c4651a3e8347e89359c9ba7abb8de69bdfda78ccb9a912de77f3acfc5924bd13

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-19_4dda4afeacb4fce3b82836721f652ab3_mafia.exe
Size

1.3MB
MD5

4dda4afeacb4fce3b82836721f652ab3
SHA1

d88c9eabb38d9d80169974818f4bd37a507f6187
SHA256

c4651a3e8347e89359c9ba7abb8de69bdfda78ccb9a912de77f3acfc5924bd13
SHA512

5b28311d7ea6e7aa51262b3e6ce0f5f81bc731fae14b2760d17459ab0f563de4025691b9b3f07b08385bbc12a1770949295178a8e0cef2325da281a5f18acef4
SSDEEP

24576:q6cDtdda81uqgma9kf2M9jRFEM4XlhafCLTvt2rR8FfBhRJUEbDk1ulUX:qTtTa81ugMMulFnvt2r4PRSEk1ul

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3764	alg.exe
4784	elevation_service.exe
2996	elevation_service.exe
2504	maintenanceservice.exe
3512	OSE.EXE
3736	DiagnosticsHub.StandardCollector.Service.exe
8	fxssvc.exe
5064	msdtc.exe
3700	PerceptionSimulationService.exe
2068	perfhost.exe
1048	locator.exe
1588	SensorDataService.exe
3336	snmptrap.exe
4684	spectrum.exe
4652	ssh-agent.exe
1076	TieringEngineService.exe
2616	AgentService.exe
804	vds.exe
4680	vssvc.exe
3520	wbengine.exe
1732	WmiApSrv.exe
4808	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f332ec73205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-19_4dda4afeacb4fce3b82836721f652ab3_mafia.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae22ae81e079da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002edd8b82e079da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7abb781e079da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001e7b281e079da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a21cd81e079da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ec0ab81e079da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df84b081e079da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b49b581e079da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
436	2024-03-19_4dda4afeacb4fce3b82836721f652ab3_mafia.exe
436	2024-03-19_4dda4afeacb4fce3b82836721f652ab3_mafia.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe
4784	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	436	2024-03-19_4dda4afeacb4fce3b82836721f652ab3_mafia.exe
Token: SeDebugPrivilege	3764	alg.exe
Token: SeDebugPrivilege	3764	alg.exe
Token: SeDebugPrivilege	3764	alg.exe
Token: SeTakeOwnershipPrivilege	4784	elevation_service.exe
Token: SeAuditPrivilege	8	fxssvc.exe
Token: SeRestorePrivilege	1076	TieringEngineService.exe
Token: SeManageVolumePrivilege	1076	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2616	AgentService.exe
Token: SeBackupPrivilege	4680	vssvc.exe
Token: SeRestorePrivilege	4680	vssvc.exe
Token: SeAuditPrivilege	4680	vssvc.exe
Token: SeBackupPrivilege	3520	wbengine.exe
Token: SeRestorePrivilege	3520	wbengine.exe
Token: SeSecurityPrivilege	3520	wbengine.exe
Token: 33	4808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4808	SearchIndexer.exe
Token: SeDebugPrivilege	4784	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 5352	4808	SearchIndexer.exe	127
PID 4808 wrote to memory of 5352	4808	SearchIndexer.exe	127
PID 4808 wrote to memory of 5376	4808	SearchIndexer.exe	128
PID 4808 wrote to memory of 5376	4808	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-19_4dda4afeacb4fce3b82836721f652ab3_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-19_4dda4afeacb4fce3b82836721f652ab3_mafia.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:400

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5064

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3620

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5352
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c2a8e7cc5cf3ebc5e913621eb337bd5d

SHA1
87414f3f7f40279027c231e9195b5618c1f7bc78

SHA256
ce673b2e4b49a02ec6e487ab96bd492d53725b2b1cafbfd44c37e814788767e7

SHA512
101c4adece343488d3490b0068278b83dfbd115b5633035c7a0284a73e6e1fdf744689873012b962ab11d9d56d91a21daf363c6f107274fd8e4d1b3ca75c03c7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b7133df30fecec1b6f8f4975e6d373d4

SHA1
59a214fcfb1df7738f69bbf995fab1ef3025cc0c

SHA256
f4f004c13908c6276602262f2b0ad9bfa6f25693121e39fd086da51e82c7c775

SHA512
734800d057fb56676dcd03d0474daef1c2f42a8c2d79cb32e7747b5f8b37ccae377e54d1517400b68c230620ddb6451e043eaeb00c230f05e0a2c3581d9cac14

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
afbce2e3260de192b3ecaedcb34af7a8

SHA1
5c324fd046229d3f4ad134719f62fd4e1a93767b

SHA256
9dd880cae0e13136813a6e6d25cf64ed2bf581385347a07e87bc73fb1a2b778d

SHA512
0b43d5efe6593d3923ce9935f306e996a65718e225b36cc66358016e04082ffe23e2a7842695607870d4d7fa523330d22f6003d05b3c9de8d036b08b4a3baf4a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
839KB

MD5
c7e7741528c791d581b4e96589ae50cb

SHA1
97357c6cb01a924088518c8ad7a8816831f1c1ff

SHA256
f9544abd5daae25072c0a8628821213af19772d18c0ae1eb50731d316e44466c

SHA512
5926c9168a025e261030f6984dbbc35d31cf2d14ef59fb9f2db81ce353f7297d1b419d8c6ee9c96bc89729cb157631724bf0b3eb93e50e816d25ee23fedad208

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
943KB

MD5
fcdf7c30a183c235c58c7b38e522a488

SHA1
737dadd09d156755e56dc85873cfb757d01023d7

SHA256
99de9929f9b02b5e249d64c8d95034e0453c76179e752ea5e661fc6f4568928a

SHA512
af2e171b23cf836b33e38698654424a31a0b69efd7b873f770a08e8f93c0ed03b02cec69f92b370e18630a26d9e44605997840cddc3e0e6397ed75f4e4bb37bd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
63e6a1679c9c3885100f51df76b30bf1

SHA1
a16ff440532dbac646939b22bd317d1839289314

SHA256
c792cda3cc384d6347f427e0efc3b16e03d9fd5d958e18fe2c6b9b187e4b1173

SHA512
01cda83a5fc9ef41dc5f954cac13be53c72296e0629c2c483af87c22c7a9930922658fff22f8555966682016ef00f2cfa1e0ccb3f9349bedb4002b8ba888067a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
832KB

MD5
60d8dfa034ba7dc4d3edc7c7345e405d

SHA1
5a93182872f5ab99f7648310701d652c7dffaa3d

SHA256
14427d34deb71bbc66110a82968ad533246ec0c407ac7faaf778ab186e818041

SHA512
94167d8ebad1d0e0d23af4eb81aa491c58e109aa3cbcd9dda53aa0a3d5b5185834f6ca203ea0b5e038f8561f9cd475d6436a0f697a58a3a002b32980c6a82b95

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
881KB

MD5
adf77a1bd326ccdff5b42ba5522235f2

SHA1
bb5e8afe899ab55c3ca6e9446dd149af7d6bd8dc

SHA256
970cd4dc06a6b59845a43f3a5a0afcf35b6b17d310b966ea92ade46d1a5013e2

SHA512
e8c0097e8b64ccfebf4b144e599181c8e33d0a6fac1afaca2f9109edc61db90e2b38ca4b592f6594cf67a2652bc41358fd7985b1c9a2048485c05fcc4d26988e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c3a7f447c0d7e8e14475282ac902cc8e

SHA1
bc7a1cf357223cb2c56bd9cb53f4cc251818b786

SHA256
13378b9f5d94e3704c8a460c01af17c2e34ee9a6c9a464768612b7a3e53160a8

SHA512
6df1015859d4c97b51a341e7c2830bcfdc4c62829894da753eb20ed2d05eafa7e2c6cc32c4c0ef32ba4b8384aa3f04fe172d962a2612ee2a0d0d488d596bbf04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.1MB

MD5
d8d478cb14659ac4155e569a829fd24a

SHA1
e4d166ff39ac35ac8cf542a97beada6d76bdcd3f

SHA256
463097170cdf705729728fdcc8ba64f1dfc1bf882affa79434f88d0fd813bd61

SHA512
9f4c64b45a5bae9dcda4a5d0140c9d0410c95371b11bc602c9ec103d79268927152d1785a6a19d471d9306bb116f84190893ae374f8eb24453a7505c74c01036

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
840KB

MD5
a54c18c69a32b5c8690157c21a9d24cb

SHA1
172c0d8a74ff20255cbce58e0f2d8a6934c1ede0

SHA256
e02ca53b32acde81792d52512064e3caf6185b4045abc853e8dd6e8a062e59f2

SHA512
b0d604e9402d49391a4d7b3884442c0905b1253af8e75c2e598e1aa807f67963a52b56795029820a4c4614385b9bda6602f1a74bb2c054cf2849e9ffad564280

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
863KB

MD5
8f4bf3db2ab4d25ab4648a9ade8318a1

SHA1
3ca22aabafe7bf1f0a434c3d044f64c9a1c4ec7f

SHA256
f928faa71da3f811538b6c32791f72d51006314e182c6030cf423686ea707a54

SHA512
311434cd4dfaacd1041ab34872871f43d15ec674134c2958f18c56aee41d22b8d29b79329aab7470b9b28bc9e2dd8f2f3c14ba76264e4e3abe520e8c8e287726

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4bde961f203a6bec199d77e49a6d1d07

SHA1
ecefaad91dd17a9679f677ed431fccac573b2dcb

SHA256
ce59d655af4c5348790ca8a23afc5c8e437d24c90eed20ca3367721d067d81a0

SHA512
22ed94566002e960894c6e4d78222a2420c417613f049948058b36dbfe2dcb102d59db2d1feb3773a7e0b4576447e42dd0b04227f847b1960666287062e12534

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e0b6eb98da6fbd44cec3e5fa000337c0

SHA1
ff4c25dd66a3b98b07760f4e3de906d4c6924bec

SHA256
c05ce03f78d7b9b8de9256550f593c0c1ad30fef8dc41df270144af5fadb59f1

SHA512
2c18c3b150e847a721de4b2d9d0c12c56a47252854d2468975ee9ae5a87d4f66bde98c1d02ab09fffc3d28a32faad2c1b4fdde040ade0b312706c94b64523920

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
720KB

MD5
45aeb3536c8db4417a68d3cdaa39a689

SHA1
7e9f20b89e0de1572e94cc6b82dbc24f2f4c1700

SHA256
8e07bd5b456d6dfc80d2d016099f65c296603b9a05d9cef61229273dd1a1818d

SHA512
0efc0738cbf5b6656b12cff6eb0e93463c1c95d1fd1cab314cc298088d4f662958e9b8e3b8b91b72f8fb6cc79da9a8ad026e6caf43ef3c8af1796d5e5a0a1c42

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
611KB

MD5
1bd7a218c2016bc5890a347d5a39527d

SHA1
a831dc57e5a6815bf5fc3124c0334228cfe87980

SHA256
80ae9dd73273535d7a4a9ee1385eb1405c5407a3e1156c55c7bb48197e8f2468

SHA512
d01588e05cecdd9911481850598f1b64032afcd7418761ddcd0af67608386da89d65ddc551f2ae5d0786c4f94ccd16295823e82b3bd02b8c009c66bbbaa4d9a3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
777KB

MD5
037f2dcbf5acc37078850e97fdf1e2e4

SHA1
a82921e336b02cc63f056cd848d123451c18025f

SHA256
26a686f768d737e5da103938fc1f9623376ac3fb558e4b3e259ad0585a0be11f

SHA512
8a6e1d674fe10d2b5719b0e386a09bddffd6b777fbd9304b5c7192c2fae55c88d6058dda42eb2b7c782b5d45ac786c8059da5bffd012a5dea4901f9f36e264d7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6e44198cc4181f15ddffb0395b875329

SHA1
cf3b8e539f432c103effffea39ca96aebfe1ef26

SHA256
b7569bccf785dbc34e60d47701e4cb5b0a55e355a441c751c9155779e222241a

SHA512
2a96aea7419f2bdbc5c82c3fc75249045bea5cacda888950b6efefa91041d5721328004a9d5c3f00400eace37148307b80113a06d8e68e9ab7c81bd97a097ea1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
824KB

MD5
bb49ddded3c8716d10726118398be2c3

SHA1
fc0979269289153544f966e94732a43f4fd3353f

SHA256
fc422f4e2cddb726e31bd57db8e4d25b0b1d22752bda730296b2658313e895d0

SHA512
9ca277d9552c34f33eb1969416ffdf711df7b071e27c45a502aae914eac764e6c02f3d271e457437b68e5d6ccb393f834b8bcdc55b4dc31f567a3cd692502685

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
857KB

MD5
2a0cd4dca09f6a29d6a4345e0bb04bf7

SHA1
8f9849876dab406c355da639d110d0ccefddcc19

SHA256
0d4c7490d6affdd6c86a757dd36fa67455a714374c1506bec57a5c36d9cfc00c

SHA512
7483f9b5e2a32f9a78974f5b37d91a9803a751aa8c8a979efd10070197d04017f6937c9c85774873a8b806f0538b86b3bb82346db89385043bba21960ef8ed62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
780c6f286e78acedb651c3d66cb6ac23

SHA1
109b06058c6e575be167ea1d69aa174d8963fc90

SHA256
65ae74fe132190bf3a14bd0feb64b7dfb5157ed6d456364f2d035dcfa953d481

SHA512
b1915f320be0770d80e8eb1c0170d2752965bab88f7bcbfed2f986bb66ffe469961a35029ec04db7f1bc90ce3649bfa698e46eb7484ad05332c4c3ec610e7287

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a02134f6a71d44439af7ba5ada617551

SHA1
1b4908f43abf9fe26f874810111c9528589fe0c6

SHA256
f44538bd0244d80421cf6e85db2fca6f3f40328decc1f92f09e23cd66c9a0287

SHA512
f12b8cf44162dee8e0f64e35c3a999e189f19ad743125b18190cf0f4f3c82ddaf23471f377814504de6f1734cc82a375f5f16d9f2b2fcd1782f7e121cfe066d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
425c7160a0d776346ff944d39dde0b1f

SHA1
0f5dfef2833ca2ff0ecb8ce33ea3e74ca9b212c7

SHA256
df1f074aa3fc365f0c26551f53b1aa43fa7b1b2a75a3880ba49a1ca86ad7acba

SHA512
0a4da09dec6b4e9fdf4b3e30741f53617299d7a677e2e41a9c01f21e2a4e09f6be06b27fb2dec4ea56608244b6a22c53d3efd3755abcafab3581927fbd8c3854

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
72912988708cb8e0024aa69aec3ea6a9

SHA1
7b54545d45cd2d0c416a3cd3f812168a38047b59

SHA256
d2d4df5fd5891ce2408dcc297262757b6aa0974de32e7bce4070a6bd455ec51d

SHA512
3157210658e48b632d580874fef9e7295fef8636be5f4d6d929422ca5ae02aa4ec432bba75703e8e530f1aec9710dafaf48c09adfba38188b099f7ed7c7bc1dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
17d299296b2c093cdb693b80203fbac6

SHA1
0fffa22fbbbc1947c06e9f22b16f7dd1913b2a9c

SHA256
628b2b5f9a9427a0df52c25489351c1986a88d7444f1c705eef837dff14e5173

SHA512
132535f3361ab31ab0d4c89542a17e499113944214264e0d73b0f570ae4b66027a8348ceed388655c46f9b306d773281bf7f43a66dbc04c59ca9710ecca384ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bd73d1a89f34afe2e03a95733585ef5b

SHA1
edc817f24bc975bf5a6b587e15960bafabefda5b

SHA256
7df51844b7c02a4a5d0c6d8f225787768b7b9bd23313e3040622edaadcbde855

SHA512
edefff14daaabd75a17bd425200726acd1b83bb2b0c894b9659aa4715a52a467130733d93954c182d783d2433e0497e9580e5ce11c8948a8e711fb1540d7033d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
487605c9fae6695049fa95a07f75d21e

SHA1
7e6c929ee768a173c354ab1b45815e5c6b6f4d96

SHA256
270c99333e6f9632638319900457bd7fdbff5d0e60ae426d93ffc3987e8635e1

SHA512
5598b655056f5c82b3086d75dbbe4eee3251780de814b5c94bd4362996cf441e5b90ffad0a0f9b7165ed3e3d8a278358563189ca751cec2eb6dff4632e6ac99c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
713KB

MD5
5f25e0c009c984ee47a8e494933c5d10

SHA1
486976717be32e30c4a3ae03ee41c51749cca94d

SHA256
316a82ef5afce715aaea26c9bb3615bb2ea9f8faab22406898561780d913563f

SHA512
4fce3669dc4de083a30c22f3b648c8656525f551cde3506c352d2db8d0703f6bc4cc86e1191046ec0cc5d925b6dfb7efd3e48f588d9ff1d5e4918e15a6d80723

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6ad8217cabf31456d9108b8381ef313e

SHA1
527d730b1bc72f4a4edc60945e015c80c0e7e4b6

SHA256
ca85c36d9a49edbdacef8b2a4c4e36a861ae41ce7d44cca20bafa67d5ca7879b

SHA512
9ae5ae5d1930e0d977ad9842d88f301806d7492d0f3760f32fedd31378f8d4557ecb18a7a5d44c7ba0083902cee63a4b56b21f12fc3bacc16c347ff4e427e807

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f7f606f9df0c230cedbf22cafe2e68c6

SHA1
3c44a2d1e0333f2892c1d830337608abe2c18a2f

SHA256
254c3f21d95acc92c59d48bc0ee3fa8d566644608a4fec0362f3f09294690ceb

SHA512
3a79c4b740420c25277cc213800bdcc2ec4ef61881e3d89df5c8abb2c48ba3e5eb32208b8d728ffdc4d580507d89a794954ab25b03c423a0950f543e9a487e85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
544KB

MD5
03fbc416ac79dfdb1362b2ef935b4ed7

SHA1
fd49e2ce9fa5ca08200b0fae8dc530af561487b3

SHA256
f8982a16b1ae25cdb073a2390ea227b12fd199ec501651950e8d53873ea84428

SHA512
16e278d89064e2ff548621f0df68a7917e0a6521ac7fca6ad80419e76894a0f843d73a948d46d391e8d25a19fcd5b66f9a68a2b6ac7c24415f78352764b992a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
427KB

MD5
6e7ae2ac2cb76ddf771e8b0ca754d0e7

SHA1
84e6cc37436b94c8cb959282a61080f488f82c98

SHA256
fe39cc360af93affa5c141e606d0ebfdbb2b96ecfd10bbbf9be6c64cbbe13a5b

SHA512
c32af5e9c44f01ef449dd4ac4ad395a157b0823d84552cb92991e6e27d118cfeefdb22e7dbc849403c482b1d3528de4d8cae476a87b50ce1ce9c670ee792b275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
556KB

MD5
3a4b715dcd0f44c28eb3f6c8491031b7

SHA1
7d142351806045c861256664a7f82c33e5408e2e

SHA256
a39cd808fb376679010b0114836fb42d4d7f50ff665472902c9addcafdd468ff

SHA512
61319072b4eb4997cfdc6220d5af73247982500f0bd69c84ec21b358c4387d6687d5150c99654306de8bb262fad8d9ae2bfe3728942b93a156c7043e5d75a9f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5ce4746fadf45958a6b750fb639b319b

SHA1
a86c0c3951761dc2ad8aee2e0643856edde41980

SHA256
f99db28505e6a8bc785aa70af6b0cd39600a8fbbe416ddf9652ecc437a307a40

SHA512
827360483ce41d0e75ae9750444f7e400705d8115327687a545ae8815f321abed6fe3168a65e48a44815f68c6914e22f14a5651aabf2999b9bfcc2e67318408b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
8f0f54d847c2f9f0a662b27864f3c2c7

SHA1
46387cb33c35c7f60d0b36c14b3cd752aaa9a992

SHA256
c9cffdc701ed9b8412e8358a8ceab29170d703ad5959c921d09aceba9282e03b

SHA512
f7727d9e84d249897cd5457e0e07f84a61844dfd9a8a24abdb1596de9f640c738475ba5960d296a83696350b4fac3bde3d2fffdac73e7f6448044d1ab335633b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
671KB

MD5
091548715020450ce3bd080075c2b0ab

SHA1
dd29a8f0baf9ff56b90fbd6c98262b28f68a366a

SHA256
910f98f0a728b0cb6d3a4c8faea8d25ad3ce0a6276c00e46d67319a447308ebe

SHA512
27044f3fdcd68244fd3a7381faa5b0a45020fdd9e12575bd1c66f9148857abe98f0cfff3d12840e73c50123a53521bb14d3f017461e0f943c5b2925fa9a6beda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ae417ce9e7c8af65ac64ad8f59dd0f79

SHA1
d8ab06d7f282f2d9ab3e20aa830fc7b48f41c124

SHA256
530ca3abb7bdf6026b388d8376f8dab8efc37a9a4043cfe9f9947d5dae2f98c0

SHA512
b9a46c9359ab0b49b85524628e7af48c88499fa0491ff78bc82a0bbc36d2cee531f8b4551ac02f4f93d9686cc8d4545449a7fc2374c924489ce5a979a792e9c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
448KB

MD5
363c7c5d875a2c817f54d4cf0fab3ef6

SHA1
e7bde041e4b33a02da42bf718ea717f3609f0acc

SHA256
0c2fe90d0f6b69d66a6008ce7c8a17772c354e6728a5f59de7e7b8e07c199139

SHA512
004d7abe660e4f81dc19ee44441cb3fa6931b4de41ea19b8502e1d72bb620ad06a8efb74aa88e65cdb36118441111b01d07213b7d04164c7e6273cba8bca3724

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
89a737bf1097409652cb89a550dfe83c

SHA1
945c070cf493379be179a13b849f897440d34623

SHA256
f86153b28eef00c9ef9581d06d9159c69eb7300437e9980bfa3b6a9317c1fe88

SHA512
322bb7d2f490621a097044a589da33628074549e2e41e05ae9aaaf91b0dd9dd5baf02ccb5e865fc6caf84b85c95bf0059664846ed3346eda33b47c06b3c55692

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
541KB

MD5
4dd6681443adfe60352478f35b519a11

SHA1
9631de105b8b75a45174fad17e9342a285c872dd

SHA256
99d2d94d212b1a922277b6f3b2acc3ceac3daa58bbdf666b32e176c9d897a8d3

SHA512
7e9439fc611e7a0373bd1c65ecf9f50886019b97b18e84d10ba68b506c3fe4ec05965de3ba4bc1a1a923128ebcbbad4ff839f2ec8b306beb8f316024dee57d2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
30af8ac9bd273c614e8619bd95b0f075

SHA1
ca618e1ca41b81f8dfeeb9e152ea02ce99b4ebd3

SHA256
4db9098cb6306b0ca8a2a5eadaecd512a04251740ce32658a939d794fa51b5f3

SHA512
f5877de3a5c125994b166826f75484cf20a8fdcb26350b4e2b25f16b6ac4b310f351eeba4fac4be24bfcfca158c5094feab3f01663e74c80d8fda98600fda736

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
29f3ddeb7b224e17319c2bcfec139d7c

SHA1
f768b25fdb59714e122bac2cf509ba6a33a6f32b

SHA256
20c130b1fedf0ce81c076c43f76257019294458d8f7ba39631ecbb0ce93803fd

SHA512
25f7d65619ef5506aadb16fb135a22ecffe62ad5124e893350b3b42cf2d7598517380bed4b8c7a72d5701ebbbb014a188cf5754ba6c7acaa37cc3a22ffb577e5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
9d468b6e6a004a48568e951aaef08f6f

SHA1
bfeaec063b98720440cb0e8940e3920b6c5d8f15

SHA256
38eceff7f0524541a29c35d4a870d056f3a562ec84cbfb886f2ed36687fd0a65

SHA512
24a7f5379a61fdd5c2c7bc4abb1147637c374f3fc830bcc4d03caa50b4e6ae39bda31860153bb4dda6609353e18a13c991a6bbba0dee22b19362b96fad6821c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c651e19d54d72d546ca31367935d2c8e

SHA1
bfeb138c94298e47aa06c20f7102fee8825fbe13

SHA256
ffa7f90092c9f61f2d393c71ed582aeaa68465594c2a981569683073be57b8b4

SHA512
d84056304451dfaf20bbb12a799b374d01c6bc3b8522f9bee97a2c88e442bfbb639742c41cc11bf500a43aeb67bebef0f4013c98a5a3a3f5c1169dfe47fba310

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
679c09c6bd1dd48747d5343193615161

SHA1
3e45e90f18458649d6e446e8cacd400366c69df2

SHA256
616d8c91e811789ff4dd3b96950670dea0786618ba90849ef560763994749f3b

SHA512
c2c6f18ad0e76f4037f6e9febf54af91b12c9462003ebf7200ff0964a55395a8d941967ada005759950a3b06592c82891bf17e0cdea915aa99504f4598ecc07b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c07907c11556c2f074c48cd35d183725

SHA1
a4173fa98fd12a7320a84ae3544dc92c29ea3a13

SHA256
6b71c3e4b61be5a170f85b6fb362d76c99cd205ac32cfdd97760045705c48a10

SHA512
6bda071f1453752c2d35c2e60b788785de1c9feeb9d0d323af7bc20121527a76d376c626de49c3012d890027c5f0675a489c91a3d500fe6946058b283872b3e5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a967ed7b132e0ab8920b7b131b988621

SHA1
fcab468ff1c13e1168a30139d3ccfcc3cb01f2ba

SHA256
a2b0595626f37aea3ed97e2248fe0ee523d884f9e28bff5c0a257765209cb71f

SHA512
a801c8c377fb3c61df822cbd4bf8fcfd95f62f68abbab4bc9b042de614589a8d44f910441cd69c002a3e4f1cd31138bc630c30fa6941c0028cdc15707d6020be

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ed34c17a0c6ff3563253dbf0d0dba8a9

SHA1
dc8ac9238bc29380efdeaa1edd07cd942dcdc8d0

SHA256
6baea1a5f853935e26dbe467d16d872a7b2654434365a27e127d6e1fbdaeae7d

SHA512
e2e3401fbad299c2f2bfa890155fe2aab6dde0f3cc8fbf93c00468442a3c121264d39a1344b11fc0ebcb45f10599e90bffe0c2f6e6ad28efb15c9a8da4469205

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7b8dd6b5135f23537beda10d4a7493df

SHA1
5bd73ffe23861bc796752143d27c4a172edaaa51

SHA256
7766c253b80489a663cde38ee452ea0e6a6d68734b3e75d0638a1fb81558cd4a

SHA512
f00a0d8c15254e63121cc9d721b84e315b9d697fa379248824cca24fba0fcb0b240eec1d6078f1c8e27cc4f6e4bcbde929346b066b15ba07d2bb2e477ae4b13a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9eb1eb9050c9e8c36930d05e4f1601bd

SHA1
896858e2c1e99c878439a7624e52742afcd3267b

SHA256
9e1707f59ed00e7ef7972c147c44f3483868ea9c2583bb3f87b34846c2919400

SHA512
19abfe504d3a68a5ad34fb3480df40411ed3626363bd059a3a7b144114011038622f88490a4ba8e4cb41f9b25a5fa4f9333080eb5b06673900960cd3454c9dcf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
349fbc707b4e5f85cf96af5c7a33124f

SHA1
a1229afe495abf6e3939052684faa80f9bb4f5f1

SHA256
ad83127029b7f3fe6135dad31b332ffa24f4389e585bf5875868813ac12b957f

SHA512
4aacb32751ce61b76d70d11bc09d218de0b4445805b84da5cad67ad9e7804c659c44e5db0e5b00b274748f22e730f958cca5dad2ec84e6a621889ca201d01539

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d43b9256d3a5da8c4dada66de9262884

SHA1
bfc026adda452b5c4602a41ce519f6a91c618738

SHA256
66fca7b0e755ded03813b7f8a7d6fa98bb73755d7a56e64f662575877c220ff3

SHA512
c7735053c251a349030a1dc7918e91a3409948ace48dad046a721b9aa05d29f1bb57e7f8cae706a67c42d1d5e8f559346a81d91af743f5c9bf8a42408f3f53cb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
298KB

MD5
85c35335022de90abbf500dfd48023d9

SHA1
16cef8ecf93d0515584587e408a9196e7aef0a20

SHA256
d02a8fd3020eb1eeabc5dccee9e5810922d7ed32e269c342c8ea60f86416c8a4

SHA512
1f136a8ec9893e1d3287f32495e23021d75be2149319fad330a679713628f598cb65eda9e55b39219e655eb2c7e985de9dc4642509bd39c19283bb66349b3932

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
45af2809ca977b08edf6f7883bed2be4

SHA1
c92899924416cc151867ac8bd6dfa89fd5dfe419

SHA256
18eaa49851866fb6281117f1b6dd7faed9f86e8cf5da67d82f7d76d0e43cd711

SHA512
e81245e6513c96a8113252021badc89208d5f6ff5d6edb2ab6d411c3e8c897a67577191282e04d7edb7039d79e6216825b8930a3c2e401d76b16fce3800611a7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fd94fe2b7b5326cf278995c601de2001

SHA1
5c7b76be9f0e61f5e98d95f37b7d12380e5773e8

SHA256
b1d6d7d64c573f007e165218bfda4b3d049cc18a2bf1d11407ee2cea8fe0e663

SHA512
48a8d13930a26861f4d4e010b76d0fa3b693015dc4b10db3379936362bda51211130d44b6476359b52cd505b3f24544f4eab9f9642a93cdf131b0ffc1cb7524b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e4d8db5b118974697c006d172b776357

SHA1
b002d70db62ccdbf4827ac826af89c4694cad797

SHA256
c9a11f5fbf0d85c29af5fb37681aa4619b53cbad4a8528a942eebde771a116a9

SHA512
cf2d9f4185d738c0b0e3b4fd814a10eb9822d36d28dbdd2440a2a44f7701b49406233af71de5a880e20000ebc14a154554dd510bc8de9f7baa1321d697610961

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4205a3ed8af68c4c149eb9dcea552ccb

SHA1
d6a8a8a5fd23940076fae486e316035e437ae5e1

SHA256
f710d2775a80ae33e883a3da71b1d7fb528895e12531d416bd41bd68864f6d21

SHA512
1399a4f104bbb688d3b3f705a39895693c5b1aa75a679624c317cb460f531da2b07c99dbca22713380f2ded9785a4507362674e875fa2f7d1f1760e20151a076

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c0695126b7335ba766bf177cbbc31a4e

SHA1
172195fd462158aa37373ebba2571f7cf1079155

SHA256
18db3cb6ad85d15dfcc4dfbeb66975c89d167f511f86717507999aded9f37d65

SHA512
da6c84868d4162d5ff237f7cb36890738b8fecee33084e1c38375376f512c5140f36336a9b30b45242ef5ad265c08add63b4c556de69aa885555a46baa5696af

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eb0be33e4a0e58cc26d0812dff989738

SHA1
b3beb02351ebda4abb41182b26da12906ff3781e

SHA256
2806d4671ae904ea101c26f9d6621095f22ee12e6a38a201ba1cdec42f80eb68

SHA512
eb2a81368200bc9e2e6b8aecf92dbe2a118a9a0a2ad117f4521c30c492ac0ede9e8cde090316e8354302e928b399032d27f806557ecb557d8ab1f0189e1ebdb7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8c7cacc869b5e295d457ec2c63741136

SHA1
38adc7714bdaef7d06be31cb079c5893de78dec2

SHA256
4aa5a8b40c4124a196d59dde06633929595e57e43e236f1a9a5a685935fc2cc3

SHA512
bfb65755c23fb6f5988fa8962e89e7cc6fbe455956e0250228ca819ad07ba69d435252920f1076506c9b9e78a53901f88e2794c7e48fcda4f0e779777550ce65

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bc819f310d76b57ca357728f941ed3d2

SHA1
e7d767efe171e655784d9b10bb47ea914e931c2b

SHA256
b39e958e7c9dfc5d4a5445358f1a0b485189ec55ee3076989c0e5414c7b1da28

SHA512
41781c0b9af9f7be124ab7b6359f28fc9370edb9f9a8becb8847d3ffd216bcb1c39695de8a74433cb8578916fa3e1601f9f9941b346431320af078200f3e4ea6

Download Submit
C:\odt\office2016setup.exe

Filesize
1.2MB

MD5
25afc8fc216aedb165af75200dc635a1

SHA1
e9da59e21da299cc64fd204269e251ac75277b8e

SHA256
ace1a6490475bacee78aff6bde80d06c6f5fe63f53fe568a3b802a7ba39ef29f

SHA512
805775a09ec55d2d5963240cbc032f8f75442a65956582511491d4cd4609f843377f23abbbec3c9de40c7683350bbae1e74a62c2d27869c001d9e9b1ca20cabc

Download Submit
memory/8-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/8-273-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/8-263-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/8-256-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/8-275-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/436-0-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/436-1-0x0000000000760000-0x00000000007C6000-memory.dmp

Filesize
408KB

Download
memory/436-7-0x0000000000760000-0x00000000007C6000-memory.dmp

Filesize
408KB

Download
memory/436-22-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/804-554-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/804-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/804-417-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1048-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1048-314-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1048-320-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1076-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1076-388-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1076-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1588-333-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1588-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-327-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1732-449-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1732-456-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2068-364-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2068-374-0x00000000004A0000-0x0000000000506000-memory.dmp

Filesize
408KB

Download
memory/2068-300-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2068-306-0x00000000004A0000-0x0000000000506000-memory.dmp

Filesize
408KB

Download
memory/2504-64-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2504-52-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2504-62-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2504-51-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2504-58-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2616-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2616-394-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2616-401-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2996-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2996-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2996-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2996-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3336-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3336-346-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3336-407-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3512-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3512-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3512-67-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3512-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3520-443-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3520-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3700-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3700-296-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3700-350-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3736-311-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3736-245-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3736-251-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3736-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3764-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3764-12-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3764-21-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3764-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3764-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4652-376-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4652-433-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4652-365-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4680-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4680-430-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4684-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4684-360-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4684-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4784-28-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4784-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4784-35-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4784-235-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4808-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4808-468-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5064-281-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5064-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5064-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5376-555-0x0000020AC97C0000-0x0000020AC97D0000-memory.dmp

Filesize
64KB

Download