ac0d23c19ecf436ef17e9cfb86f3aede51cfa18803a2bae370708517ae6f1c1d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87b4aef07d64f07687f6fb3ad3674b80_NEAS.exe
Size

654KB
MD5

87b4aef07d64f07687f6fb3ad3674b80
SHA1

ae76b31b98bcebbb434024e8686a710c145d101c
SHA256

ac0d23c19ecf436ef17e9cfb86f3aede51cfa18803a2bae370708517ae6f1c1d
SHA512

3fa63fe446fb6e7eaa09f35f312457da746221231c8039b2093124ba65233da08b8bebbdf5459b6f39eaea9ec58ae264d45af678565ec124a21ad09756f09595
SSDEEP

12288:wZtYnYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:0tYyc+pFB5z+//ufNRoZW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3488	alg.exe
712	elevation_service.exe
4476	elevation_service.exe
3624	maintenanceservice.exe
4696	OSE.EXE
1836	DiagnosticsHub.StandardCollector.Service.exe
3620	fxssvc.exe
1832	msdtc.exe
1656	PerceptionSimulationService.exe
1404	perfhost.exe
2860	locator.exe
2040	SensorDataService.exe
628	snmptrap.exe
2200	spectrum.exe
2604	ssh-agent.exe
2256	TieringEngineService.exe
3876	AgentService.exe
4848	vds.exe
2276	vssvc.exe
2080	wbengine.exe
636	WmiApSrv.exe
3932	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	87b4aef07d64f07687f6fb3ad3674b80_NEAS.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\789bde7385ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b0220184ba0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa71b1184ba0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad6422184ba0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073ae8d184ba0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d0a2b194ba0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb0301184ba0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091b411184ba0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b67916184ba0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099f8f8184ba0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c77654184ba0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe
712	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4868	87b4aef07d64f07687f6fb3ad3674b80_NEAS.exe
Token: SeDebugPrivilege	3488	alg.exe
Token: SeDebugPrivilege	3488	alg.exe
Token: SeDebugPrivilege	3488	alg.exe
Token: SeTakeOwnershipPrivilege	712	elevation_service.exe
Token: SeAuditPrivilege	3620	fxssvc.exe
Token: SeRestorePrivilege	2256	TieringEngineService.exe
Token: SeManageVolumePrivilege	2256	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3876	AgentService.exe
Token: SeBackupPrivilege	2276	vssvc.exe
Token: SeRestorePrivilege	2276	vssvc.exe
Token: SeAuditPrivilege	2276	vssvc.exe
Token: SeBackupPrivilege	2080	wbengine.exe
Token: SeRestorePrivilege	2080	wbengine.exe
Token: SeSecurityPrivilege	2080	wbengine.exe
Token: 33	3932	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3932	SearchIndexer.exe
Token: SeDebugPrivilege	712	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3860	3932	SearchIndexer.exe	130
PID 3932 wrote to memory of 3860	3932	SearchIndexer.exe	130
PID 3932 wrote to memory of 2328	3932	SearchIndexer.exe	131
PID 3932 wrote to memory of 2328	3932	SearchIndexer.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\87b4aef07d64f07687f6fb3ad3674b80_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\87b4aef07d64f07687f6fb3ad3674b80_NEAS.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3624

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1832

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2040

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3860
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
96bbd3523e25bd44dfb1d99e1fa0e150

SHA1
197ae23106700a4a89ecff7581b72704f9b3f742

SHA256
ba00895fd8d11716d7b50e2bfd73c53a76038a26b6d366d2203b4e30385786ad

SHA512
56ec1d870314821f06186e6f7a0204bad51156bc212c1bbdc76519e1a081abc5a02c62f095b3d63ce979f038d5fce02d1f1ed848e7ca37c37f5178409e982f4b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
96d613c0eaa64e0e52c5ae3339295619

SHA1
aa3cd4c8002a778908a61986c7d0173f760b277c

SHA256
ad01f3cb652e6534c28dc339d367c20cfc6d6df4abb389500131e4e8ca81046c

SHA512
27c85bdc1f0ef8b50e04b5ad977260c1809b42b632789327515c3feee5e3cfb8a09eec2e611036330b90f02e4a3dd2762fbef35e79e836c783140c9d81c7cc09

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
78780134ae96348ff8a38fe915506718

SHA1
2ed3885d2c8d16052525f6f3d6cec329c5693a07

SHA256
fb7a1eee3c25013cfd233eab3baafb08a6e265a57301bd5dbeb618f29a8aa9e8

SHA512
95b4c490703f135ae52f2a2c7db5c4b8150f5b7c4a472b077540159ef40b517a6015486c393f8af77540cc9dfa2f417c3fa0814f6b48654a88dee335196f096b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cd405a0b4ea15cd1193ef4aa51c6ca06

SHA1
277c3988ac24ec57510a5b3661eb949e2d60a465

SHA256
d7da896089889d31258ac34b02ffdc6428c18e8641faa79a38230671bad16c26

SHA512
c982503e224e21cbc15f3f89cabcf358eaf963b3849d6a507cd7c93326e51a1c5dec600576d3357733a8f41df33eb65a022b674df1b629a30d3a3b0f49b2d267

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c556e8c930c9a01a42ba884ca0652b60

SHA1
130b87b2d9f210069804a3076784f837de09c0c7

SHA256
a48b28b53333943fcf505aedda02486c513885046dcdf2df37a2061d335c883f

SHA512
2cff342c09e2896f2d72c2c5c53752c29d468ba42ce74fc7f2983f80d8d9ae5b8e59e2242d8c9024f9c83c0c3c1e924513876e5ce689f2e53b12560920cb70c7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
aa4695629d9dda8db825b4def9250831

SHA1
d175f76dc20ae9407a6525e05d8167f077c9daa9

SHA256
12d14dcc5be01890aed7d65594602183ea33a4fb740b88b9a51301c76bf132df

SHA512
7e681ede53e5d3dcfc381eafc3722d150247caa6d66a829971ee9f5bbabdd78d74ae762f2d68a9f64d4ef0721a1bfea9ef16b2766200857889190ab08e601b37

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
22147d3834fd3a95d447beb7b61cba0c

SHA1
f3f774854efac47d11029842f6b518a8ccbe8ac4

SHA256
d4f3597cdf7040da5d5352a3c9fd0a53b8b45fe96f8d4238e7b4ff80adef46f8

SHA512
3c0affed5b935484a5d68181a349d289fe3a5e5fca24fa74a94450307386e7d03c57cef8c0894ea184c4df8f7ca85345265c089bc0e3d0cbc9ea94ca76ab0c29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
543b2087ba94a58769458efdec671fb0

SHA1
6daffd8ef336c2968f4ec9c742a5293e5653f6c7

SHA256
755a3642398e72d2f2277329bb81fc43db152583001f3fee8470574d57131f42

SHA512
21936399f06c2ef53a9cb43ebf8128fd8d67db9cabcd8114c115fcacbcca27f06ae44dfaa269d782bf0052c84eb6b5f0f6a5df099bb8d9181214fc5515997e0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
13501c0b1df1ae0acd72946bfd35e7e3

SHA1
2b09a00ef1857e9f870d1d3d1d07c4ad83f6cab1

SHA256
8b86b19523af110a5e6831d44c1a472cf5fcfe63d9ee0a0f90774738a6394c88

SHA512
bf89a35a946bdd389d4482473eb4c4b0f749b13951cb87797859f54705500d4f283f1cfda9d3ac662895bace87611b79db2c2a8cfa99476935dce33d34cfea82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5e28144777f86ccb2d3e06634f1aabeb

SHA1
4a3cb4146cf62693614a792451705957434485e7

SHA256
7318d9ee8d9ec0dcca0671a022ed2684b51be68607e0dd149b4938f158a79054

SHA512
15d6140d57588f8f655a79a4f916809b213b713ecd41c62ea83720688ce766225e6c02d156d24883784c9169f2327f8298441e7282fce2b0c2a09f7f3a6da409

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
38b0a4f0dd742af11b53afe5546f8ce4

SHA1
4a60f88a5b18dbaa17c9ff11699b02e2b6d019c7

SHA256
7e79996645c30fe655a744f4f2b7c608c1b79399f0e76e397cacd3fc9b08751b

SHA512
3da19ce5e141592ce288da9efa10dd7fa69758d0ebfe6f5b48d899c1f001167c5a67a99c18989e4452aeefaaf1eb540366da36646f6aae55e70d9ad699a7171c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
00b669d9865a00962588b300dc5098db

SHA1
09cf642a1b804d4ff49ef05096724ac83c2d5c19

SHA256
5dd04f692b81f5d7c25d69e8da9a0158a0babcedeb6d3e6168ced97996708bf1

SHA512
a6f0a2f24478f1d359d2318c5044358d18b06d88c1dd7d79a07864fb0aba4b7b643e7fe44f5fdac5105f71b165036355177df7a02e79ab6e31caa4bae67b0fcd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c70930cb3045e58c0f1dabb410e9ff3a

SHA1
740380f0ddf6254f7f98f75db8ef75676d23115d

SHA256
936f340ba3078a9354cf928d989b4e3324066d1ae75873471c59b3ac73189ccb

SHA512
c7a3d03966b785830c0ea0422ce025707808e5fd684ceaf952d52462b6573f8c3be012bc1cd5926183947bf8ee9d07bdb6cfd6caff0e0e4589918a94c81da465

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a671799fec68c9b7245fae126683d349

SHA1
4b3f90da9e6cd3dbd853d5c630175617c6c9a8ab

SHA256
5678d0c578392a9f9f7ce09717a0805f1ebdf66ce598e2fba376afd75d52ec73

SHA512
611f071e1152d7f298b203acf4c6c514f5dc44ad09701fd91e5c5e6a84ec6d7ed4b4ba3f3c0560693878a4b9635bba470bb740472446491d8093de4723061fe3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2aee55ca8c3783b594e9152750444d86

SHA1
eba25be6d2702e9ffc2a2510ee1286870719af6b

SHA256
f22c2d350f7d95e6ac3038920d0d58834783337354658cd8529708a45374bd46

SHA512
9fc80911373494bc267263525cce5cfb3ce0e1b33fc3740ad7ddab52c6ecad0b815c1c9f37a5165ddc7854f2b6a49b34c09d1ca64476d5ca088cd3002401e382

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
3515cf1f7db7f8f5674b0a00ed8ae924

SHA1
734e2c1793f2215ebd6dd70f0c518292247f8d3a

SHA256
58590cdd48258ff508c0d15a38ddd1b1208feb093ab11f9d9267f1d858bc93bd

SHA512
eac2c533dc833b368030ede53a95f3c5be477dda8b091116b96eb0a693536577e02c04ddbf5da09bca3c6296e11accd280f6ae15c2c53270c827197911a3b2e7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
547bb7e4eaff95cbc34bb6ddbc20b98a

SHA1
8c9f7aa0fbaab37df56493dfe2fc192e8b9e759a

SHA256
8a89943ff1e5adc94dbe97fd5c3c3085659b2a14be9a1e3290e4927ba8136a87

SHA512
9db4de8cd44e41a67c475cc06645a8bc9a581ca2e5d5b3d008cf5d37d1d00e883afddbbd4d779e12872f043bc2169eece97b09be86e7085253577eb3ea8399bf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
4a3794ed9558913205be36047808658d

SHA1
2eebde22f066e9ea21c8db79ab208a4453d89571

SHA256
99bdfbfa7f1728d41211bbcb0412884d44c42307287a809989e78a1def23b17e

SHA512
74a810736d5c3997a16f232a1fff804acbef795b6b8f90290e20f168b0f2bb4e5050b8dc0f4b04e432158701a7d0189b44edc8bfe87b395f4be22fa6e87e0d7c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
f8795b0d654c5aa2205bc28770f26d8b

SHA1
a281ead31207000cb6d093610ea4c85cc9d0963e

SHA256
64435d7f971a362e437b54df34665ccf3fe48804951de736a8d1c29dbccabecb

SHA512
76f62afb8e175dcb0dddea1a8613378f74b14edd0624d51715ef6fc20a44ceb77bd114206511761ccf3a36f12202429c99722be036a4795148ffb3b67383b826

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
5afd7ab2a908e4350c7d323374734a14

SHA1
e47a983075411a99352d91aa284d0674fe65b9c8

SHA256
1487afca4310c8bd9d3b34bd5f344bee7bbb539382387daa7f760111e99dfae2

SHA512
9a799467d8352f70c82371ea6d86c93895fd33b476301525788fc63a00c0f9a65e3501080c6e2d0348f7187b3c414891c5b99b980480423e47eadcefa1951fc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d4f1655ce5dc5dfacf43e8fbda6104cc

SHA1
8638fe5e82f7e2d9adb523c719d30c6e4e34be90

SHA256
1d75182df5eaa5c2f491071c4d5d0fdc1f05fe3438798438d6f760a7c7088f26

SHA512
44a962c9d5703f33731563202fdebe75b941378a9c208332d26107e1c3312158a060fe95b50e61c12b0bec42b52bff96481548498da12f77364062f1d3744d06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
7d21458641ebd5d7df3eb77be6a5c397

SHA1
b26dd93ad444bb3f456c760023d8c4e6f70eef8c

SHA256
ae24280cbe4f394a824abe86315b33275749a7d897d6549278db80d3b1dc8798

SHA512
cf6c66fcffc87871cb5c1b76962aad4a7c63d92055b0b62d8862fb2a9955589a0350f43a45c499e49e62808ed39cff8dcb931cf562ba9bbf45a2f8514992e3aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
658ba1e9abce54a09ff7025cbed3f338

SHA1
57e8cc6bf13e6b7b1200a6ccd323184d30ad686b

SHA256
828c4689e56a44ad9ac934810c2146b6e7dd34ddd60d8c415d20762bca843a7c

SHA512
b2999b89fa31efc0c1a6671a27125d0236bfac63c2d68d6c4400c22de38ace2d010c236481b620f73fceaadc17b88e22c34785e2f87de420cba61e309ae515f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3dca4a896390d89963a3fc43445c8639

SHA1
f9eee4bedb8f4de1eafe37fee29538119408393a

SHA256
72a7d59f145ff94736728ebdd197d416523a08d40beea3295ee50ff70200d582

SHA512
ce83f898da7599dc37093e8c710bd1723adf062719fd8c138ce9110da6ad675ce3f6837768d95eee21be27ebc2787c76c86e6c38f205a631a98bf362ac5fda8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
937c25f178c5e9bea6bfc3f6538a6ac4

SHA1
331e9bb75aef6630eeed64532a9584df4c6a3b84

SHA256
f31afc03fd6d4c65ae191791135de69272f02940a82bde880ad4db431ec6af8f

SHA512
9e7f9253ac77171a634fbf37f61f37d1e7eecc5bcf835ea7a937f49a5153a5ed80f01c35833411d54790e52e170c8fd4ed24593b42e9dcde3548f4aeffa31af0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
06f5343d1fcb98c94293022f5b3b8d6f

SHA1
b575a2b11ab3eac1be1310cd9dbba28b782cae75

SHA256
83a02f8310bd448dc3df0a5a7709925377b8ed4b864757483c1efc48eecf9c84

SHA512
25082132a9147c9ef70db51f1dfd6e47ebeb1caff53def558df4b8aea0c9f2a2e0b9aaaad2be53cabafb329aaa77a420ca114fc93bde31097b589029462fcc64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e14526157c50e9a0958174393866ada8

SHA1
ae512f1fff70315f32f05537a782506fa1a5fdc0

SHA256
f6f06edcbfdbf2dd5e8bcc7250493f0858e0834f014194eab15b3381794431b9

SHA512
2943e9551bc8e46495df2eb31c036ce54bdc932aee4e41b0a6c3c9538a1a9dceb4c1af4923c466bba8d516c2e4cd2c23662c3900635a3a8d0ee06c7f39798b57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
75e344c309d915f19c8c098c4ff73738

SHA1
0f6204ec8a8000196adb21f4b860e3a209110a23

SHA256
5925e4c12cf046184e57884010424fe1655245e36c603ea7c0077b2d89e791ea

SHA512
6d297f8ed79528571914d15f3aa2b577bc337056b1c990517859e805edbcd2096eaab7d4dae5a42f3c165de8cc39d0dfa3f55ca52a314cea4c36cdf2ab924b5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ed1113be2c4da02f9e7c20c821e0fde8

SHA1
d2c167d99ce6d7c7b3b77a888806085cbe94645a

SHA256
bbeb72e1436e3de5ae1ee9f837ecc715ef6df043a7b112af3c09d506e96d923f

SHA512
ec95cdafd034af7f4d3b52612a4bd3371c688397de2636141b95cf3a073f008d9fc8a0cfcbd4ca771c459c39c45e1ed1f4d04f6674beed1c1a402d51d1984ae0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b1a0721db9062a1562bcc70b84281352

SHA1
13d6b8ed918843509005bb21c1f1e0153e878ea1

SHA256
0dc194c2562013c017a8b6cfd2168d8617d85c3108c052e2fbb3d89cbc1c1cd3

SHA512
426e8cb6d5f91abf1b075ca7fb7af0cd80eadced494978c07b9f8965b734768fa91daaba69b5602d1c82b112255fc897e410c147fad77597b702751a88889ec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6c0f17fe5b65beb1657d849fa5491b36

SHA1
7adff51900f76be9857648442d04a0bbe8655d30

SHA256
db8d40a00d81c869b1e30478388b5c7af026bface1b4eb447d8ac9003d2eec48

SHA512
b0334931dc59d28cf1cb8989d75fe4e3f1ac535edf0d37548b30c663c732028d4a385b0f0d4e51ad98f64463aaacb081c5d7365bc274df482d867770c7b1718e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
465d8b46c5f517fa9076281786548621

SHA1
69285517689a0a48f8b19666b35ea556d5016057

SHA256
0523cba7ee886ecc2d324acde69254d57fe7aef4e8c8e381747695d658454908

SHA512
edfca12d74a38826842968f4432132ff69a8b014ea15ccd39ce0c75d24d894c5d28d2d962a8ea74d5e5e012583bb05c406827620b208659b29a53e64aaccb037

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
d39bd80ffdfb692c49d56a2add1107bb

SHA1
aa9f2ccaf1b7307553acf96d0c6c32170bd9d4a7

SHA256
79c60ac8f59a747a9e28e19a642c67325ab0e41a40067278a69d60bcbc96c046

SHA512
16c4f521072532b7a41b94a6fb62d7cafd88af3a7bdaac2b1f17a3a9c84f5ffa49dc46c85e474449d981fe4f5feeb1cd53596b995b438906f649c5a211b23d1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
dc143bf93533fa77ebb9ffd91d6927b7

SHA1
c62ef9bcb12eb46a259d0922b07eb9776bd33e1c

SHA256
6d0f3232b899de69f3637b6e0b618fcb623f23c135d341370689743047b34b8c

SHA512
086c73ef570afcb7a832de70da8fe2dc0ff54216c6569578ccabba116a40bbbde1b94150c14c3885fe9a8c87da8f710c3bb2835925c321eeb0fa33dfbb65c1e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a112165af7605ec39b916ad8fad18ada

SHA1
615a41987035f7fa5666293fbe361593ef440d93

SHA256
b57180b75d8c04e57569573f1a50d6304f425c647844fa7b26c6c77d5864e5a1

SHA512
372b87f8dc01abfbfdc2d3023d961fd1a49499755b21092e17075fb3318a71c25fb57c2221b4a72c2fa099ab1da8c9e0565b0012d5448a3e9f52cbf7a4348d5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d0bf413eca5abb042486887e097b5dc3

SHA1
f1673045a382b62e53c665da5233dedcfb122362

SHA256
af5d16b5f8eaa0a78249b59bd6a9ad9e9663a588b588d9013c4dfefe5ba85afe

SHA512
475d0ae5680157bafed12b7d47e21b56e2fca6b47d402839f375d9333e3b9d69fba8e2a617c00692069339b806c99c71f1a22b3be5bebe0757f0355663b37034

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b92292a09a4b15e80051d4f030247320

SHA1
706fab40ffff399406a484a6d7cb6684064b2145

SHA256
6375a1d8406825b13115684d770fa69b0e070ccd68cae7790f779eb3beb8b5a5

SHA512
532958642172c28ee14fc2c7e25018b29f23b7dbebe77ca1ae032d643b6bed3b49ab65463a6650802612ec1d434bc398c1b62239d0cc6420a34c7efd9a1c264a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
33af4a8128e235fdb1dcc3c0820cf920

SHA1
d8e5906357725c4ef1178007eb9806bbb75e64a7

SHA256
551c81231e774702ce87b78e2946c6b49d29c4cf934f82b381cd0d0b26949ed3

SHA512
9755b5bad98382fb76fd5d41e475dc151de513eb3648b9153bb70abc75f986b99dc8836430ef413d3ba10c6f005a4c5aa689062e0f376ffbefd0ae9c8e426483

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
dcaf50989d6e6d72387c945035a7c399

SHA1
ebd4b231ebd7f01519bd2f4eed924298fb81acf1

SHA256
08a95a80faaad7d41400d2b01acbb5c886782bf53d3b66a194185b4b9abbfa05

SHA512
cf1c4345321f5ed0144171b688ec7574cacd2a05828b68221c6e9c9669c4304d1c82c9a59af8ac1c2365f36ebd88a09e1ea5710ce3afd64a6aa7856d65ff7064

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
20dbf9d2397024f2ec2062b39366cd50

SHA1
e7542921c748968b999a029c39d7affa457ccbf9

SHA256
553b197fbd9234432b2d33d00f25e30c9c833fd5d8a24e0bb5dfecab3c7b9cc1

SHA512
e05ec39881dc628f7f3cd0daf0ee50150c9eb5e649d22c79764b7102a0621ac83631b2df6516a414b65f9d17c68268c3312a49a8035d714a5422e572da1de8a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
3647c21d33421586a5719d95b348c231

SHA1
b5808b69483a9b98cf166b0074b1f3c3c9629aaa

SHA256
e069dbc828923c6e597c7a52cac22d2129ff47e9f1e99c1d07eb34fa38c43765

SHA512
7c3c95b0f73dc67a2571c43e5a44ab9090a8adadf7427eb64888567c1191a0429fe8d69ab4c53cc0b4b0da43185e74cdf0144fbc7210ee17318fdeaa971f63c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
d0b3b9f5d8ff514b837adef8a5e2d888

SHA1
7b0a65e1fb8fa229e879e3839ec3701e979813cc

SHA256
f007240d4572fb74c72bd782229982509d0d3c1581c2afd4de2fca2f5a62b28e

SHA512
f3d57a7a88b1a15a754240eeeec40e3a2a2cb33ff30f00724fccd02097fd2e6765d6130108d5ae8d1635ae063818a7ae6ad031d81135f42d3b0751e287ecd480

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
8b53168250c205fca8048868bc6a38b0

SHA1
d6f8cddb8de8a760e435d2e9b7db6c4d9cf7c155

SHA256
090821056dcfb9df39aa25a2c7d3e104bf0fbc78d5f8295d6c5561416b208ed0

SHA512
12f6e06fa816daea1bef35ff6029223f12c1ee43f4576438d3ffe367e391e1afa2edb9b6179627b8e7dc6eb3972a58b7a40d8aae97f252ac68d92874ad8ec51c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
cb094f960d31c11bf3c38c68d2360373

SHA1
920a11629fb602a32b759f9f00b8f9f1efcdea3a

SHA256
30039577e74d8c78934c54888a7af0286b02d1957b5fa376c2bdc59034a891a4

SHA512
f3ec701fd16e417c73ad030d6b8f05c941cfbca94dc90d0721390774a5898164dd4bf6094d42b17473419044a91f3a7482c8dfdfa84fc6a3a08fa8c32c08a736

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
62d2a9a7285b407a39211f9ce30a33ba

SHA1
2ff02377497b62bee1c3c2513e5ba4eb3d8b96d2

SHA256
86a3c10b5342400d2ebe3420df931250eca974051ba3e91414180ea7e3970cc7

SHA512
5f27b8793432d4b098dce0ee1af62a8264f6ae7d9bf81ab072201de70da933440accb04c6c69ad74eee481937788d51c98ba4212ebec594b6ddbb455476f4d26

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dc7dfa78a0ac365ffe67aba76bdd942e

SHA1
21e438434a9d3ba6691b48747a832735ed4556d0

SHA256
90621c114c358ae919a4292499c1aca1ef8d3c0cc4dc58ad5d533367ef952eba

SHA512
0565df34656a50a2d5962a1ae9104051224785096921986319682c0aa202e678da9206595cf1a22d088a75c1edc5fc8912043c243b93c29ec389a1e1f287abb9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5c58bb88fcba6691cb17266bce361a2b

SHA1
78b741e587ea33986841f25c77110dd2ecacb29e

SHA256
679cb33a85818844a03a59975339625a80b6a2878da3cbfc1e1635aa0e90f6c8

SHA512
19ed13c21ae105829a3c7a408cee4f4caf02c297074f3f549ba7f23c36e7a3854fc703ba3a2c677de16a505eb177d228b8f5bb990d4dead0b9f1140cde88d691

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ac527a3623d72c1de4b29567d2832777

SHA1
b8ef0e896b3482d515882160b78139dd47f78380

SHA256
8ff1b2ae173afc8d0d4cfdc21ab5a487e619950dd33b6e8115da67c945e02b6f

SHA512
14324989692c719be5e94cfece72ccc386abb67ad055789a74d75d49d89b4f90e407fda47f8f9d1c40ab42c8d448fdb7f562985587dd8f08e59f363c625454f8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f427f9addd037648b8faf457671f2cc4

SHA1
c5073492d5327463d7f5216f2d82a7516b112420

SHA256
fde7fe105e17d0955bdb8b74ae48f59d63a413708fca34e2dd67aa613289787a

SHA512
f9a6a73a2a511850d2e505b615708a51b114fcd18120d67f9c4a6be627fb70dd019df4da485ed91b43fa438d374809e1b218e26cc89b96a2adc49417db8e2754

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fb18294b193e0dddccdfbe61bdacd589

SHA1
9ab66db6d8551d417c6905ff317348edfb55c695

SHA256
3c49c53da8e4816293010ce6e0373e296fdcc7a9d31692668c49460f76953c23

SHA512
e90ef283480313dd4daae797f66fe3d51e5c2465b9b67dafd3c3d7adc1eef8e7076878a5454a10c1ea10cd9338df33a3462003a671e23c1f0ced396d34819a09

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6fd31204c113813c8ab0ef8e0bd05de4

SHA1
8201b8cb7fa512f48b1cd1e378e35ebc5be30d15

SHA256
deaf7b06a94653b5a15a0694e729fefd77409b02f91db68263dd51ea74a26c26

SHA512
15d3dabe2f3e12294bbc018309cf5b4ab07b69dc90dbc0fe07e91fba71ee0be58d9bca89f621d84234d282239f06dcf932bcc698bd745e03f19dc6a81189de4b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1caaf847b9517ac181fbefde5437b959

SHA1
5f6f561d2fbaddc45999f1440ccb8d193aecc80a

SHA256
c0c646f50d9864c48be34ea0ba97c3bcb5c59cd680f36e9f66cc47515780de10

SHA512
11c3b73c228a59e9fb9fe9835a1aba551d93d6f713fd6701dece9693f7df23498426c4292977ad9d78db813bc7ef93b7f33566fbdb0c8b16e12b2590cb78e471

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
57d3b46f9f941d434465c024b448b0c9

SHA1
a10cb9879ed7562994e0cb26c484ef9d142f4bf2

SHA256
5384b806c0f9ac85e9a0a32889030733e62b95617a37d36a885401728af40455

SHA512
3b197c856d09dba701e722ef08760117e6457cf924a162def2c2edc62a9e0b6f2f768298a59f003ba81040dcfea14de0a2f3b80a230783b143f48219753d495c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
da6acd9378c6765f911756ca5e6f7262

SHA1
67dc84268a04390632d660c8719fc427c605b4ac

SHA256
655b7e4a59e4088f551a64ceb4f8036317cef562a418f2e5ee4f5c9f55d8cb80

SHA512
a159f42fb4b1f8d3b3368e08687a2fd84547d9179bdde7d520c3508e509152707a76041fe7b425553bc0913e787967c33ac0df0540f3e42551542e60c54436e7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
846a8944cba2ff1eba1452484177f5e2

SHA1
1efecc138626511691477bcedcfb8cc1696a9ffe

SHA256
67443d265493596bf8218432c66b4cb0f242079367fd1fbff19e87b3f78ab57b

SHA512
626549df9a0bfa3baaea021b80709cc0b98c8af0fcaf544c5343b400357f3fca879791c6e3b89ec8193e69ac6fb411542cbc113dedc5ef49f4b84cc9569a3c74

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
832355252a39248394ff88d08b709821

SHA1
951ca5099fcf419ae4e13d64c6c69d5cf6006289

SHA256
556999654fb5d87e9976d23dd4f1cc1a83a70c4f0ca611d0377862cbd79bc91b

SHA512
fef31f19f285aff406b43d7bb002dc35a531b58dab060131d98d2fd692292f79f95c901079087b3e326cbe6288da7ed38830196583a4601925a727d85377140d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
37ea1c9c646604153c96734cdc4c3419

SHA1
60861e22fdf6d228590cee5cd3440059c35c2612

SHA256
227a074030e0c28d9bf719b1b20ce2c60b44a0ecaa7379c594a232dba968ca59

SHA512
c0fd1cc2c5bb26c2298e4abee48b214eb5eb2324f3287dd5aa315929b52bb0fbe9bfa1d28199c5111d3b4e3f3592131700329029f1efaa5e9010e347509ea8f0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
03fc3cb543171272ee8d77e50e790c0c

SHA1
4dd36b8a692c67a96512c12b0e832417cde93138

SHA256
f136e5ccc2a1ebbfa9f891e7b745e3a80224e787eea0614d9eacefc5f6c266af

SHA512
87a6bb5ed19f4a1b31e25fbb6c226633c1027018e54491f27ef1a9d9b4d7fff5ece9a8aacd7863263f8622e9a1215f93cca38e83425e3fb64d622b8bff76fa99

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d7b9396d7a4e3d2922d124572e494d9e

SHA1
36da55ae4bd64e46edbcc0c38635e2d31e04f883

SHA256
80ea64a100a820b960bf4ca7ea764345c9a177f1b7539bcbe80a003c73bc5ce7

SHA512
a1bb41013a8f9db37ce2a63b5c1531b6c651877255c9bedf7f3ca77748ee35a64dd2889e18d813a4f62c8a23f04298682e4e69902e4e2b377e931c0a8e6f3089

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
92cf31aaa0e227470d6b9aa4bff6014a

SHA1
c07691823e0a080e36c0977d8b1bd723e54f676e

SHA256
502439a5bf73bad333c0f61136cf9eec95a1630d8f2a54242a58e15d0e1692bd

SHA512
0c36d14becfd198d992c79d6f207bb0b0ebc524524438513ae2be2ad2f1f51f6d994f172300e122360fab324948ad987226ffe273bdd2e736d0648762be082f7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9dbc579b9e74c9b7079e03e528fcef89

SHA1
3e9cd2cba36d9361f0202cc5f44515b08f0cd82f

SHA256
b9d0ea5a931505d5294d87a635223fa33e3f2ad9911074956e48bae90a65bfe7

SHA512
8256075921977f292b8639f0a30d3508152129e7138653cb62354a0fce87c1821f9ef7dcabf0a2f481edfa8160150efb320e1db91b4ba5e63c4c3b2e90e8b079

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f31377069619ccc96153ba730cf02a5e

SHA1
61881f31fb5c592e0602026230abfef79836d2b7

SHA256
8dfded48ef3cacd3e8618aa9dc72c754ac57d58d110fef32fee0f253f38d8a8e

SHA512
5bb668e226cfb158bffa166355582add41a83e4134a9bbac23d15ed9f9881402dd617a5635968f741541d5cc2d015029eae88147a0ff65d7e886cd04157213fd

Download Submit
memory/628-517-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/628-324-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/636-627-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/636-417-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/712-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/712-33-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/712-35-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/712-32-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/712-26-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1404-404-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1404-294-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1656-392-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1656-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1832-380-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1832-267-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1836-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1836-354-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1836-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1836-243-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2040-617-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2040-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2040-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2080-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2080-625-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2200-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2200-614-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2256-355-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2256-619-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2276-624-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2276-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2604-343-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2604-618-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2860-297-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2860-416-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3488-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3488-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3488-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3488-232-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3620-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3620-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3624-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3624-73-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3624-50-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3624-58-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3624-56-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3876-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3876-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3932-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3932-628-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4476-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4476-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4476-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4696-64-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4696-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4696-70-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4696-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4848-623-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4848-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4868-6-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/4868-14-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4868-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4868-2-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download