48019c6ad4767d44d9e3156f2c402b8d31b6b49dab2266cd477c06ac5730b8bd

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_77ece9eda14383e64ffe0556a5c3d8fd_magniber.exe
Size

33.9MB
MD5

77ece9eda14383e64ffe0556a5c3d8fd
SHA1

fcda2da05d27377f7dcd96de981126f92f715ad0
SHA256

48019c6ad4767d44d9e3156f2c402b8d31b6b49dab2266cd477c06ac5730b8bd
SHA512

71c858563aeb571db3eb90436f2f7935f9c35c09a650d97e4a9e2504386d3f140e23732dcdcf51bf9a8b77a448c17ba1e933f9f190605fdc9690f72b6220ab94
SSDEEP

98304:+MyxwpTT8d1vroblVN62GZB9th8Rc4yrrFxsnX98dXwV5Wv9a/Sa6OPUGsyHrU+B:+MyAOyVNSZyc4yrSbrOe3utXIeVQBWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEDiagnosticsHub.StandardCollector.Service.exefxssvc.exemsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
804	alg.exe
2704	elevation_service.exe
1700	elevation_service.exe
2968	maintenanceservice.exe
2376	OSE.EXE
4472	DiagnosticsHub.StandardCollector.Service.exe
2456	fxssvc.exe
4936	msdtc.exe
1912	PerceptionSimulationService.exe
3308	perfhost.exe
1092	locator.exe
4036	SensorDataService.exe
3760	snmptrap.exe
3688	spectrum.exe
3456	ssh-agent.exe
3652	TieringEngineService.exe
3268	AgentService.exe
2452	vds.exe
3136	vssvc.exe
628	wbengine.exe
4312	WmiApSrv.exe
652	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

elevation_service.exe2024-04-27_77ece9eda14383e64ffe0556a5c3d8fd_magniber.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-27_77ece9eda14383e64ffe0556a5c3d8fd_magniber.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6654fd4b85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065b5862cf398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010a8f72bf398da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e80afa2bf398da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002193222cf398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000456edd2bf398da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007659082cf398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000350cdb2bf398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003abceb2bf398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047a2732cf398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

elevation_service.exe

pid	process
2704	elevation_service.exe
2704	elevation_service.exe
2704	elevation_service.exe
2704	elevation_service.exe
2704	elevation_service.exe
2704	elevation_service.exe
2704	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-04-27_77ece9eda14383e64ffe0556a5c3d8fd_magniber.exealg.exeelevation_service.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4660	2024-04-27_77ece9eda14383e64ffe0556a5c3d8fd_magniber.exe
Token: SeDebugPrivilege	804	alg.exe
Token: SeDebugPrivilege	804	alg.exe
Token: SeDebugPrivilege	804	alg.exe
Token: SeTakeOwnershipPrivilege	2704	elevation_service.exe
Token: SeAuditPrivilege	2456	fxssvc.exe
Token: SeRestorePrivilege	3652	TieringEngineService.exe
Token: SeManageVolumePrivilege	3652	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3268	AgentService.exe
Token: SeBackupPrivilege	3136	vssvc.exe
Token: SeRestorePrivilege	3136	vssvc.exe
Token: SeAuditPrivilege	3136	vssvc.exe
Token: SeBackupPrivilege	628	wbengine.exe
Token: SeRestorePrivilege	628	wbengine.exe
Token: SeSecurityPrivilege	628	wbengine.exe
Token: 33	652	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	652	SearchIndexer.exe
Token: SeDebugPrivilege	2704	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 652 wrote to memory of 4784	652	SearchIndexer.exe	SearchProtocolHost.exe
PID 652 wrote to memory of 4784	652	SearchIndexer.exe	SearchProtocolHost.exe
PID 652 wrote to memory of 1080	652	SearchIndexer.exe	SearchFilterHost.exe
PID 652 wrote to memory of 1080	652	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-27_77ece9eda14383e64ffe0556a5c3d8fd_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_77ece9eda14383e64ffe0556a5c3d8fd_magniber.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1700

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2968

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3424

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4784

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
af7a294ce223e83b0429b9be98652d24

SHA1
3aa6265ebc349f467892027448c4ea32ddbe771e

SHA256
1c655862552d5b91bd74f899ed5fd82f420ce16764c9970d3ac8e4bb207d8182

SHA512
4e0dd1a7d1cbf346aa3f1fc90ad30218310ec903c8815a0fd1ccc166edf49a137c3905f133107e06f39339d50d557d631bae7c42bc5b752564346cdbcc5bc3a1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
362b41a6168e11c950e0e2a83f52fff0

SHA1
a62c15019fc792d6ea24a6eaef2876fd247f9253

SHA256
561b91348a89480762a02dc032cb533af6f4ef63b57cbfc029a850e9712d9a2a

SHA512
a10ab6311fd9556eee970a779665c3a5f7000cc7238285c5b62abd5a0f54a8271ea79f1ae363f9e48279aeb28231a5f391993c18f975c405d4886685aff63196

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
3d6908a7e2331d8279df168b35216a57

SHA1
a7e82b25cea5ce6f7b08476eea343858fa17fe2e

SHA256
9cef72bc9b66ee1c053cb78e3823b1a76bcd9ce5c4250bf9aac735d4ebec8fbe

SHA512
b137dcfe1209d823c31aedd3ad21ec9dc6ecf03482e1197d5e43f4a84c04949cef3ca5ecc411889f79ef45f5ee08d3baefc5c803b9afef99871de3f9e1593315

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
21051b44a151c77b1837da5c18378560

SHA1
758496d075c1c0ef352436603fa686461bfb8c3f

SHA256
e9c3afa57085006b8f43305451147566c8ee387c24aae31e22fbefe83f43b9cd

SHA512
440f63add285e17153210672e2f9c5840974cf2165cd5cdb8d37bc1bdfe01aafea429c7a312f9f1a08dd2855d7e98c70f39b06957f0a443fba35dd5040da3686

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
b03ffeb2aa63e7bd7e47a489dce15444

SHA1
64436f7e0489b13d4d0794c782d1ea5c48205576

SHA256
1650486e8d9837b569b1d3455f470f132d5c310b090e79a43355806d8ba5fa62

SHA512
bac198eaa5f41587259120b2535ac0d1bb99060169733abd236c13338ef6bb41dd9d39b84ad9bd2c3831e07b43ec55093bac8effe0a8b0c71dc440f5a7aecae1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
0259ad4ffd5efe66f9a9a1d3500f1125

SHA1
85436d8ee9069c09a9be0e25bd0cda576dfa5e3f

SHA256
b55b7324d828d8537b1502a8d54a320a3656b368bdc07d056a88357333832563

SHA512
c1e20221c637afc0099ea85a1b1f6c2f0475394914620bd66a3a7a262ff08d0f4070f15f416d059df5e3b2f9d1d5e84681c5456b41892e1306586bdb822f7cfc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
60df8bbf073af9b46f2c1554a0c62d34

SHA1
2e096b20e693d9969b3b6e0882ad3a849866ee39

SHA256
829a1ccf93bb2a61ffe9f5f0aa80d1d06a853871da62029ca9a11bb6d81e5629

SHA512
b85091f369760f6895bb7d8208a61fe026abad7285c8d9d0407c8c125d7f30a5aaca772a5c38f8fdf97e421e9b64fea6b7bdcfb2b6a159f39e81c1ac04e02ab4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
61c0208cd4818dca0f12eaece9edcd2a

SHA1
07d9db1f406e1203ef244df38baa01d5da4af40e

SHA256
5a6548251192b81ec8403dc661428937715581b2fafe61d22d933cc81a0613a6

SHA512
5f435d4cf485f93d6b28e504116bb51d97198f68e0e73aa466dc6a8780ea17c00326c4f82f82deff9cebfb9cfccfffe4b87891dd8d990ba41a87b38b5578215c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
caf22e7aa58861b8a0b5eafb6e879ac5

SHA1
0b025881cb75f4bbd466055b86751a94f6bfcde9

SHA256
7ece2e4f020894b9e28be88c1f9172fbfb937d5bb64560f4a221c4042c1cec30

SHA512
399fdf681006898d571057bc35146da3396563a4d9d57ec371ea186c7db1ede2d08f1934b94a79a0126c5adae8c284199e3cfcf8c57e8d9ffc223bc689d6d668

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
bb97086cf7f7136fdedbc13e806711ac

SHA1
5ac7b61bd0ca3534b58cf7825febe498abe005dd

SHA256
653194ca1f81c72ddc73498ac0bb95501edf4f085ed3fa3c11b7a0cf433fadf8

SHA512
2c5290f0f3fae96e8a5e3124bdb5d2bf943c3019e0db8ea5094a385451226e3764ef9a6190f5c7ff14be766dd593cac0d22e91e28a5c849bcdcdef156bbc162c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
b0446a6f0f362c43c49034110916c444

SHA1
b15da5a4fc0fd6647a2b0662f2fa9139aa525386

SHA256
763c0763739d6c1d6553136ef31edd7dd9f2a3d85f042745ac0fe5ff63d3ed8d

SHA512
577f1896cc3bcabdae4cb95f6c0ae1cfe07374116072c15a2253a113163c1ee958dbc96a54c22c904f074d50885f9640fdec70881022660166a730b5d9434383

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
ba353c2e2a940e6af946c904229ccaad

SHA1
5341e6b2856e699f57ed1f410ddbb3c6173b55f2

SHA256
a4ae484616512bbbc38ce4494c1bcbfe6fb8420cf0ed0295785b275e083c5494

SHA512
0e3abb57255f63837eb13ae101f268053419046c845921dd81b781c5c3acfe74b55d3cbd4393e3f1b256005712dd702a9ee66526ed82caaeb075826364bb9a09

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
f4a779c90be3603bc4bd42f955a97661

SHA1
ad5e5b3e50438d5b1df0e43c9f05ce8c9bd39e05

SHA256
36a73e9160f8e61574f84779f6be5a19dca7fc806559a531c159f02380283289

SHA512
13242de94680601674b0dfc5cf82e1a82d336197253b2bb1b81682bb51866cea22893ed40348ad7dc45829017e9c7c4f21f9abaf03cbee0156511f2525681023

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
d2ca5fc6ce9b43fe9af37fd1d3b0b1b1

SHA1
d13787413444ee72e85eaa41b2bbd954c3ef4dba

SHA256
4151b5df831966859025fb3461fd82823ee5d5c8309cc9407bcd336b1e905298

SHA512
554bbae1c8de240760d5e117be3cdf3771a6a642ecab936f40bd6695faf065360c8a40b54c95e50fec2df3ecfd057046118ae8bb6535834cc6043941b6401bd5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
217b7de9e821b7cf8664b4319ccfb2b8

SHA1
3206dbe20431d98c64de4ac3a863b158338729bb

SHA256
b8c19c6e3630cee926d1471abf1e2b8b93fd04ca409c2fe7776bd378a409d86d

SHA512
4703236f885807a85a49d5f3689ca836afa70a9fd1d94ad1dbf38d4568c9f0f6ec488c3b778f3f5ab4f84bf3273aa6465b79cd478898efbe109b5f10d26665c5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
9115e4b13c934ac41c29d0158321aa15

SHA1
4d6da979256d160df3713288b12a5e8c9de40c3d

SHA256
29842ca2a76d33b9c664e40cc332fa8e15b78facf87ae2e2ce6fa8ae1bcaa69e

SHA512
c2d7932052f10cfebfdea8ed94512492de4da1bfbacd3287638460abc0d0c9c70a2085c42c537f57912209249b4eeb95aa4f5120f9ddf00af5a428672821e821

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
5f29bce7695c81f6278fda9ba52d1f24

SHA1
40ee759a65dc7a2ddf2707af7a4fc6dd6db5f072

SHA256
ae9d42747858c73a1055aee0d30b38d5a7d51e245a28e7a3bf2a3a5c995351ba

SHA512
0d892de48e79a3d519323c60e280afa2339c01edda9ad85db515b23ae2ff0564f9269e486e6ae4365c31c424819e2270b9e200254fa52938477a37207c631b96

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
1d6faa1b468ebdbd25268e400b8a1282

SHA1
4e422ec7ebf300a20e9d77c78611c31c7ec34b54

SHA256
1c01a1aa2d20d66748025ab2698a4cfa678ee952abbf2f5855d548dda58e5fe4

SHA512
45a70a564b9cc17359bcd56d35cb098de48968fab5d762ae13ffe8827c6f2d88f9406e88c4c409751737132960ddb699d7964c791c8f14c1896614950259087a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
8e624b7c1b7684d9388a5f24dbd6fb85

SHA1
42a9900ced824e42f25b5ca332bc8b85554b5a11

SHA256
f399a484f2c1d5a83095a07220eb62d5558cd08067dc40a09082fbf88dbd1911

SHA512
f0b64b5ac71012ed6b3a5eb0cde4f12256459a0f7a67b8646f1e0a2762fc2ba3ab0c2430779269941a08104e554abd0ca543caee677ad528b43d22b51018c080

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
de06ac347006001baea66e3081daacb1

SHA1
106af498369ee8e2f0848312b5ce1f88ef6b276e

SHA256
66d79e3418c47307e90693c65e63354b42d21a0674569cc12edfb35caa4dad15

SHA512
8714d42435edaf77d08978f01a976987c1abf3765adaea752a1807326ed7d4dcf8ffab766541418fd513ad321cae222370c9b8e55fa4d78382de1eb4cf4527c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
0ded23c0b01cfe177fee85492542d443

SHA1
3c72e910ba772705b85fdf38e9108fb176a9ea3a

SHA256
258c79bef5f29cd6f0ffd1afd00cf4e94db61866b6b03e145a1e87912f7558d9

SHA512
3889793db78d95ab1fd27df10d6432f024645a6ee27eb45a87aa4462f89ca6ae37b548a65f9d642d29a91e38f0470fd8be8cd953cd0488fc22e2e087659c8496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
eea15534f5c8a55e522ee89b911aa724

SHA1
df528ff0fa4804c58b7aedfe88322b0275fe4cc8

SHA256
cf31c173969607cd5124e436c1ed3f6fb8fab1562e538286b566825ce4567094

SHA512
182c855b0179f81023f31ad4116009608a4f3ab55a616755ecd21da94ce8412d7408696cc3f0b4bf90fcced426b3e181583aa82124d9994d99711d2a8a7ad61a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
05ceed80dbdbdd790da134c3813d9d4f

SHA1
1901e29b7c49a6e5a9de9f63203456ae7eb75918

SHA256
0b27a3df8bfc6b27e285e3a87e085e1c07cb7387d00252e737a182b245081176

SHA512
79faf7e02cd339f5145303fc9fc0c324f67195c6b430f68aae3ded7682990d09322053adc3ae82c312d0c4c432f580b27e574ee02b93d9e4b0966ba1914c9983

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
d1b97536497a3eae738ed61b242cb95e

SHA1
1e100c95a68c7131c4b1fa15136eedbd820fff50

SHA256
594d0918c22d06a4637749464fba232782c873da0271f7a9e3a189ff354d123e

SHA512
0e1bbf6a839600d57c1934a8ecc89c4bc57d7afe58e902913058de1b9f2c8d2dcb4cf41ef1a162ce1ac33fc4d927da609b2a2311c81d5ddb3e6a1272f78a7404

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
d0d9807924635462f693bd0a5a14404a

SHA1
addab708cc8899cf58cf7d2b89e734aaebb74453

SHA256
11d299cea0ba5ca53e14dce64f734ad8c013a13eb1fd343cf8ee7e3d113a5992

SHA512
b439421c0b6553e8747165d52baabdf649a57a4bdd89c7072beea7b638d2df265ed4542281d49e7f3c473f037bab66cd6ff26c9f41b533a4baf4acdff077bf58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
17ccb7134db95d77dcfae9c780a07232

SHA1
86efaa4d03d3e3629c2827f33bdf4c1b226987e6

SHA256
343ad969959082e89b445cf2cda4bc0b5118fd5156e0ed00629d85b39cd8f737

SHA512
5094b99c168adfaaf7cd5fc8cfa6887129ba52d6f03b7993b23b8cdf687f7c57cbbdcd297047305835e3124a97b8eac1deafd0cd41e9f2eea6044870e5ed5383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
61cc99c3674e044a55b4c40e6063f53a

SHA1
e153e3207636c703aec6b20e736ba8c84583ff38

SHA256
b7974a5884800f8c0c8bb4455e3984dfa9e5d64f9d4bb1f493ed5aa1a4d6f8de

SHA512
5212037c70b3de489ed8f7be7e6c92d390c9d025722a184de27e581643b1af63f890cfb5e563d48e35db580a8fab544c8df56cb6b4dcabbcd4305a50269f24b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
4e4ab2d4e3397448a58434baaa705083

SHA1
30271ab02dca86ba7584687a5a51a4a462b509a6

SHA256
e913b29e0afb0a1b81fdc09a744dda0cba7f37adfab858a43b0673c7a755a81e

SHA512
cda43c85412f63f8caf49a7e6ff5ffaac22ac144f51c8c91bc8df91de74b74ed701d97f14ced0aeb6cf78f7a9440e0f1334b6a7e60cee79ce81d40b931e960a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
2d610d1c698e19b86b12d6c1a27816ba

SHA1
69091a38b56878ee6ea58f0149ee38088c89d74c

SHA256
d09c2601bcfe36061522840c505456f419171bf4adb4f67cba2f0bd02a012f92

SHA512
3bb2339dfca90fa8ecedf537c2c1c1dc229291d66a8c0863847f98af9963fb836366a7ad0ebeb0878241626638fa1fdefeb5ec280b5959f62b92c64a7f65d406

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
1c66c89b72f19b33f165392a2a1a2a14

SHA1
d4f963a57967230a8283b8342ae9834aaa1cf571

SHA256
062493f9164ff0653868a774d89494881222dd7de221bf71c341a0764bdf621d

SHA512
df3a7cc8954f0b0f4e078b523cff415441d38d69ca9c0a6b89a1cb8de6f011aa9450992f16ead829d911d88339672d9243eb80f86c3cd9c5116de902c14f8c6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
7286ef5e103eaa4ad9438d1d04978634

SHA1
820c9fa9a9e5d590ca819c69b9db94e6b6f73fa2

SHA256
9e244d960adf6ca0c15715ce07ddc6f73a15a6c30044abcb308d7f0d8100afdb

SHA512
b2423d4488d7629e2afa30f125aa5a9ab27f4aaea35b8fb704ee33671a2d31654c823688ae4188ce9066c0bb0db137b6c64b1ac47245f1ef17fdd901e6fd0fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5823dc3aa7c8ae68b372d2932c0a3a54

SHA1
dc0b04ac59bbe1694514f24bfa016f624b47fe2c

SHA256
3333538c305e82a800265c8b07f3ba2579b4fe77da20435810f331bda86a8705

SHA512
82675c9a4b5a48608ab6c1a41396f4eb1c30c77a802565c17646565997f53718f1850a2479a1d385b9de9bbcece221bdc01a491617235b4ce4edd5f2ba9526d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
a5659954ecace1fd12dffd1bd3b312a8

SHA1
7c3e3a5b0b00f39c1dca2bb3ab17a3b74df110ce

SHA256
765789925a4d82a8301ab50e5b915350e8b2ad2a230fa3f5a44c7d9567fe22b4

SHA512
e89f727d114f72cab6eb0dc04dcb0b8a92f668fc0ad6bfa6c86b3fc73d7d562ab5d092f0e4345ca18b563dbf99c449c3c3fd884d3bfb288a68a43741b3d1796d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
804a67f8f6921646be19357aaf20fd98

SHA1
91b1f42f0e24888ce8dffeec43b0feec5a4ef664

SHA256
a568e81b68fe6302480d02487441b36f12a1b416ded778f6f54c242589021ac7

SHA512
446452a18b736637b4a372e7711e3b4b7179170280235a4fd202c5591d5aa91d91b3a22b89d9497ad2692a69bf1caf1fe3b603f3d0a87740de4fe787eb4b0160

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
21e0c61b8ba8f5870e8b8770813f3dc7

SHA1
b746d85b14d1db6266262fb6afef4768b1b18f64

SHA256
0825d597e3b4d0d9a037aeb901fcbf639e5ad48f38f28dd5e4576dd05ef36005

SHA512
537672d11a6711adeca9d3a3f23ccb95a4e394b797a43bce1454523b2e5c7d276dc0de6b02738db7da7b73e9284a56afdd624b43393c291c56bb41d3555de150

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
4725f8a2691623952c152f688b1932bf

SHA1
2045a3367d21130f4a9cb8012d512d2197646dfb

SHA256
a6f2561de787bb4538d09eaf82a83e74a14b7b6fe52b84d8e52b8eb4c03824a8

SHA512
298e46734a40fe43f395d4215044b2e58026b6c67f224916b1726f455110014d3b41b3862ed8ed383abae919401c604d5dc64c24f5da8d38bd87e4bad29778c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
707e07fdc3ddf1a3922ab4cd6b51abcf

SHA1
53c0b68bc4dfbabbf6985b06942467fa5108f678

SHA256
9fbcb50f257ca40e337989e08e772f27c7a0f9b45a9f5c2fe31bc621d6017b55

SHA512
2f69b7c999a97dfb04fc8dc29184c75cd430714c128831e99e6edad4fa401ba7f191103ba6dbf9eaacfcd6976d464f3eebd3ca1462f84e54a4172daeb26a886b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
Filesize
581KB

MD5
fceaa3f078875e837ed14fe280f4f183

SHA1
82f9566483c0aef23da870f0b9ef35f9a42ee20d

SHA256
09fa80fae6a28cbdf328a888d5b161a48c8d8b895ce4197adef21181ac33dbb2

SHA512
ea2acbae2e0eb88cec6038085857ffd7d0bee838f4fd4d1afc46a2abcbdc7d0b294d8c1de0ba0a51995b1db10e20c89a0240e2343d86ce125ef2d8f1f5a7a322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
Filesize
581KB

MD5
a026e347c95867e6e91c060a7b6bfd90

SHA1
9a1379310af8dc046e767339a10bf423a5fbe63e

SHA256
a106f433862c34903613d15f8cd6b164cc75bc9b170f665447c38e110b65f009

SHA512
141ed499a79bfd64237e73042143fe1166477c65217772c2a8b474ec939cd1d9ee8203c0ea3b40c8a1125821e7cc6ce226b2ee08ea245475ad7529a683554cfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
Filesize
581KB

MD5
bd5ee4316499e937b9ba084b1737abee

SHA1
a439c651813f56718e3cfce23a23e7fc59570428

SHA256
3f75580341a5313eb0b79f1bf6696c5131de16fe2fb1708d15bd4589aafa9798

SHA512
b7e6d8d61ad9cd00118bd7652ee8bb73339c05487604d7fb7e28e9be83f51eda3cae461a26568017ed1e94280c9003379df9cb0898c0f4ee22b2a7a47ffde737

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
Filesize
581KB

MD5
0a8a5d1729b5b6f97a70084e0fa95fcb

SHA1
4fc1fc1b81f7b920813fb7640b41fc162609b6b7

SHA256
58f56267c35aa52c496ec97bcf5f6583be3a64d413eab53190748f2dd17412e2

SHA512
5beb9566eec8aff062d8bddcc94f5ddea3913d9f72156ace5d4f3092e94432a5fd85ba152f92410f534fb95f68646ec6ebf3ec50d44fbdd9b339dacdf010ee50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
Filesize
581KB

MD5
134068c5d476807df4539d60ef02665f

SHA1
995f2a7173a5231ed4d5d676e1706f8d5188719d

SHA256
bdb83f1d4f37df2e941463f5954fd7c3624bdaf877378007112745043e38ae56

SHA512
13266a55c89120cb472657296eb6a2ff65c773b217ac97963600d4035dd5899e9e1d11a6fdf0caf15b45545e18135d68c550fefa971ffbf209b3d0d5047740eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
Filesize
581KB

MD5
440b17c57f638dce7c393234bcb8ef00

SHA1
9f8baf8da0a79882bce0b335a45fe96d740f56fe

SHA256
38ab408dde2afaadfc119751e2caa166e7f432917e3f9214c69708073889cf33

SHA512
c24820a367f8dac377e1041c0ba6c8a180d92d7ae3c38dd2734c1008400b6c6aafc045ab0f90f435df680b9f2b14201d717d5a380732702197bea58b563e9435

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
3b0b97b4a3038a2cdf996b5ab5945013

SHA1
51377d5f04eeb69baff432d978355c15027faedb

SHA256
627e73f55aee5279b41c0ad2fb1f4f403770c3ce3633c1efa1e536f5876d095f

SHA512
b65ce3633f2dbf6a223c0574b0fb04a3b9dbea8b9e4b5b0c7d70e4ba3fd93644f83c66c90fc9c357064f9a41bdf2f11248f8cb2a06e7f48a4f3b97a55699a80f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
d71cc6d4af6f0e96525db92c30da0208

SHA1
f6383db7d64b633b8b865a462e887739d7e08277

SHA256
36ed4c11f270fe7723cae155de617ded1362a7aa396abb015405efa8eb563219

SHA512
b4cf01207e8718d05ace96212c7b790777dcc9ad223ef15a97ca45a6dbe680445ffed3c75852ba1feb62c1b10908efcbb0dc0339facac178574aeb1aa5778e87

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e3560788914954aa21fe5aefd61198af

SHA1
6e92a6c95908cd3a892f0e947e407a821994047c

SHA256
9d5c6150c0ac818fff74c671f3b7d034fe9d3ca9295c03f2724f2bc1200d4fbe

SHA512
11595c9e1c489685d61cf6d446d3e81c698a898eadeed200f8dd136b256bfa3422e86dee7544635b55b5ac73f54b2edd849475cfa1903774c21a508ebdd4a06b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
cf954ffe2d3f5bcdb96de007a80ad4ec

SHA1
96d97c6c1f67f3e28badc8537ae9cc9a296d58d3

SHA256
cb78a387f2a32c8e374f2cef9d9112c5c25551c36ea10cdd4ac65efcfbfe8336

SHA512
4b3dd6b6d18cf8d6678626a3063a589d05174cfbd2bf927898848eeea8a57f435618d875b27f4c3472611f9e22cff3444d2eaa5df5df3a663f0dc4fc8a9184c5

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
6734baea71c8814605b09bd8d00d9e01

SHA1
cc56188d4f079536c55f9627101bbebbe2145f9e

SHA256
c488722c7c8a77179c2bfb84c17d1485c1d6df8e17bfb07baa2421965db6a97b

SHA512
df0a2fe572a35f9664d74c7a3343195bffcdf45eae9d56a5072a7cb0d10148488159f93dba4ff849aaad524c7a0657933bca8643664a8daae0174230a78bd733

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
21a3d408120563d287dbcb188852d743

SHA1
4e23a0ec8c34f68d47c16180ec52ae01e410a0ef

SHA256
053ccfbc4e5496b8032692d4f032da47739d1f9ecca51adc404a3e7d6bbe19cb

SHA512
8a466b213a3dfce5a927ce8fa308ba314169a97704a268d3e2ed6ea3a3270b8eb81c24a5155b639b0eb467f8db25f5753e63692d3217a1071c9dd334b9dd9cf7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
b56e641970e8d4ef8ab39ff108f8da54

SHA1
11fb71071ae08aaad03424b8694efab4b0896d3e

SHA256
58e7c5192670f8a52aab9e842c1ec191e29a97a329715112741db7707f096377

SHA512
06ef0af54a4ffa62ad380d2f2fbce15fa5d6b61672c622dc49f3f951efb5ac99a676bdddbf3e6875aedd8096dfa0713dbd63d6fce761d1a8cd1f2b8ead8af43d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
1aea1f6fc6ec1433e8ca8bb498268ebc

SHA1
0707d410cdac659c459cdd3322443690c6f14206

SHA256
b48e0e7c0331129cc66d23c63e7df155205093402afb87ac54b160ae961885f8

SHA512
02b96d609d994ea63c91cf371a1b6f1c6ab46130dab38979ea1c72ddcaec5f5321b4d21433ebdc48106eb8e8d224342cb231c8094fda0208c519f536e24c71f9

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
12fc1d8dd96376c97eb49dafcf6d4ae6

SHA1
33378a3ad5f8ba34c1a2df45c2bd95e4d06eafa2

SHA256
db1dde90d7e60f81cdf5576e411773814f205c58cba6c13dfcc51ec8810cc47d

SHA512
8de6cc6ef0ddd479795d2a95845de445da25983efa1535def9f8d04879a4e050292f5162bceffb094e15a87ebedbb659f216c6bbc406abfce8241fe709e018ff

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
c391a26ef4941710c564dcc8c8d910c3

SHA1
716765bd2db1cb2d7d7bfa454fb5d2bd5b791dd4

SHA256
142182a0f4031fdf31a2f0bbc3b655b90b5d436a4f15259d9f86a4dc56a1dee0

SHA512
58b77804aeade512a7c586cd2c4403e0b469cd843890e00f7316a78da7c8b169a0c975792b81f640151214810f881fa08b0473682eefda8ccde11720ff4ebbd8

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
1781d24e795a8f0de512152d709e5a94

SHA1
8d98427babdc080caadcf0814581221e1d8b41cb

SHA256
2f4e44097475ee64e652d10a80fc67544d262737637e4e093563bdaeab476bbf

SHA512
4be5cab78da4ca323e6bcd09b027a4157df8b05e5d1529b7d714b614a74a2bef31ef177f3f0052c98251e5fbf5817ce2ae91c97035b71337d8e438013937c05e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
32484d8b39bef996941a4b883a088a2d

SHA1
16c5f6d6be2ea53e6edd0c8e340ee7975dc0d860

SHA256
6bfc834f7cb1f0317d825ccbe56e9f5b9fd761c371372067bc057096e79cdd21

SHA512
0510cf0857ae50352348a57107c4ab0f951c01964a6699410a533e7dd571c19e4b7eddf8ab837a5d5b8359cdd0d74f59a07a1b0b4ddb6db819b5d2639e6d2aa6

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
b2636a26943848376f0517de265455df

SHA1
3ef18243b87b75590ca799c23abb5620f13849b2

SHA256
d5f8eadfb54fc9fcb8ff6b949fd07cb925547866f9eccdd7b3c51c8278620c2a

SHA512
f222426aa0da64a71fd9fdfd2b5cec95fac7fac3501876ddce503db3142269cc9d63f6ad9f54037fbeeaa05b1cb6c270d649f251840c187b4750a53d15caceee

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
38680f158be8167e23198167cf4fed87

SHA1
cb85474441f80e04672bb81b08650d202d7da92a

SHA256
c39ccbef454f4997c94580b99e0b923de8efd3a4d62669e0469623a6f6cc2fbc

SHA512
633ef5bb57dde144526de4e8f42732cc06193860a1cf07cd82ea5b3fb6869aafa73234300229f2895875efcd89fef067887712b97d54b2234aa5a5322fbf1aa5

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
944dabb1541229a18db75b55ca117967

SHA1
af46e14cd5d6cb49653b65f7b638f7721e66c486

SHA256
4246bc7f7e42cace40326745a49eaa444f1f0791995989ce1223a636296a8088

SHA512
a6b4cf0f23f766ff1e935ac7c296b935bd442249a16ef86b4f820e9b2d4a45b32f3947673bc2a026fb055d1c33df3f8c8b1cc783448e5ec5cef5fcca6e3b318b

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
ad739fc82aea140c77d4d24151c86039

SHA1
65dcff0afbabee95a2b6bd8b01f37e5cf222f7bb

SHA256
6a3aa478416cad38c778d5fa442757a6b223b479fb8d593b33c39742e61e6b8e

SHA512
e14d0b6271a64ce3c186443f8993b4d8bf202aa952faf3fa8d83356d8200b23dfc89aa046cb4979439d1bb19cfdd323d3d1f4112db39f2f1cb10e195b3795ea4

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
89073e58e0018c37f61e21e40c2b8be5

SHA1
5a2a0b3ce207f5cb22f2bfb91ecedcd957c0613b

SHA256
22ddab16d4d4ae21b52522ffe0c17abd2a6c5aad2f515f0682ef4c9a3cd49e81

SHA512
d8d0685ccdf5f60b48acabf06b3ced23d4390aecfddbe2b87f41a7eac62768907393a34a3ea6a1df702bddf119ad78b969dd3f65937d4043cca7ec5af276519f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
ffdb37e31ecd4deddb8d28084507fe27

SHA1
e4105cf7f10504df85c60c22ae0120b67fa6fc15

SHA256
b5286775843c58bb3f61b88449ba739c1e0b42b34cd042dcbc9dbc3d12baf3aa

SHA512
4f74265d0cbcdd4f193e4ef44b2a56716e04f5577757403dca6c6e694528a2ab9898a6f5bf859b3f3d0be30b2525dcb484539a67cb0223ad419bfa82f8a84e8a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
a5b8c5da21c54c1aa4361c6cfef03a2f

SHA1
4daef0501e30825ac02bf1fa6d9db6fc2f5dd226

SHA256
7ac7bd009bc7b6e5154287118e6cad9f035ecfe3c53916f8410da15ceacbf3ba

SHA512
9f38bcd2a6d9a42d32d398a6ff03e6cd21bb180031bd12510d85a782642d856dde21f51fc721c9b1e62aa79ae3426722429df2cbfbeac3c9bdf28d602b90d596

Download Submit
memory/628-403-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/628-590-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/652-593-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/652-436-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/804-14-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/804-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/804-47-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1092-295-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1092-414-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1700-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1700-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1700-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1700-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1912-390-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1912-281-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2376-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2376-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2376-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2452-588-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2452-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2456-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2456-252-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2456-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2704-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2704-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2704-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2968-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2968-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2968-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2968-57-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2968-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3136-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3136-391-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3268-364-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3268-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3308-292-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3308-402-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3456-341-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3456-584-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3652-585-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3652-353-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3688-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3688-580-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3760-531-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3760-326-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4036-306-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4312-591-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4312-415-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4472-352-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4472-240-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4472-247-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4472-241-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4660-5-0x00000000044F0000-0x0000000004557000-memory.dmp

Filesize
412KB

Download
memory/4660-46-0x0000000000400000-0x00000000025FB000-memory.dmp

Filesize
34.0MB

Download
memory/4660-232-0x0000000000400000-0x00000000025FB000-memory.dmp

Filesize
34.0MB

Download
memory/4660-0-0x00000000044F0000-0x0000000004557000-memory.dmp

Filesize
412KB

Download
memory/4936-265-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4936-377-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download