d97bf4249e7c2261cf807909214e4cded92c4a42dc51092ca0e12ea5e0a66f75

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

494796ee4da239b94e763f2dc66bfe40_NEAS.exe
Size

950KB
MD5

494796ee4da239b94e763f2dc66bfe40
SHA1

5c93374e18d9da49104f404c8e0924dbb94035bf
SHA256

d97bf4249e7c2261cf807909214e4cded92c4a42dc51092ca0e12ea5e0a66f75
SHA512

38b656a5c6d6a2ba6d8856793a6004088c89654e3289ca621b315e02dc2ca3627280aa39abb898de5f97080b37e8b70c746d6615e51926484e894ba8e6e440ad
SSDEEP

24576:oeoRGZwOf1d4SRQ5UOOU62FBnO+E222YJbNEUQKGOb:oeoROf1o5UbU62FAQ228QKl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2420	alg.exe
1628	elevation_service.exe
3900	elevation_service.exe
3168	maintenanceservice.exe
4748	OSE.EXE
3200	DiagnosticsHub.StandardCollector.Service.exe
4492	fxssvc.exe
3104	msdtc.exe
4488	PerceptionSimulationService.exe
1612	perfhost.exe
1928	locator.exe
4548	SensorDataService.exe
4616	snmptrap.exe
2068	spectrum.exe
4840	ssh-agent.exe
1676	TieringEngineService.exe
3868	AgentService.exe
4364	vds.exe
4224	vssvc.exe
2760	wbengine.exe
3828	WmiApSrv.exe
2364	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	494796ee4da239b94e763f2dc66bfe40_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	494796ee4da239b94e763f2dc66bfe40_NEAS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae4088ad7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	494796ee4da239b94e763f2dc66bfe40_NEAS.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e09617e20a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000082e877e20a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006283fa7d20a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d309427e20a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004ce657e20a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfc8c27e20a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f20f87d20a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5f72e7e20a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed960d7e20a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe
1628	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3400	494796ee4da239b94e763f2dc66bfe40_NEAS.exe
Token: SeDebugPrivilege	2420	alg.exe
Token: SeDebugPrivilege	2420	alg.exe
Token: SeDebugPrivilege	2420	alg.exe
Token: SeTakeOwnershipPrivilege	1628	elevation_service.exe
Token: SeAuditPrivilege	4492	fxssvc.exe
Token: SeRestorePrivilege	1676	TieringEngineService.exe
Token: SeManageVolumePrivilege	1676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3868	AgentService.exe
Token: SeBackupPrivilege	4224	vssvc.exe
Token: SeRestorePrivilege	4224	vssvc.exe
Token: SeAuditPrivilege	4224	vssvc.exe
Token: SeBackupPrivilege	2760	wbengine.exe
Token: SeRestorePrivilege	2760	wbengine.exe
Token: SeSecurityPrivilege	2760	wbengine.exe
Token: 33	2364	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2364	SearchIndexer.exe
Token: SeDebugPrivilege	1628	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3676	2364	SearchIndexer.exe	133
PID 2364 wrote to memory of 3676	2364	SearchIndexer.exe	133
PID 2364 wrote to memory of 2644	2364	SearchIndexer.exe	134
PID 2364 wrote to memory of 2644	2364	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\494796ee4da239b94e763f2dc66bfe40_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\494796ee4da239b94e763f2dc66bfe40_NEAS.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3168

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2572

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3676
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
  2⤵
  - Modifies data under HKEY_USERS
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f1fcd39810dd13353164a335fd66921f

SHA1
7ee05f1a31a03fdeaf43b6a447476e2cd85a62a1

SHA256
b3d8a5ae7f50171f33e0fc24edb6e937eb5bcbf4e344c9b9ec6c582deece9e25

SHA512
f7970c728be4206e004d25feeef038d3ba4400c2e83c696966f8adea3f9e2391225bf62a633348a260c7bc88bd612ea3a3cebe3e073e22b18b9ff673b11c1e37

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
a7d04c8dc7b4081422a738860f4a4563

SHA1
881b914e42e1cb3d8de9182db3562a29c5aa6b92

SHA256
7235dcf365ab322c0197da0ccc8f7272838a34080cd9706f8ee727f021f284c3

SHA512
91e703182a2bf62d1893746d8e7b043f1f1df1a73862e09f751f9d731912265f974fce24a9bcf61319d115228a53363ca431e464380144aca693cb9a78e6d289

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b344c04f89a9fd1fa01612d8245be251

SHA1
22428f20ab3e3f8aa16f0cea9b0c1ee06ffe7306

SHA256
839dd310af0cde6b35137f659e4c80bd19d5bdc143ec3f67d5117ae4a45a6ea7

SHA512
8aeec7b9c6064a8598c74dfb07a4827e87a7dbbea00ec347ecb65f3b7f083eeeadfccf5b5fcfa4a1b08518cbbaabadab394f33745ff9478e9564ab93f9f2c8e4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9361129c81c1348cc6a8fe1d71a2409f

SHA1
c2ebe5a5b24eb3a9e7162d8b83ccf38d3479c462

SHA256
1fe36cd8d32ec6c64d62a4cce412c4a93a806a60a408f9357b5296f7e10ae3f1

SHA512
cd067abe0f0d26a58c301d6e01d4e1f924d561320895eadc0cda2b5627c41e71be5fabf678a12474499b0aa71a95bea3b140987fdb0743557c29b13e4e1525a7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a5ef39fdf811d35df395cd1e22ce664d

SHA1
e4b69a3158728b6b20e33922a1aec382e394c6a3

SHA256
16e48a903e215cdf5e44a6c13cce0b460c3adf773410eedb7b01084428bd1a92

SHA512
9e6e3c556986ea0b16ae8ca240f0282bd90b735920ff66ebafa6a3c20d1abf600fd80db9f63980f03b3977dac299c80f2f4510a73759e9da87a3d368464d3ccf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c69778d12dad83c26b94da96682b304f

SHA1
a003318e1d8488cc660c82fe57344ad8f23f6770

SHA256
68add310ad78f607437451f78923ed9f47d25e7b30c86897cb5c934b87a4e129

SHA512
804a51d58de4febddc23daaacbe41fa999666e3896c84ddd62342e770f1c74df1f055b81951bfc14e943605f3613e4dfe78d5c4ed510dd4f364a073d4a38d51d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
684154395ad048db54eb4d0b20428b2b

SHA1
805b5c2644a3230d36faba10d363a2dec9fbda7d

SHA256
4160d3ed7e423abba31997948a5a1c814b64d8de0d97e12a2511a40e43c98f35

SHA512
ab944a47a02085e7330c98dd68b476f8a8d5e774639faecb43473d9c992f5f4055cadef6dc355074879f88ffddff01cd6049bc76528a1ecef313c94bb1b170e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a2482cf1992e62f1e339d2cdad7253c0

SHA1
54c853218a96ecc0678b0c99a0c79cb1f725667b

SHA256
983db6f8bc94f7fc30681924b175f69dac0aea16f8d4f536cd6b2e3a0ce5563c

SHA512
c58a21be3d3266f6b1532afce087220395bf3d538b9eae0f7841a32cf8b9a31b4b47c8f1ff11ad17d69f88adf2bf50c95fab6e53cc53066bd94a907982fe566e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3da6628de132784484121743460368ea

SHA1
62720433b221f595f8be929af1c6b23f589790a3

SHA256
0e45924eaf441cbae757b27cf02e89d8ec92aeda6a4235cb8b9721dc8a9c8ea6

SHA512
70f3b12e759b318bb36013696a99dcc4b7293e4f55c69342143f8f7f3b0fab40c61f8bb86eb36ec5adff0410a9d3deaf8c5f483acc8100ba4b471f14953400c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9b29e27dfb2079ff41287173cbc8f4c7

SHA1
b5ec60cc4e47a0cfa52278c84ebcf7da63df9243

SHA256
87cb2d6891488c03dfe0ae542e899a75a614b0efe0abdfb5340d1d5fefbeaf53

SHA512
370a4ff27fa6a470b7da27921585ed03732958ac314a607fb4f274e07c190bd7b1a7dcf615d26b6d4743e1c528b9fb84eb71d65f52451d1aca912af061da0aed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cebc40ec0917410dc6dab1d653a900f5

SHA1
b96915fc09669f3255457d1a2de75d4a48ccf1d9

SHA256
0d4f22b9a87a6dcfc34408e331ab1ba85d15fb085e3fa072adc69582e76d5855

SHA512
bbc3b3996645cb0c37ef23364a4cefeb1acb642c23ff396d0cd1e8ee979fa8ecbef8d269d14726fe7601492cf6201678cadb7bc10b0e9e6660133b69eba7e1eb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
20be2880129991b873bac1437b47b58a

SHA1
e7fa218d27df17d32b37cc0111b7095f56acbac9

SHA256
7203c69ad30d269da958ded3eda42b225566263e80b6a4d6f11f4ec89b7f62c2

SHA512
823fcd5180f72ff058511ae00fde226a116c4f9781f79228940355e26ac82ec656e7208c48ed04cfba6d57c651200aa538b01ef24db81bd2a06714a3575ceea5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5e51be697102ae8796d8ff994353e75a

SHA1
b340aed8df590104ebf5851076674a7c71843221

SHA256
d0881a0b297f1990e23e9cdb3598076bd84fcb449307fcb8e196a2956d5fe2ea

SHA512
680c15c23efa8ef971844ccbe3e0c69ed96819c5eee3377b642cdf46a92a62a1afa2784cfeb8b0b66c5467dc08e5b434546f04cb73364489c5ecea34174d9c01

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e4a692da21802face41e096108351e0b

SHA1
3fc56cf64306c3f5efdd2b740fa12a363ace530b

SHA256
c8d6337cbb15ea3721e41b6b07c74d986f31601e144271975e945c2e29db6fc9

SHA512
1c7e8c99dbffe0892eb57d3df2b1c4bed4fbd9b226e6c1d8d0ad1c04046817559634658a982f00e200ec481db3aac0e79d46cee041820d7c926678328f37f3b8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5b87deb68fc23effd732f7c1c71aa27b

SHA1
80564a434a28e255ddbc606848a896d8ff06fb28

SHA256
b732ce17bd35858a53394bc7afdf7b92f357fbfa6f8d6998c5c5489558d9b9af

SHA512
bd837caa6651171aac8fec18ecd06ce9f42d332194167136c3b023dd7eb21f9d48dbe5bee45fb7430da2030a12c9789b97b0823cd9c8e59b010c43d4f671fbe1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
c9f565359c4e125fb676b9ce228c8f2d

SHA1
7ff6afcb0f79a2036cbe7c8b98b7eee5e23eef1f

SHA256
e1272903e59f08fd54024c8f34b5c5533807d6dd9d775467b160493e0359e1d7

SHA512
287b4f8e2a191d69a4bf78efecfd79bd2537d276cbe30d81a309ddb3fc2668cb99e92c2698f3859edd2349feaa7291786053999ef24f3d755b6f3d404f19662b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ddb292596692d58d9a54d83670c8e76e

SHA1
7779a1f7c5607e893b055d85c4d84f9ed69c78d1

SHA256
a4446bc2d8b4dab4767dc9cb87ed1926a2706353ea9bb8d4b99880f3e0d25787

SHA512
3adf5a01b9a69dbba53de0b32c40cdd95f52934a3825b9c441048bfad5fdfec48ad6dbca7b345b333fc786910487349c1992855ff7b882917f9f1735251ef1ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
2f96819a1c09cd1b4de94443da7cd80b

SHA1
3c78a76aa96b176ada9cb7004c6682d20ffa15f2

SHA256
f3bf93e25bf3cd28fee4e1c6b05149c54c80dc3e2c0833e96d37e42248a79de4

SHA512
533fed4de8406b5727fe930f09b1c61c15f4db8a1841d1a6714ede8a96425d4021df13ab2cefbc4f7663aeff0e845af12e971955af50c8744d190b883c6d7c29

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
b610589bc366ab083e3918b4cc3365a8

SHA1
ed725eb5ad219a6b6b5853ad8acd639e6c202b05

SHA256
c5ef26fa42610b77ff25fc118f338e2188a18405c548e9130cbcdfbcb23e5695

SHA512
9be7bc7172ad1b9525ef429f16a31d741d392e61c7c9940a2da41a30307ad81cb63dcbcd045a4d00e02d16c0f0037d1e7f1152b69d69053396104b974b0a07ff

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
5075baaf19cdaaa5fbc2f59d47eacc81

SHA1
2fce3c0d337e9db4738a53b6fd4810b38d745ba4

SHA256
af2e9b4cea2417739ce79df0843ae07a9b2a16efb49cbd1a7ea8f91526fb7048

SHA512
a29267b6df9086b0d7f57f5211bf74818f5af332dc653b2f2601895e0b81a1b8ef05187d972ff3bb77d81dc87f2a3178a59187bfbae68099f459c75c4e0c74ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
835a07caddca54e6152e87cca3e050df

SHA1
5c2d42b4068393b6b471cb9f6eaaab4d844439b7

SHA256
e705907ad4f8d0b17eb2e6a00c238e98ca7966664df89ed2fbe1e1c154153f84

SHA512
66915602d453a68f0add41f89afaa37384f304df6cc2fb496c0a58476df2fadb3d85a16f03d6cef7451b2f8cc848ac69709a50401811bdd32cf0b362576ffbc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
db251c09b129d7945aae388cf266f523

SHA1
c8606cff8897a4291f7a28f5d858f8e745392ac9

SHA256
7f1ea3783ea2a29ef4113cef84d4fec489a53410b31faca7df1932a10ec808f6

SHA512
fa0a6c48e286cce44d6e6d4128dd656a272699c3491cf8acd42f40a4fb0d12bd5e110364c9000b4a003840609ca1b294b5ef9e93f612c41c1cd4a01ee4c60d26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
53cc19f34c4bacb7af549e1d47ae3a14

SHA1
b7c56eae2551bf680ba702e66df902091559333c

SHA256
1a1013d7ee44ffbcc7c45d4cf85788b3d7ee973d52867cd542ac6103dda3b074

SHA512
1bbed0e862bd28b9491d28a77f63e77cc01a089ea12f7b55428989d388d285489d286858421c810b375ee022bcf033078f4c10c8decdfa0fa155ca234b80a05e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a1217d1007b1729ea87cae1a92ca5fe0

SHA1
5fb20f473ef309641f7b99c5ec4f5dba342bbfef

SHA256
ff7a9b7abd31fbbd33dd035ec6eeb0b028e7439a87fe20a5444c9420de2dbf98

SHA512
08100e1de05b9001cb1af7640ce865282aae1787fcb4533eb321b4395113efacd3e9ffd6dd2e1ec5d7d9306431a5aecb9aab8a453322176fed476cfdd9b8a742

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
621bd183a2551a71417b7452037660ba

SHA1
267bc101d31900a1d3761514411ae9c94882b605

SHA256
1e16f08f6d3d237bc8f4dad65af9b75022319265af7decd1351598dad07eba79

SHA512
e7d7a7c982a11487cd461d35daf1be7aef0a31aa2ec1a5b59ca16a06fae9571f5b3652bc960b8c246d09a85862d72f3702583504214ab31516acf70a6b25e9a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
901dfd4c499681587e986e7bf3a2a1e3

SHA1
a0fb07b3a7992890e852d82db78d136af8fd8050

SHA256
5a9c54af10e154dd9816d20f94dad3e0ab112b85bc05a41704060d741e34cd51

SHA512
5e74fc3c31fb023a7d633502e6698a40f0a203ad7f66e2308866fac2ced47f11bf41f960d451c44b29531177b5d800903cf6729f96011747213d03d07c16873d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ab0e564bbc0cb8cf923825d5186c753a

SHA1
8c0d05b5deb32f4de432fed7d912c7bff0a774d1

SHA256
9b147cc3d4f996e50565f27a9d6194a02118f593bfbadf97322a124b1a187992

SHA512
c43208afd8e432d9ef2a7e3a1aa1eedfd03ca2cde739ad62666ee1971129e53b6c7e627b70cf38f145af75d9b5108119919d3c3069ed7c2316dba10eab873305

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f3768d35d54ab3fe0ce3e55c2d7fd9f4

SHA1
397eecb192ce13b2cd835788b68b43527154fef1

SHA256
369f80b1005fa90ac62bf95d72cb9f2f8a1b0e66ce343374ad525993e367e838

SHA512
100f5098bb2ed9d1ea2e86218227264ce65d4e27bfb9e613c62263e3b6086fb6b0d6d39b1ad431d7c82466436d1539578e83da8383823049446fc66340d3da89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0e4bfc9070a3d6cb022f9fd80180e53d

SHA1
27d78cff8bbec5204815e4d12be18e8e582ea0dd

SHA256
111ba9ee9b4bf0c4a876cac7cf47bf1784316fad596b85162fe4ecd532dfe7d1

SHA512
71657bf86c848e8fe3d77bfab1991dc617d4d523fada44e7583406d4affe17231aad5e1ad0232a943597e845650bab737967b2ddc3fa8f6a84361d18e924a15c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0f5fb01a24ab5556b4c7b4e9847ea43b

SHA1
a13642d85ce1fb819185bff27268d53ac807a375

SHA256
7ecfb26d82d11bfc3ce1c2b8f30fa358f77de8bd7063fce2867954bf935700a1

SHA512
f01645c41a193e2b2a4dcfb38b94660e168757c39676b5f34b26400a99ce37f79b02e6b6a97b60c8e0ffb10c599835bc3212d0af4f630d1d41275159d9936de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1b427f2bf3669b1b1437888294a5a24c

SHA1
123baebe6e1f5bf69cbbc4e61c98635a04b80255

SHA256
de6bc3a311a7461706bdec291dab1ffdcb72697027af3aaf78cf3b6679115a52

SHA512
8f493b1ebf09e46b92cd479bb2da646664824a4181151cc9add87a006a91c2f5b89e764d01aba5078aac7068528df5b21d32448bc2e1db88a6d92e09412201bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3227a6a539362ae1811789e31d5492bc

SHA1
12258a1a8c74a8d02fdb4eb866e6881084d957bd

SHA256
f7f81571a5b02dca7edc00f64381a19c8ff4edb6c92301f505edd56fbc920ef0

SHA512
c3e141abeea6a6435a4ef74d030d48a3dfdea8c26c6e3103818ab61560dd4debe56c48d405cf3f816a2570602b0c5d20d87c3c5df6a26a8f0d7d2c3e6af8a3f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c77e1e781dbc4bbde44b5a1fafe47a8b

SHA1
772a1f3a5fc1aba3599002a74ee008da554dcdce

SHA256
0e5a2f3592da88defdf0aa0b3aa445dab93c8593f926cd20d82451bcf39d091a

SHA512
cd6d634a5695c511ca15cd719d3b1334e3e6c59a38901c2c259f8aad4349fb47f65c5d5f144df3c447fd57141f03932ab7bd18fa01be1b06de8dd4d1de58658a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6a6f610468817aebcbde3b255a1f5a09

SHA1
bc9396bc28398fd672156aa925c4fb2b7ace825a

SHA256
82ffa1f6661a4b12505eb4eba4da88cdc890c1ea98911789ceaa9e9247d346fd

SHA512
5ee51d861c3f8221d80de29648b95717c7849453137312a481a511aa9fe947180a918add86287bed8ada12dcac96ea3384e825efec70d89feb5ae22dcfd115a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
20d90180f4f70ab97aeb66a9a6acb0a1

SHA1
78c179cc5e5fa9340e23237d9d995147572c55a7

SHA256
94aaf793dfe05efeff33780ad1c6412334aae39c38ede33f936662cabd181e7a

SHA512
69a6796f0357726c07f8d4debaf787059bab5307487051463cdaee066b520a5805e6d759014adfcc8e97b1912e9923e0970a69f6880f5b4c0feb2b395c638d54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f99b11a68d49908ad6d47140a2551656

SHA1
0563d132514ab27cc52ed55d32d251ed04eda375

SHA256
14b837da1ed79ee392e0df0e6c5b0c32e2b30d9db62f0ca4ccd21fcb995a3547

SHA512
bdb0d360b806cd74b3dd24f1707b6c58fc76984ff383d8cdd0f39d128f916a3786ab13508925d48fc7b4a274807c6f43069f935bee6ff03c8dd13b89fed182c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
f229b5b4d620d241f533beaac0d874e3

SHA1
a1a7bca26a68bc093b2252831791b74ec3ee5191

SHA256
26cf817117f9040424508ac31d1f8a3a6fa5181405c3983dab9eab4363c8e3e4

SHA512
47016d1f9992c53d673faf6acbf2f4671c84a6c80b4cd492ea17028fc68f21de5fb8f4e28eadff91c23d3bdf8b61a9f2736b98d09325c2af17b7cda3c321d69d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
d0f587a51a6e178edee5296147538041

SHA1
4dd2b8f5b4d1a0a7e91c235dddd011b84d1cd1a5

SHA256
fa8f95f4116551069a2a509af1d96fc7b194a70712cbfee522a5a561f4710804

SHA512
ae27639e9ef56a25ba54b1cb6b541d1c8b6c856fa80a05b79060cb65268b375987633bef0b2385eabe4ebfccda93136acded5d9a4808a28e55543b7ed509bc7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
40148f68948967f9cad2574acfbd8670

SHA1
16c3af9e9d28f92cbb772d6a4240fd6859283327

SHA256
e05bd5e349cc0250013db464877b467f9beafb1fba93464341fceac0781e033e

SHA512
fb87aed3fb31551ef6c7ff50f393c7704c5465e9890364fa48586c0525e85d8caf081d9d8205c38e58354a20a6abd60899cf05c0f4c1b5e5903ddd398068feab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
b4eba5f8092205b578687f74bdded9f1

SHA1
1babd846e0aaba72e18cc93abdc4c92a06a69d6d

SHA256
cc1b275f6eefd630f926d760663444272037f3233a260fdb4e6094a01db2bc3d

SHA512
3c7dba452f0f7478800f6193d39d11ada2d775686a33b238fd757c1d9a9d4710a53e4e514770eb8afb0f0586e320669b2b64e69cda4c38278ff26283849481cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
181ed6662d5061291fc30d9034d81784

SHA1
3c77a37553161054e54d9c1d7adf3e0e7c7a580a

SHA256
529f5cbecbf3ffb3157d250e541095ed1cacfdc8f199af0356eea68e38fc7d12

SHA512
a6074d1b88c3b3842d40addbac3173d6201115d85162e3f3f67086ddff8b270de619b207c52a45ae2fec2636ebfd825857959a3d3da60871f52ecbc8b911b157

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
c668420b86e3576ee636186e777f6ab5

SHA1
9f5cbadcb1b120dae8e5ba2892e464aafe358f77

SHA256
187006fda05269d31a8e690253ebe089c533a046f09ecdef6b40fb9d09b72e91

SHA512
124d47a8fabcefcee7d79a7a35ac745c3d21c546f04f158cd44a7c8d219a719a5b41b2fef2f076cdc3005741e949dcc1baf5998b110d7df13c50ce3cc2b8cd09

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
29003573d20b9edd26485739220f2b6d

SHA1
ba87e7bda81562fb5d5043b47e5ac9a404997f4e

SHA256
c58c348c227e9641e2a0f661ee6cb35d9d1a82a8a5f6d191a83b80c90eaba07a

SHA512
ea60f4bc0c17c981e59f48536536bab58b7fa957f7719a49a1a3c1d761768bdb323cd0f7025577af47323708dc5a3d1e4e9ab62cdb978805e0645a9752f31cb1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b4f11ba9144b2a2357b823786984579d

SHA1
76bd7e32f6665b0e1e8e86cc36bbd0aa0adbf274

SHA256
4b8a8941e729ba276c5f2dac2bb50baad98614bf1a99bd87f8d29de9caf24586

SHA512
2ccf91ba855434dcab4995addc5ddac5bb66409c3f4e20a9610f417c3eed972adeec9a05d0262af77d675923679e32eb05bbab83e754e71ca3915a0527364f82

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f5d0435082ad0707237f8bafd7dc2b31

SHA1
3c351ecf0fb61beab05d4441c00e4095097c2f4a

SHA256
07880686c7c85b7f377b3490b5959f27e530b1167ba5f282c5ff5b41874c8b54

SHA512
1a36fad4779f492b02125bcb7bbe739accb0687b3825d3653940b0f905540625b77bda159bb7a5f90b6b6be3249604a3525d37d85551c61e80afec3e75732c8c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2556f8e0e8d298be47d1cead3014900b

SHA1
328d8485f622770c1a077270a56ab1906c5f8ab9

SHA256
57f63364ffd61983ee7ae4a9c724dd628706fdda309afd0b5293295e1689af10

SHA512
c15be2f5933d5c28a5eab8451e3ace8878f7166135b911c1a01c5a63c14958e7c39a60e207e1ea1a2eb0dc18023bedfce705bfd6ad99a2185c2a94ade5e54a66

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1f8a4ed0562e5601e3522d38143c0f98

SHA1
9b399e8ab65697ece5f9ed1835a221408fc2cef4

SHA256
0bd0c3dc1395f550b41f19d61f693a5c1c7e5cdd117aa73dad225bb0200f37a7

SHA512
5b12cd60839101ebabb0b1fb39daab784316a744ac655b104df6670f2fb7f29d2dff80776fc7d3427f75f8fab0ebb24d51130a032a4e39bf3f68524253b37696

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
48f6fa06428db1863c45ae83c8e889c1

SHA1
953843e73683fd1052ffffaf387b4d5d25aaa661

SHA256
672d2dfffb09b8350bd03a041beee1a118abf8d3a9b5fc56b9f31a40cd3b1ae3

SHA512
1a874a349e2cd8c9081527e6230d1f057b1c06ed252c21c208b37c99ef3c5840089803a50d3fb654fd59cd091c5469c2f534a334d84371b868bfaa021f7200c1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
04f51e8c1092c16f5e02508dcf6a2b8f

SHA1
ed1b90876040fd889936dbd67e74fcdf6d4bc40e

SHA256
2088393769cd6e9e0f49bcfcc9af4dc265829394bb60a5520c89a80df27d9d7c

SHA512
ea5dcaf9f9525387f1c79d670dc196f2eae360632ea830cebfff697473295f21713bacc8ad37ffb0890411a65eab68a059d99764f7db485cc391530ebfed9021

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c42ec54625893e5fedd6c92d4618fc3f

SHA1
c945226a641923eacc148d128f0a77b6ff7e1d6f

SHA256
4dc259ff2bb71b375a20eee92100dad9ca15eda41aab9700086ae3f99e354d6e

SHA512
272c10121b8489953f8581bf2a31ee4b8c203a167b12d58c7593e07544266a648616c3cb781695cd473093dd9cb7dcf0d40e80c326bb10386601a75a03c2d2c4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c12c24249a5f03a83c37e3550140b2d3

SHA1
7356762852bad9df085ee77a601ea3827d8c73d4

SHA256
07e36746ede35a1ac13c04aa802f0e16253a0500fd1352fe84f888892d66d86a

SHA512
26fc450d02eeec2b73d9dd7ce27386f7c9feb3643ea4ddb65249c3dc8da50439f9a6f99733b6651186053b2c6f2b952b24901b89d29592eb08a67bd3fe82efd8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f91e692bd09ad3af8e81651ca8877893

SHA1
5ca0304fc69fc18579f9ceb7f39fd6d329b435cc

SHA256
a3f67d901387a88228de54c376b9fd41e381af81ab3bec32345c10c707a984e2

SHA512
9896e47acb9ce5a19889cdf1c43276e1f22c3732881fed15de40374732a20d3c9f5819c1b9c8182af1d0eb6ee7a304a9af43a72d704053b1a56968f8c253f907

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d2bf81e042f7107b9f6fd023fc0bb7c9

SHA1
373be1da7e3b35643cc56638a6d0545d0e682d1b

SHA256
2257d82dfab04f215bbd7610806af37c5756e346f1c94a5e0273bdeff9cbee95

SHA512
aebef24658a2dd4c22a03676bd19d904d28bb0091bf64dd567fb6aad2059e110fe032c4eadc2a05c97f944b3d4a8b955cb6c25a3b0f247fda8c37f18cc115c7e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
03ca989aca0f3f359efbbc60ac00cb23

SHA1
6c586bf6de6f0661dbaf6c3a69d47c1730d9803a

SHA256
59379e1dd11aac738ec83df868715ee35482fd86cc7e4af32664b3b8e5002eb1

SHA512
0c267090d7e1341c1b843d1e25692d411e2567c60601672379f05f61bcc3e71424e2c81f189c9f1d271fa22bff1c618c82c6d81317a424be6bd51a60566ddd14

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d59038327d8ccd7cb53f96b7f66d9b98

SHA1
e18900e22f364759953ff21af725e09d543646ca

SHA256
681cc57bde4ae3ebf9f1b5ccc4d1ec2631b910e4367e53568a7cbd7468dc8220

SHA512
c0ec272695ffd823db78500f4bf4006beacedbd8ae5dfe42475076a3479d5201aa7454c5c0e3ba45a01090881842d636f68273672a0e6e18b9f89bab2f05951d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a96df4ce441eb010f5f77f0bf70e4f06

SHA1
1c2e083ed840df6e190b034a295f3640d3146d01

SHA256
ef56a6c6816b9b11e783a74dce72f50448c5bb26e70f678f4cee72ce3ecfb42a

SHA512
c9bc18404accc9439d026f9a2105f2cf844a5607f5c5a05b3b536d5c8bef348f5500af7b84311c466df310bea3053a1474a1ce9718f11b703fe8889bd280dd3c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
41396e8110ae40c26aef63fd53a5133c

SHA1
4bf8c3a7df3876d7d58738ddac0a2602c420f64c

SHA256
e25443a31104bb52bb90678e17cf6920dfca48a668082ab608eab2f257861268

SHA512
a4f7e1f209a3b30537348af2fd0e08b59f3bbc1f38f86a5607995d67cd6840f30fe38f0b1f105f9d204e7fc2f5523f1ae24b3826a74d0bac307b66b0fa57bd4c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a41c7c5021b0b98ca7d7ff927fd02081

SHA1
379a7622c8cbda10aba0446b0a7fa0b09f26a2b5

SHA256
34d040e1c50de3604763c79bd3caf326335bff6ca86f989c298ec29c38c7ae59

SHA512
241425f588440b89ae64eec1be87cbd1021eb1e2749500d9388e34fddf06d35d34ea54a875a414c545b1a016d493eb159f0f36a34c9ab33b59ba3ec450e84af0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9b3a7d27bbdce06ca3a9ab1380afb81f

SHA1
2612db2f8c2aeddcfa08bdec305f95aaf590a692

SHA256
8a9f23ebbf0b48dcc07bdc8c1e3afbe12f2c531f789911465f4bd4ee6295d501

SHA512
abc030511d5f61157c80506d9fc6b807cb0c6f0f08b911ac76a317420a67ea31714035f494996571a611f856820df5a550fa9ccff2795d971ce6219ed68e8225

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ae8ec35cd7534cd5cf9c14716ea9bd7c

SHA1
eac6b4238a63f257b70716065afbe96f0a3732e1

SHA256
c0952ef216f4942ca95a113134c80df92637629ca5214b1dcc30c203abae0e0e

SHA512
325f363c2b1de464e8a79ac3810fec3ac96d9ccdb18a8b52847d5914471aa2f42cfa9c9bab13d97992aef95387b3038bc35a26c16469bd4744cdd3506fe11b74

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
711652d659b5986853f8c453ec51c9f5

SHA1
0a51d7ba0f846238b500a236fb15f24510335af7

SHA256
6c8c7e2b338169f536422c159da83df1b7e3edbc798e24d2880df5881a544b3d

SHA512
9375e47e518535e4f345e01dc11c23735c964d3427846c6d9cb24731b0cde8f40922023c6acd9c1e29073d9cc61e1bd51b244ceaa9ad38f4cbdf6a11084441c7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
121090867a83799dc5ba061198daa9a9

SHA1
db6c0716bb9a37c0a14c14cd09cecf515248baf8

SHA256
bfcbad13c251aff2c255addf5ae6973d60e48d273b7e6b2531323a73aa981fe1

SHA512
3b19691f277e53e0b09255dd9c97fea2c4adfc76daefa6bc3c00c1299cac073cfb14fd00685597e355a362d5a1b70bd5e5c579a4ae8edf8d260fbd4466717f48

Download Submit
memory/1612-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1612-405-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1628-236-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1628-37-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1628-31-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1628-30-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1676-633-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1676-356-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1928-299-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1928-417-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2068-628-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2068-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2364-640-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2364-431-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2420-21-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2420-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2420-232-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2420-12-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2760-638-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2760-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3104-381-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3104-270-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3168-60-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3168-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3168-54-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3168-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3168-65-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3200-244-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3200-252-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3200-250-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3400-0-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3400-27-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3400-24-0x00000000014F0000-0x0000000001550000-memory.dmp

Filesize
384KB

Download
memory/3400-7-0x00000000014F0000-0x0000000001550000-memory.dmp

Filesize
384KB

Download
memory/3400-1-0x00000000014F0000-0x0000000001550000-memory.dmp

Filesize
384KB

Download
memory/3828-639-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3828-418-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3868-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3868-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3900-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3900-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3900-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3900-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4224-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4224-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4364-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4364-636-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4488-393-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4488-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4492-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4492-256-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4492-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4548-631-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4548-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4548-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4616-531-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4616-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4748-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4748-69-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4748-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4748-75-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4840-632-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4840-345-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download