beefb5de5174fc1fe73aa66a8fbb0f9313

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
06bc643d6b4b7748dc06b59cd97889b4

SHA1
c82ea4b41618a0bca531913977a2ca62520ed907

SHA256
79af4e59a317ffd15d3b67a3a2309406f87922dd1b2d5cbdb16e77a5d6a50b99

SHA512
6eba5072947948840dbfbe0d715718a08c2dcabfcb87a915426477cf1302b6fbc1e3922c7f7aa3d0d24e0ec080c87afd2cc97bd879be8be5d01604276ebfcac6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
997KB

MD5
ea7a39385ba2183e5a5ef2b4a60ba922

SHA1
157c01bc8572af86f4fd90591ecd5f688a08a545

SHA256
1321f2b4f4c0da33f12c1b6fb7b21e8d96ca599f1f040bc665a474d95e8e8321

SHA512
be18fcb18f4ccbeb8f1759793e705e27346bfc9a68052c8c59891cec62050b76f58973b1e6184cb2c8f28c7434a693bc909856353d200f62aec8b05aa2d3cecd

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
f347c0a24fe13bae1f6731950ab52f2a

SHA1
8580f8ada34973d0174b57321ddf4ef2fce92d9c

SHA256
a4c3190fe55565f488dd8db20b4a887c4c6625537cbebf38e121ec859caa0dfd

SHA512
22a70d852fef908ea2f8c3ef5f8ce65135346ff26f0813f2c59cda322855163fe8379185fa512ed62d1ac2530cbb93a502d38cb689744da6f0fe3ea87228c070

Download Submit
memory/1052-504-0x0000000140000000-0x000000014029D000-memory.dmp

Filesize
2.6MB

Download
memory/1052-510-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/1072-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1072-380-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1072-387-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1156-501-0x0000000140000000-0x00000001402B9000-memory.dmp

Filesize
2.7MB

Download
memory/1156-441-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1156-434-0x0000000140000000-0x00000001402B9000-memory.dmp

Filesize
2.7MB

Download
memory/1456-427-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/1456-363-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/1732-374-0x0000000140000000-0x0000000140280000-memory.dmp

Filesize
2.5MB

Download
memory/1732-307-0x0000000140000000-0x0000000140280000-memory.dmp

Filesize
2.5MB

Download
memory/1732-306-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1732-315-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1868-497-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1868-490-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1928-465-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1928-471-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/2176-58-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2176-71-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2176-298-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2176-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2836-400-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2836-335-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/2836-344-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2888-488-0x0000000140000000-0x00000001402D9000-memory.dmp

Filesize
2.8MB

Download
memory/2888-429-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2888-419-0x0000000140000000-0x00000001402D9000-memory.dmp

Filesize
2.8MB

Download
memory/3116-299-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3116-105-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3116-97-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3116-98-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3352-460-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3352-459-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3352-454-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3352-447-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3608-402-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3608-393-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/3608-462-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download
memory/3684-318-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3684-327-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3684-334-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3684-337-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4212-432-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/4212-367-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/4212-376-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4220-302-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/4220-133-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4220-125-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4220-129-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/4392-1-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4392-6-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4392-54-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4392-0-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4484-66-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/4484-50-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4484-297-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4484-255-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4484-51-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/4516-405-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4516-475-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4516-415-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4676-109-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4676-123-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4676-117-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4676-120-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4676-110-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4808-349-0x0000000140000000-0x0000000140282000-memory.dmp

Filesize
2.5MB

Download
memory/4808-414-0x0000000140000000-0x0000000140282000-memory.dmp

Filesize
2.5MB

Download
memory/4808-359-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4828-126-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4828-19-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4828-11-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4828-12-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4876-485-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4876-477-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download