42029c395982ed6a58b4c3751b21c13d1528aaeaa60b861bbcfb5fb24a48b59d

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_be2e43bc89a89e7abe28706c26b29b1d_cobalt-strike_magniber_sliver.exe
Size

9.1MB
MD5

be2e43bc89a89e7abe28706c26b29b1d
SHA1

5dee45204e67d13719ce076ae75e8ef581a36e3c
SHA256

42029c395982ed6a58b4c3751b21c13d1528aaeaa60b861bbcfb5fb24a48b59d
SHA512

1729313b32206293c087d661eda7ec5272201385d210dcb8f02a70276ef3b480ad71d879d7ea845d6e4b791b8b3d800f40fd12342cebc89ebcca680fbb82c843
SSDEEP

98304:6QDws8wjVIKlhJKt/VNdN1YeT007kxa+PZCN3RIY5D527BWGf:fL80IKrJKttNDK9076LZCN3R95VQBWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
512	alg.exe
2844	elevation_service.exe
3704	elevation_service.exe
3556	maintenanceservice.exe
4844	OSE.EXE
4984	DiagnosticsHub.StandardCollector.Service.exe
1136	fxssvc.exe
4720	msdtc.exe
4184	PerceptionSimulationService.exe
2380	perfhost.exe
3088	locator.exe
4404	SensorDataService.exe
1436	snmptrap.exe
3928	spectrum.exe
3716	ssh-agent.exe
4632	TieringEngineService.exe
1980	AgentService.exe
3100	vds.exe
1464	vssvc.exe
3968	wbengine.exe
3544	WmiApSrv.exe
3176	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ad582a31a29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-27_be2e43bc89a89e7abe28706c26b29b1d_cobalt-strike_magniber_sliver.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6cc09b89710db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ece762b79710db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ac23cb79710db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fefb56b79710db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fefb56b79710db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004ca47b89710db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe
2844	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3672	2024-09-27_be2e43bc89a89e7abe28706c26b29b1d_cobalt-strike_magniber_sliver.exe
Token: SeDebugPrivilege	512	alg.exe
Token: SeDebugPrivilege	512	alg.exe
Token: SeDebugPrivilege	512	alg.exe
Token: SeTakeOwnershipPrivilege	2844	elevation_service.exe
Token: SeAuditPrivilege	1136	fxssvc.exe
Token: SeRestorePrivilege	4632	TieringEngineService.exe
Token: SeManageVolumePrivilege	4632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1980	AgentService.exe
Token: SeBackupPrivilege	1464	vssvc.exe
Token: SeRestorePrivilege	1464	vssvc.exe
Token: SeAuditPrivilege	1464	vssvc.exe
Token: SeBackupPrivilege	3968	wbengine.exe
Token: SeRestorePrivilege	3968	wbengine.exe
Token: SeSecurityPrivilege	3968	wbengine.exe
Token: 33	3176	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeDebugPrivilege	2844	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 1680	3176	SearchIndexer.exe	118
PID 3176 wrote to memory of 1680	3176	SearchIndexer.exe	118
PID 3176 wrote to memory of 3368	3176	SearchIndexer.exe	119
PID 3176 wrote to memory of 3368	3176	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-27_be2e43bc89a89e7abe28706c26b29b1d_cobalt-strike_magniber_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_be2e43bc89a89e7abe28706c26b29b1d_cobalt-strike_magniber_sliver.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3704

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3556

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4520

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4720

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4404

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1680
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7dc6f378c47c9fa301822c00714b7fc2

SHA1
b268ea8f896ed4dffc5329a5924da27e2c6b4508

SHA256
b1e008c57050533b2996f51c3b888991ecd84fece9e3fd86226fa494e89be090

SHA512
aebbb2c1daaba9038a511278cb86aebed8517d1123e0367ced01426009ac86ed1e2c53919066bb7330111a9d82158263234ef68b4c159d20a0fb5e25ea66adff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ce7dfe11bc802afea1def422747f837a

SHA1
e92021a29da4bea81c598fc0e9116ea1834ddef5

SHA256
6dc0a53f5ce53b3938b8bd6d7b162711b9f7e993b6adfad074416da851079f53

SHA512
efa6b5cdeeb6f1b75e963afaad332cb31c1f92c91cf211ca082c1bd11b9f7a883efe11b2aa3c00a933764aeb39fcfb23c364486af33ceb5950ddccce8ec9ee80

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
877b43829287df650ba7dc84e811f0d3

SHA1
a8d398e11672d3fdf334244a5d000e37be37a603

SHA256
0c7056984deee59bbb3e953f3b3c67b74871df3134b8e5dec81de3b28bd7957a

SHA512
6481b19a623551fdf05b7a578434ec280b561c3653a1f332d56a8c93e6c3340a4dca4d9a6b07305a282cae410739c3bd7210e1acd535bb1727d75667d0f9e2cf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7396232b7e75d1a5032246d50fa2e469

SHA1
0bb429ecc6f455083bd3242075a671c8621d17b5

SHA256
9b53b0e2e0f8b69652379a6267b6eb6b0ccb2dc89776084deb9e689e2b6711e6

SHA512
771141a59a1b7b2d8e16042e990efa44b14ff2f61a2c68088c6a59169f2a48d7346040aabc15f4a8932bd8e2a159f85a73faa0c98e80628e70b2318077ba5b41

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
aa750b79458e64ca92e4f5ce55f37a45

SHA1
ebb0c7e4fa57f0f2476d4668463cf1a4dae9ad1a

SHA256
f77a04e05a48a17691f41defa630e9433015a5a52a1b0dc8b207d96fa2912346

SHA512
f3095200ed1ea56caa054f48a77b4d3f9e657adab0eb7a1a340ba99cbc98b7cc0296308b64cbadcee2182af1501ed51fd5cfc3d4e6e7fe705c487a860dfafc41

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
23a92dee7c8c4bd05317501bf595ffd0

SHA1
2282cc9c91f7a6a19afa6b4ed3fe51316804b24c

SHA256
08c2d43e07e41a7f739ccf8898008f29e0c4013628c50427c751d4eb47065a77

SHA512
d4f44fecb6de4bbedd374d48f6cb14a26c79ab427b54337defb7b15aee80f84b4a4b3a4ca510d1d35ef2ba821b7bfd24f60e8ed260f684abcc054b6a27647dab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
1a34388f62815d42c489cd19d03cddd3

SHA1
09dd3c7548a4ea38430f9616de469b72592ed72f

SHA256
752abb6d8b94527709c99f124bcc40dee802b00b9e8d9f3878210f3be6d2555b

SHA512
a34d21dbac33e81fe255b15320b753c13dfe6597cc9bc8b9fecd4cbd817622928a6cf8e6cdad5aa8d53266e5b2ca2ccc9b6ecb426d68262a63e9b3f9bd139985

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ebea8c304565bbd2a96830965441473d

SHA1
db6993acabf343117086b8bd2cbc35f8b3258c8b

SHA256
c9abd33701fa5a2d7a1858046b6dad5bcc53060ff7e036ad1dab97e0c43a8722

SHA512
d30b1d0042c85e2c847f464c904c9f1315d43e94f1f8a9d1a4fcaf4d8d9c29385df376ce223868a1b8157772f6138aefc401eff2c093b70ce7fd10f2b4112c78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7c527fd91e1fccbd01c237c02de7176c

SHA1
8534fe02973a01fa5a3d71110073977044238bb4

SHA256
15dd3bda25352124ab5aa0b3610ad0f8840839c009ed9a9b50177b878f082d36

SHA512
4c27427a1d92b486729d193aa65bea8c48bcdf850d08c12680d1cb793e7051a1394466bbd0d30ee9dd1998c830a8f6248019153199b9affe3baac1281c05b93a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
59fd119f22beab2df80d478e961c4d34

SHA1
87a171f4fb4411d151bc161645485671260170a6

SHA256
98d11d7dacd229e5ba45c33684fb4647c3559554f55b17654a27f6e53d2dc4a8

SHA512
940ff129a206695756dec28800e8060cc5bb18b7e3f2e2902df605465ab532f5b3bead1f7ffc1ed5264e17296d156a858fea8422194c83081a2b070df121e0b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3f3ca3e9f069f141321af30172453506

SHA1
24b1c4fc90567cd6b468ec3991d197764344d24a

SHA256
8a558fdaea4d2eb06e443c4c544d2f97ab9ae24c6c2c576c1bf863161e9fb75c

SHA512
e958da5cc446efa4c2259b3b0a47e6404266c8ab000c8859611a84d323200383b82ef9137a50eb8c328f61cf9ba86f6d569c4d513f722ef3c5a679eaf723afa3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
446af3a43bba588b99e2273f01a9e07c

SHA1
97bb746fbbd76fa3e9c4d339a70e817ac7f39441

SHA256
4bb662c20a07c83d8cea4685e4bc66f160adb5acef2d35c38f7af370187d538f

SHA512
de36f6111f12ea1884a764dcd0c3647aa56b64b4094049db2d38f4d7848a61db4c8381ac7835052b012ee9edfb8a3824aa23947518823c185bdc5c96eb162831

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
701f57ac09ec70db74b3e981b18b2adb

SHA1
412192b6a36bedb68b8b23dff814229eeb465858

SHA256
84e6d79b75247842c384b3c8c8ef31dad83e554630c7d889626a8cdfc395160b

SHA512
2677f7d3e0384932a850181131b0fa0ec48867409c5ab89cf6451339d8fdb87322a472edc87575737ca8ce187edfb0b1a64ea2d7078e988a45fe489df9e5d258

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9145172d641b38de04d95647af435d2f

SHA1
08879e2ae1a82af3d632f48d21f89097279eae73

SHA256
6aacf89a680f4b9daf971e025aa55e972e1634a457f736b0b456fee88157c320

SHA512
54f7392cb3aa508826ebf6164dad97918a6cb059e8aa605005a956fd9b386ef4f86907f03e32b62b29be05651b5c62877e131fc7ba50cf2350714c0252a7c6e6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
0919b0e8d7d64ce1b1e002f26ea09963

SHA1
e16b74db54ce000a725cf0fe29be2ce11af383ed

SHA256
a173fa4fead64dca916aaa2e31666858253f7b4278e39ec38c3e72371b0f15f4

SHA512
71200103c770b3db0534dad38694c62a894dbc28683bfe8844726bfd48170f5275c6ded8d42d95246072766f851aa80cf2ee9ef89c6eb8d8590243f61dc33d8a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
1547e1c3193b26b341a73993e0b0926d

SHA1
d2639ff0e62a8391bf6593d7c761959178d27e3b

SHA256
048429868983fb0cbfe548f1abd878cffa8533bc223fb8a8fefe079fc6263efe

SHA512
68371695d24eb36559b916f03fa0dccb716bc50dffce8ec8cd41a9787cebd338b26a455e6085fb46080c4740b58fe70703cfbe818cf66ada5a8f773a73137165

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
46742a62d7d3e97f66d83b432940b07b

SHA1
49479699d96b5fd756b43f86f3a587a7f3349d77

SHA256
17afc50e2810ed01bf830988593809379a2a8e9db2010c93d0caeef0847cf712

SHA512
a8de20b28b81a81ad5801834f3f0c1207228c06f652a351d7fa03768db50288d5c706bd5c8cd6b1be770ddeab2c39d0eba46aa100345b60e9f00e331e3621930

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
7074860ede573501b929e7af45726eb5

SHA1
bb6a44545556e3b617c62d053eb7d660802c86c4

SHA256
3abd12dc40e5a36a7c5c7510d44b9432485a47b7bb47c2a5919e618e70cf1e68

SHA512
fed9ea43b4b24ff4a11a4e2b8621d8f6887be40fd1d6f4a1bf67f5b1aebd19ba06e3c9cc7de1292a4a53e8570984af8b9ca5ea98a383be1fded2cc668643e175

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
6c53b3d23ba914a97f16969ef03490a0

SHA1
29a72da33999ce769219d9fce730873eb093137c

SHA256
82d9e8100af71bca1550d79201ab3945bc8a38c2a5d044f02589f989e7f31c9d

SHA512
9f0bb99886d59501d8b415c8db970dd558b127b25970f18d4b4df5dbaf192dcce93bd90cb4e58e74f0db1eb34e558000eaf845af9459b686775743276a58fa7d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
77d848fc85f9b6f3fd74c8496b615636

SHA1
cfec337c3a1edf4283f8ed5492afb81f252bbcd4

SHA256
c93105d6326b584dece07dee041daadf86bc727b1373c80f9179540a4b1d10e0

SHA512
4293d6f4fbbd5b2e5e2090dc635ff0c8e61d219f1d9c6f455e92f39b6bc7c5e175fdec53b0f84200f4e26f3da47df08a266940ec10b22922db7f6917c40aa4e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f99ef4b43f1459515acdd0e8657364e7

SHA1
098ef52629d1e20d7f47aa7b56d3887436db713a

SHA256
c817d84ed86402cde1f3120d4c408dee6c3a10ad629766802e80dea5c3f64462

SHA512
9bcadfcef4462192a7cce2ed52df79a723b66eef23ec7100d117ae054f481600b09b265cf0d69ead5f301475389822edf765b54a580f2b27f39e78fd77d5bc7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9e01f3c9b3d0c773532e8bce374aa678

SHA1
5f2d4b91d719c9ef1a9bf8f9dabfc3a0111eef3f

SHA256
1eeb8fa0cc2bccda5d720160d7f531884689baf8dc95553f8d114c016a4dcb37

SHA512
f537550a5ddbf1c4ccd6901da6479c7eef57437243f78fb99e6b242d0b522822a0aa53503e56fc01f3e6cc4afeabd31cb567739625cc071ca63b9f87898f3b91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9a264f900804280eb2084b3b30435231

SHA1
f12a62ac906b89aa27b258d8202ad48a89a087ca

SHA256
6498836c436bb578d757bd80a64b0a1a2b9f4d2517c048a335dfb498c30e749e

SHA512
1dbe25d12f3b751f04bbae29e27d16e7b48a5d04836bedeb36dfb82520a3cee0016fcadc6f2025fdd543435379bd444c7284cb66bb521381d9aed5ef378df1c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d5674a803518b852f1670d42ff438ddd

SHA1
e6b40d200fac925a77532d51b4cddd32871612ec

SHA256
774c16dd2e0c22c881ba7b892aa7964ea09969bbc3fd29122ab54cffd989892d

SHA512
2bf0e5c3d506de0e16625942b329fe3727b8025defbbca403a47c5f781e8b496fc2484c9ed12321d39b0aaa3c8abf3f520bc480024bae4ee8d6912ec6579aa72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c22874b86b9b16bb309c6401cdaf5ffd

SHA1
f7a4ab3187ad8bfec3d8a76f8237b6779b112c6a

SHA256
14404689aa609e5815749aff99f18f608fe55083ee62c9c1afa14338402c4fd6

SHA512
eeb1d7e485f5c354c162133dd240ea44524dc7ac4a6295e9303f92c066b636a1a5f8a08c85f6a149cc817261d7f98c73eb3568b0442995a219ae1f15c2cedb6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fe6183a22450ada8cf4f0abae7eb37c2

SHA1
bae9942cf9b1c6d5dfbb7871231dd4b090335a41

SHA256
ff8de81b28191388dda1d77985191f84f6bc3d86d6abab2b9380ca07f9f27460

SHA512
eab63663ddbd6f23c23e11e9d44c46288f1554ae45b81908005c4d97a34e4b3d1e80b3d0b8ffd14175db28ecf39831b7bde684e3a8f3d8c575f619efe47038ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
27a8870a619ed2b0ec5b34c301497a4b

SHA1
810769d84428d8ce1af46ed458def2834d01184b

SHA256
b72d3d1271476ddeaa5d4164a5e615f281e522a8e29e6faa9cd8aff063784c70

SHA512
2fa72243553fb545818a8d91b6ca6ced5516ef8ce7b6b34c727d888a28db7298038fded24e477896d235bd35ced874db4650f204ae4114eb64ac6e9b018e4b5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
4b43118c4b999f3293033798ffefca36

SHA1
e2f83861fd0061a033bf5b587959004669a84fa4

SHA256
b723bdf51c04f6677cb235ec9365ca70154fa7cfe2f6642c7ee2da0c27ad8a56

SHA512
6f738dcb50ba94f3e05a26935bdbec74789c51c6ce62f27be57275ad78d0f6c872314c2ae725448f9512a268ef41a9c93711321e5f7e5fbc80ba037258fe0dac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b5e6a79d0b271fed78cdda1d01ce46d7

SHA1
a320b58579e87a5a6e791c69b02e84fbaea040bb

SHA256
1ebf9d4c895fc5d70a6920d8a1a931d54e4d2c9ec023490d9253e624e7df3694

SHA512
69f586d7d121093e314845a24e6b5c3e598053c11b17bfe10e74162cdf6f19817b0ba5bf6d61a93ca13f03b998889252f775282df83569fab2305f6aad5130bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8bf547d5ec9eb6bf9c92cc27eec11d0e

SHA1
a0d16958b5bb7cc090a9e2e0f66cb3db3fa7322b

SHA256
1481b124a7306d18a91a5b292d46803e10a8f4613d568fd97771cd222f11f872

SHA512
ec5109e75fe9e97c100e3a0ec2e9243a5af4ff8bc1c8d6882c95ef46ec6dd0eccc5685155da4cabf1440043b277bc6723137eb696fcc684ca7e1b9ba066f1b28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
b11f78518e26342308278f317e3f3fa4

SHA1
e7ff966af03f316d2880ad7d94563d0a49e9e73c

SHA256
2052a6c7545901bde20b9f5767570479d2e305658512fd0c5463ce0904e4d7d6

SHA512
b52013c2db11ee1cfea6ed903f34e94629465d5a0d619c6b5b7146ff816e0682db36808cc29317cf9c96fd36e1b4c2dc4d87ad70a89277b5fb185dd051dda37e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e0a8acafb8f13158dac40d9cecb34c30

SHA1
64db848a84470b3c26ace03d36a52b5c3db52d89

SHA256
4c05d803ff3d6a9c64037b9ff10413780117365e8d393eb3dbdf9734f4d5b050

SHA512
c5022eba37cb8e55470af17515a6f646984b8880527dba46f163fc7e12bc7f09beed127b987141f009f9acda44771652945762c1e2deefbbea4ac6f97dd7cd5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
78d76c3d612a0325143d6a025136d017

SHA1
c791a8ca53875b1d025ccea564c9f2f1196ec5c1

SHA256
f459caa8da6efc09d3d1731ad5c411c4234789db076eb70bbe2b36175e57cbd7

SHA512
e3791eb912b6a185d2637e4761642292aeb20aa5367c0925266b14651cba3b82bacc0b168277fe7c140f89a317418a622fd7633e22fe73ab6fea4ab72b1772ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
73c10cdd79e9885c60a9c6e2fb6b5fd8

SHA1
7d0df32fa8f52677549b530a9b1d3db79c88cab1

SHA256
84bade45190936f98461de9e4fb58069e1bafab4be281e64f60568f0ac238e83

SHA512
e6ce83ad84503ba6d869601408b0236c4209cc8543a208de9ea6b1550926aa8be40dd0fe19284603f00809916e6bc994c0d53b09ac9e26c9ad0ca7ec401dc203

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
beeb646c0e6edbf44f40cc1ff37511a7

SHA1
4441ed203b076582c0ee9a37e954e3d2648a6a99

SHA256
f237dc7efddf14afdcf1db8d0b96b849863e1afd2d4ca318654f589228e0715f

SHA512
defe54cac3fd9bd36e830f596650ec269235ba48e55ade0851c272fa986638db135afeac3ae74df508ac4e4e8b9c4297758d28c2f484b5b1c0e39c12cdc24bce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
491711fc9f4590b3f29a6f5b619a5af5

SHA1
c4d07f5f1438b29c56f526f30a5f14a2f6e03cd8

SHA256
4f3af17b19b93f14148d75179b64155f9bd68245c57c242bc3e544e447ed1889

SHA512
ce4a903f5d021f1ce775472f040b04d6a876884773332f5a6ef7b4fdde4fb2a23ec2a6b297b982dfaf599cc69cfefa37e8d8b02f8ad5b333d4cda5eee84f0578

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7e5b99d45ef0ce5591104b8445dcb9dc

SHA1
d10e7eacd8f747dc2bf333a918af0f4f0314d8de

SHA256
657fc771417409a855a26ecd5717e2248db4a4af775833c4c40f548b9a65c04d

SHA512
66cdfe55c0420363e24db2e4fcc2ab743d5e7120c9a4488c8dfaa8feccbeee607f41efbad27e61a9f7605df61e60053b90ef7e3addb76a9c86fdbd4a0dcc9962

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
93957e615ef10623cb081e8080e962e8

SHA1
1de60e3e6c641e5021bb47163af00b05bfc25673

SHA256
f293de83def0efcb78f01f831c018bb6a04d442d00920e169b8354aaeb6d040c

SHA512
06cade28a52012a9d903f594976982d6b5f8e099d8d3e1cbe3f18f99871c908e18f146f250696aa54a990888c43236da0ea8c7e8d0086e1674d0a285b097e2e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
83e738832a3ddf042fa21dc5e4886da9

SHA1
03ee41e8865ecd5a6901a89e3c2a9d8b9d296aeb

SHA256
a3dfdec869959778e04d10ae30bc7208e5625773f42b7e06f3af3947822c676d

SHA512
7cf54273ae7b48449a3bf50e1714bda6b73e75dd6a043edf64a42d346c1fd3063e335f36c54fb2c4fc7f101b7fafdd60566cfb4113431e0a5149fadb95f3b3e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
4e50c0fcb3c8584865daa21ee824d34a

SHA1
6233a40c2b584cd62d91b72a222083e822b8b00b

SHA256
4d50442a7944703c7a4206eaf2d602033abdac7304f25aee5fbdf78d5ca57f6f

SHA512
056c8d33aec5488b74918a4ad74ec464aea1cf5e7928d0b9dda8d362c3fbccf13f8563c15289b0c81dd6743eb9e5666a03a1db58f8adfe190288df2c8f52522e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
03a3d17640b43a3d05ce8454909184b3

SHA1
ad49525f34f5a3d3c5c7c943000ac9fc5b48ac13

SHA256
e896556c00efea0ef904bbbc3e256db7d2dc86e579c5d4db6867d44c0a32df77

SHA512
30ac3918c3c8c3ff0c614478d9a41b8903501a1871f34dd90b0ece7a5e2bc1fd3c92dcb46acad6e4df0d205aff25ee0ae6517dbe76c20626430737b23562ab73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
647c7ccb74a50c8eb0fa499dc2cdade5

SHA1
89b05e1ff92d82f1d954ef78f46d4c3d5b613e32

SHA256
bea3e2f2e677511f1c8a4e22274310acf3f72c21d21e7091b7b47153b71024b3

SHA512
2799f523476e9a39d449956f8d49e0f4641b7045e66f16fd689666fc8d838c5a23bc9629347fd9ac1cb04655a43d4fe77dbb7c4f2c54ff39a991879d7f5ce3de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
c3c67edf50ef943dd298b1fc8cca8b86

SHA1
943316ffaf4e2bf4b3a01a0171db9b1ec61bca3a

SHA256
8568906142e8a8b1503e66d953179eb58f8b6d51848e823cebca7fb9aa0e67ba

SHA512
d853db1d058d1282b8d456f427e2d148041ea9c0b8ed8ec8195fa0beff1e44d90dfbf2ed646bba68d4a08acbe57d9a4f022ca70ae4efa4c3cf8893b50b9a048e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
bc670c2d730187692027ede05ba71dca

SHA1
ba29cafc6745cdc59611fa6a06f466028ddd1d21

SHA256
f88ca4ca3f42b2c2e63270dae1aec9e9a0553c1f427e1cbab2a6bf3daeee1a03

SHA512
d12d75e36585bf6e2e19d9c541e9bcf4d8d495a426301d984d80ea8ac1ce427a64d637c73a76259ef6d0df047d9e559acfd835612b1c0430d04445afe643e59f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d700f1cfc9e763a611328a7619c4edf7

SHA1
337d4c03cc6eb438f6e0ef59de7559dad20984aa

SHA256
cb6099e84f8b6cb0ae93d449481b9ea431ca498a79af7c1f0f804a75744c87cf

SHA512
5c2525f3f381b107dd5e4aca0d5eeae32d5cef8828fe42a47d2f2f03c3463351bd52dc4339e53e753b57b05493eac1f66332690b7a7baae5e40a42e4263eb63e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f80c486a95e2b5a7466df5a25e94b105

SHA1
0f5b64d7cf1d5c38291addba0425b11523e945d3

SHA256
c36a9a3887e8d2e9b0355c3e5f3e1b01ccc158b64f92152706781fa9a6d7b1a5

SHA512
49894243f2c0b1468255f76f5d8cc982ee3bd589a32e158cbe6f832e332ae03827019dbe8e80025ee3033224e8171e7746df31ce62ab5338f330051af714d5f0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cfd5ee8b06a1c22240695d69b4fcc630

SHA1
2c00357c6a15f83a97c644ed5a0fcd344e72866e

SHA256
cab62c5e6b14e8d87ff46b5ddde2d5ca659f60e21f0a5ab05fb2261bb8829ede

SHA512
c8df9a184036e5da00a1d859529d4dce0a4f9120d1460fa0af1be9647b8e45dc4837748d1ac5195fad0a4e2d7b6fbf0e459e81b185f4aab836ee097f6e625177

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a8865dd4523bc9d7f8d99a3348c88013

SHA1
8a5a0b48f9ab2b0baa0abf8129d97b7825a24a08

SHA256
e3ff9e53b2c8596c8fda22876782e6c4b7047aae2e4bc33504df137c69b43e1a

SHA512
596287a2751eefaf6fa0a5ffc97a818f64b18122c9859d1df395b891bfd8ec34153250fe9f25c138662bb240ae9d44bc45882aaee4422e14b56d7462304e95a1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b9ad0ee61c95623df7f2b674cf1bf207

SHA1
e1a7a3dc1bb818ba15be79117ae341c783b8feb5

SHA256
c9fb1b3c4b558482b88d4eee9dfa1cc118f784551335bbf543378b49b5972075

SHA512
7814b8772f04b98b2c86895123cf2733746ff0f382f94f86eddc70efc670cde99313cffd283ffdc41b5f68109bab3204a6e6d97fdda5cf4a340334360aac0259

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b9f7421eedd4f8dfb36f9b084ed1bf80

SHA1
c1fcef780c1d0ac3427183a41fecc6f13fb2de58

SHA256
bb5b8a2971226c77894241703c1ae87f8238b4ce013cc87ca8e4fe15808143f1

SHA512
9238a0835f929a40ba4ebbdeac30a5f05d29b83c5e38253a7279ba424cf4756cb0625d16f347871399487a70dd5446980ab041c0dc52a303ffe0ea947f6572f4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
720b1b12e174862ad095b0cb2f9c105b

SHA1
40b572151d47d9a6d146f536333d77e2ad8658bd

SHA256
40f9df5b8b1175a6ea60b4485e65c5a11a5b57b084ad889d327c23547f4213fe

SHA512
87401704583f03972ecf85508bac7389b50756dbe66f07e8750f00e02a8936afdbef69dc44c98ee53247568c997cf0ccb1d227eca2858a7de54d43861261afea

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
01f3122ffaa3e3332401bd2a799e3360

SHA1
e5ec6f48c1cd8e4ce9634464b0cf149b99523df5

SHA256
91090709af8a352a9e7c7b59625ef1d0d3c32e376a129b6ae9261995b1b5c210

SHA512
c21b3c454f89241f5ac80c01ee27c35575a7bfa7612d51909055216266f838a8791f9875002be97a57c01bd14f1592151e3d4eca3d87865bf447e30b740d7d06

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1cc77291c9bfda91c10d562e837d54d1

SHA1
2711c21b6382088406e48695fa0522c991bc18e8

SHA256
5fb6184f4d41d75830da1132454411db3d115c6b92bbfbabeb8e42c2b661ad57

SHA512
0c5f2196d57e67b3ba08dcd5cf800852f218d4417bc319f26991e8d0eb2bd039c2ed258413f3a10ae10dfaf71e7e12613be2abcf94e5ab4f363ffd9d5c1180f9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8a94abb2c7f1ea86fbd53a9e88d28394

SHA1
ab8c487aa0316d1e626605fffcaa3d34390a0a10

SHA256
45697b55c16ce2bfbd7b70e15169bf61ff1193c5e91276e48208da2de9dae522

SHA512
a6bc0589ed879c9b0bc764569582dd3719b403fc0df49bbc50ee1febd1fd0efa5172c13d31f0ffb07f29ff6ecdfbd6ba57982cd93abd4e7ce39b474eb9f006cd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8493fe11e7eee6dd9a42f799c50078ed

SHA1
631d75e68ec9be305f7371cf1be47f37ed3d5c37

SHA256
6644179381aecc64b8684859adf032022e79dd44309a98b6d96b7175e351e3b4

SHA512
46826b59394b88541404493d1c8b2ac42fd77e5c8f3d1c2864e36f081444d4938683cfa007a4e11489b09f2deb1a7e8c85d1735049b17469a577a6f6cdbd0732

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5281495aff7008f5265357545b6b7ff9

SHA1
5095726da7e8082a455a918159420855a05463d0

SHA256
a2b851f54337e5f4ad2059c589411b8378e9ee9ce1709c4f9ecba7b929e70e5f

SHA512
fc0e499b125b79412a146f182318308456b8c69af422e7ad38a67a082791676afd16dd433235ef2efe2c5bde2af852a6a0ce4dd0497e2475f434fbf335eecf98

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cb797ca6f19aae143500a3b165a29df2

SHA1
347a6516f9fa8c02634b87e328a178d3f045f639

SHA256
e212555c588491f66ea6b21bd8e1e608a7b74fbef447ce880ce565ab02fa0531

SHA512
ea4ac62c58b0fc43c10e0a6219f05cfbfb1ba2ab63b2c61a70146bd615f37e31a7804bbf7ebd9e138069a9081cde3f494c9df75a852e79c8312c4c71172e5455

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0c507a8b308f595d3406200eda920708

SHA1
4d1b7ed2b39242a5d62d118cd4b92f82ceddd31a

SHA256
7e26cf06f8546e364aee02292deb69d28c0b7f277d5babd1dcc739b9e3e22a6c

SHA512
8328c520deb07c418261e17ffe2ddce93e9ecf88da8857b5ba52e215228671c3a94c3029020b4f969dcfa19c6f453d9a9036d5ff3a1f8c79ab60a85675e1f268

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f931f948548563d15e9444fa9757e75c

SHA1
4674e593f3ad4d38e1bf824ca025f7db6f0605b2

SHA256
0dc49f76fa9f39f3ce6f5814902b7b77a12737db4201af7118e3ec078243c48b

SHA512
c2bfc4696a131794f0bdbee4de172fd4c64c3c48333b954b50bbeb2b44de3df55484fc298f95b871999d4c021639048af49f901db9649197f5d25ae8fdaeed52

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b41476c06f97f20c687fa760f4464fb3

SHA1
f2af44b5c68ff3a77a0e56b0b7a61c6936e1a7ed

SHA256
b366f6ad538206cb7fc5f9bf79bad90baf81675d82bf0de5a259f003b9c8f997

SHA512
548211d3867bec36905f417577e19ce14769e1dede63a3020ae8c17a5a00f2672181893c6c72373cc648ce829076854b997b285e8eb118923eea547bc4483b44

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ad9d553095bc9aabf4ad2a2fc0ec299c

SHA1
f360b44fd36be10f2c12acf48cad423b61d78545

SHA256
768626f520f6b5e905020e24fc3a96320eb629c5321c8dca682126a68c244757

SHA512
69f322bf22fed678b0195c0b999d71d9d80101c84e721320c2f8df0372b056dd9fe8c5da47b0f5bf4b27f14ab7a07da53576aa8042ef771dd96cc94b912c9fe2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8a9bbbf2b488fb144468ac4cdbbbc133

SHA1
82d3e136cf5c915e43fc65f1f152644e5fec0aa1

SHA256
22088f04834f8a088a39a8ee6d213330b04e3c45ec7416c9bcde3115527573bf

SHA512
7deb5dd487e3741e746e04ae03daea4155f42875269b45a2b92588bff601f5c78de8963ffa0bf0a6df8ed5949950ef23d3a74d9c0c9813e3140b7912e1e8ffa8

Download Submit
memory/512-23-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/512-86-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/512-24-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/512-17-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/512-25-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1136-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1136-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1136-255-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1436-327-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1436-514-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1464-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1464-636-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1980-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1980-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2380-405-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2380-295-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2844-31-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2844-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2844-30-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2844-39-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3088-298-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3088-417-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3100-635-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3100-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3176-644-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3176-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3544-424-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3544-643-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3556-54-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3556-55-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3556-65-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3556-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3556-61-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3672-7-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3672-1-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3672-14-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3672-16-0x0000000140000000-0x0000000140927000-memory.dmp

Filesize
9.2MB

Download
memory/3672-0-0x0000000140000000-0x0000000140927000-memory.dmp

Filesize
9.2MB

Download
memory/3704-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3704-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3704-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3704-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3716-344-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3716-534-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3928-517-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3928-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3968-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3968-642-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4184-292-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4184-393-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4404-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4404-634-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4404-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4632-578-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4632-364-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4720-381-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4720-269-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4844-236-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4844-75-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4844-69-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4844-77-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4984-250-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4984-243-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4984-355-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4984-244-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download