a0d24464efd266f0cd76e2f0fa53bae591e3ea808f0d957ac830aaa5aed16b29

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
Size

625KB
MD5

263ede1ab873c93fcc5dd15cf2ea28b0
SHA1

65b07f488cbc488ef1d96a62dbd7c2bb054455ce
SHA256

a0d24464efd266f0cd76e2f0fa53bae591e3ea808f0d957ac830aaa5aed16b29
SHA512

b143eeaaf0b9b72c12c0a716cf48c214f592713a5fa4b61b1413a03b4dd4b07021b34708bceb014790c226d27e956ec871a773d59b21be4c4568b4321495d30c
SSDEEP

12288:F2t3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhI:8tHofe3y1sInB2COzRq8DvFqt

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1000	alg.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
1348	fxssvc.exe
3456	elevation_service.exe
428	elevation_service.exe
4280	maintenanceservice.exe
2484	msdtc.exe
1832	OSE.EXE
3328	PerceptionSimulationService.exe
2736	perfhost.exe
3940	locator.exe
2628	SensorDataService.exe
2924	snmptrap.exe
3436	spectrum.exe
4360	ssh-agent.exe
4748	TieringEngineService.exe
4592	AgentService.exe
1688	vds.exe
4100	vssvc.exe
4048	wbengine.exe
1356	WmiApSrv.exe
4008	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\locator.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\AgentService.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\wbengine.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\60ba38b4e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\System32\vds.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\spectrum.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3c0834f61a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e5ba04f61a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000674a335161a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ce9f25061a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f95c465161a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1892	DiagnosticsHub.StandardCollector.Service.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
1892	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4116	263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
Token: SeAuditPrivilege	1348	fxssvc.exe
Token: SeRestorePrivilege	4748	TieringEngineService.exe
Token: SeManageVolumePrivilege	4748	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4592	AgentService.exe
Token: SeBackupPrivilege	4100	vssvc.exe
Token: SeRestorePrivilege	4100	vssvc.exe
Token: SeAuditPrivilege	4100	vssvc.exe
Token: SeBackupPrivilege	4048	wbengine.exe
Token: SeRestorePrivilege	4048	wbengine.exe
Token: SeSecurityPrivilege	4048	wbengine.exe
Token: 33	4008	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeDebugPrivilege	1000	alg.exe
Token: SeDebugPrivilege	1000	alg.exe
Token: SeDebugPrivilege	1000	alg.exe
Token: SeDebugPrivilege	1892	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 5084	4008	SearchIndexer.exe	112
PID 4008 wrote to memory of 5084	4008	SearchIndexer.exe	112
PID 4008 wrote to memory of 1712	4008	SearchIndexer.exe	113
PID 4008 wrote to memory of 1712	4008	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\263ede1ab873c93fcc5dd15cf2ea28b0_NEAS.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2484

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3328

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1048

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9f13f7c9146c6c5c6861bb39f05260bf

SHA1
68e5be08df67ebf6e045d0698be3059d755d1506

SHA256
f2440f09563e3adc497ec8142d47461cdcb4595a83200e51c8605a0a05f17cd5

SHA512
d8abbc4e94ed7a2b31a6e074f01eee42bb214393f8e54907d26f0c0a09142d669cf7f6ae7f780c613eef7e6517a8ba2e79280bc14672ab82cc2177de03fc2523

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
31b1ea0144bedfa67993591810b7074f

SHA1
e7ad97172d274f08159adccb77ccd1f25b893b26

SHA256
92ddd9611fca8b22f9d92bb2f4356791093911d318629b357bbc7b2acbeb55b7

SHA512
31b6a71db97453a52cd7eeebe400cff2a7b922ae2759621d49e2650e0a9b37958eb3f5842d85a1297317232b0bca68f1aa7bfb0efc211927a41f5407fd5f1216

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1bfda180ab1fc680deb25124133614a8

SHA1
bb1d20da2ee584f0153df34f8a550666810f70cd

SHA256
06742e7e3b3dc0f937a9239445245d761bbc10726667545446a57e8ecac0e887

SHA512
6c0ec51d986e5b85f324beaaf6de6e00aaa5ddf97e3229be30acb33070ea94ea04b89e59ef993067a93d83ffe288917304d489b59579d1734018b8d811bdd39e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
34897d24f9a54aaeb5f757a8faa56693

SHA1
da34cba9b6bfec662f93a3487f9ea606c86c6182

SHA256
a643bc6f74f03f5dceb5656c314c90610812718219cab31d42a920ababb50fb5

SHA512
f8bb48bd59519033d69fcd3e060ed87f84974e2e23f3186e5ab9a4f9ae293411e3488f6c80809bd01664835014adaaf056b3d197a3fdbfc9b35f0c18ba64c07b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c89a9f9bcb85e4cb6be314a6da439644

SHA1
4037f080dac1297ebc68f92a355d7a7e33add000

SHA256
d09990173cdf87c0b9e4ea9a5fd705a156e1aa71959ca4cde3ba880abcc5543b

SHA512
59d9a59487d32ff336a890df4222964e26759e31dec74539b6bf5cb7d3caa9e1221695a29b343a208025c9b769e599042d3d742003bdd14b59fce1edc952441f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b009d1a9da8b58e28df11c1ba9759a22

SHA1
56a6f4c7e4258fcec967703fd57c0b96ab2b506c

SHA256
d286309f8ac087819f5678b25ccbe138022d46b382f5cb4e45cf1af182a200d0

SHA512
bffd9570373a3052b4c44d85d958eefba777e78086a02b8473c72ab2de258a4608463cdce791ae22d700616209f17e8025f5cb9a813a1d838d9e39182121811d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e89c5ad9041228101747913953ae275d

SHA1
6f91efe23c1b0bec27aae558fb18d518d23ffac4

SHA256
8b7ee0e3a4090eb87514e612dc2961f9a1442922a25f7b0e329aa7fd91d5563c

SHA512
aa4f49ffdc9187ad895fd8ff150c7e920ed7218d24ec662ed764194c093d0f098dc325019ab377629a2081ea266939b6b5d5e6ccaa6eb6641bdf701a48a392d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9c63816ca3cc2025412ce13d0152e6bc

SHA1
81f3203f343d7bda520bcba2453835943185becc

SHA256
0d2246744c1e12cc8e76eac9727a73ddd248ddf749d7784cbb2c49fb8a37620c

SHA512
876479e7b7ba637c6a67006af6926292a416b43aa22159da8bd114840e42016db9d1e3a169f72b8fc5323cfffda9325aefd1eb69ac9d4cb014cf3ae95de12b5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d0523cb3c49ce1e8393f15c5ed9380a1

SHA1
34b734ad0223fcad2b82316d0d82667326d4abe8

SHA256
0ea5e6769775ad3118c8f012dc97d2bc19a62301fbd2535f2f0c03c47316be10

SHA512
869c3e0a2f01e724c64335e13fb0c68d2e5bc17a021ae89bbc8323c05cc29f47bafb734b205a3ab043c670e5c86f23edf762d4eec2302d1509a25ca88bc65ee9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
757ef4d9a9e76897670b89847b8b1b29

SHA1
73bf3a74e54532f5b2439944ecd41ad5eb071367

SHA256
7a055f026a78e49a8d7bdb44a737c5ec2fd6bd0e4cc3368a50f64580025dbbc9

SHA512
f03c64af825ab75db358db804c40a62e0b9bcbfc6866f18fcfba97c177a32066ff0b59695bb2e3e0ffc8ec1dfe0741029c0fb565c40760e04f4f1477b28c8f78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1a17dbc59159cef340e86efc5db7c920

SHA1
33972428f850a47888fb918c057509b1f56136bd

SHA256
42fa11a2bc024ac752911b1de5323280af5f9543f624b3e258220208f3c912ec

SHA512
0854b7a3a798db0f1b476c6a0a15fbe4dfee19f21c1922ff2e062a97ddd01466134dc14e93d7c66807bae0ebf9ade63099cdb7df68ba657eed1a63ec4263cad6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bd3233f3fbf448cc0ac20ae70508fcbf

SHA1
3af71cda02a3b759a153cbe5e19af7c7d58f9dfa

SHA256
6d96e8b89718b6ef478607a73a6daf0d89d039e6d947601ee84d75f285549c19

SHA512
c729aabadfde9409f2224a99e6e183018370815275846a59aa0275d4c67b1e957c2d79bce8db9bd7c25c1c5a56857a5c77a9a2920536d3a6cc74d70712beda7d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
407edf174eb5c9ff66e49cdcff45d541

SHA1
3091b86090b5b1e0ec2ecb375a0a46d457464bbf

SHA256
fef4e10d192416f1c4c3f688160d9fe9c1d963c5a809efb4246f0f8ffbccc81b

SHA512
8d2cd5a0c0618a0cdea669694eff98c90d06b0459fa2106124508b831722a6941e36cd658d7f6f31fb74ddf4cc2ae8077f33586304e42c598bb43ff8e5f4eae3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
291e5a9477b9eff9d32f7b8ed96c86a7

SHA1
30dc2fe5299daac31346ff15860d795ba11dd638

SHA256
dd70f812d9cab511a2500f5cd659e1f8386f633af85d4faa59e173a3ffade9f3

SHA512
ca831481eefe6069028dfe8bd81431440b4029f8c7938bb53f466e23be414b896b01545bee87e3b47f7f8a31eea3774a6afbeff8ba0726b805fb7416c20205d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a1a5adb6779a12a5196b42a021d455a0

SHA1
d712b6375452023a2e2f7645fc658284bfe2c3f3

SHA256
07c11da8bc79e7e26e6a644cf4a5302e564ad1ffe1891b788f02ff2692e516e3

SHA512
705a53005d05402f00e9c065238641f58a832922ba6d51cc1b50827728153f012e022e8687867797efb889ec9049ba5e9203a946ebba893501a5788be4f55b21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d012bab5abae235eeb8f690ac26395fc

SHA1
ebefb250776e6a96625341312e68ae1f21cac7d3

SHA256
3c001459e5bffeed0235b05719a2043918ec0f3d4f125601980365d2a3e45988

SHA512
b7ae336b63a406ee3f1e25469d99cceb82c5993ba102673a7ee49593ce2fa7ce747740c1686ce586539967cde9d20265c09e4719945bbdba48a65e817eebc50d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
717796d923991c94dcb9992ab76bc416

SHA1
fa3a04bfcdf4faf1a9ea31913f8e6f01e47763ea

SHA256
39f000203e797dca931f991b9bde21d3b4a2b1afe3f22cd4d5f693a7bcd15f6d

SHA512
559028ead897f9453e3cfd5e7310c59a27d61e1376a019a1a7c26d7008364488d846b47f8d9f6a9707848105f6815f867428470e36fb443b75cab4de190c9aad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ed3de7997f34a10aee843e5201c7433e

SHA1
fa3812028309dd2ea6309b5e2c983deac582d2d7

SHA256
57dbf1b1f80da0673a0661d59c0fce313b77d5bd965c8747cc40f8e9b0ed22b3

SHA512
d5fef6695721f25e6f5854694a54e51db81e1bce53186a758cd515310f65ec457c1415497217141ccfb61aafa906fdd30ba766819d9f1b84a5997c9e256f03c7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d0d836506117a9fb206fc3d1e3c64ef7

SHA1
9f43fd9a6912abe79f24c798a332c8f60178e0fd

SHA256
3eebad6466f57363c873043f8218940354fb48005a9051a73f00d7ddc84a45d9

SHA512
e2ce9a14ed349c569a9d1723b607a98008f645047c20cdf21354b1bc1fd1d91568a2e2e94ffc803a082d0bb1444ea381500fe2301a620053d811d7c2089b39db

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c6da57ede192e2c4124e28d804da9af4

SHA1
5ca1e4d1033ba251c70971454b82d35898c1a297

SHA256
e2470e5f6785903b8e946f15f963377c64cfcc77b2504fff081622f36738958b

SHA512
ac1ea7e867cb3e757d0ad498c6181efc7b32a34d109157face4b74b59cddd993e1ec57dbb4f389ae3ff2acc2772573b36965f8d986ffefbeb9b0c4149d5c8277

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8787b132a23c0683e40f766c942393b2

SHA1
9eaa8a87bc2bd9e7539082cf1f2182a964e58a86

SHA256
dc081efef9de004203d72f0b0412236d69a74365cb22052b596d4bf65dd488b5

SHA512
1fd8acaa1f28662b9b2a73dd04a924d0bcb8cccda6e5b9531b92228f5aa9e2cc0d15e34358905ad34737994f1145a3c108c3a0966ae0defd9f9998a672888a59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4c2356a46190d4dde6ec8794a8cdf98a

SHA1
48df552ff6bbc365ef269a90184bdc9d6acb8891

SHA256
3a780e210f82e56de0a304dfa6ff82fdf8a5226157421334672af949cf8643b6

SHA512
31f5ba46b09c070fa30477e22c1031b171be70581b1dd29110e70b69aa089bc1a3124a6ad765cb72bd3665f2e95716a52b0783e0ecbee4fdf39edba3edbd9411

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
50782907ae0a5b91c54e5c746948a310

SHA1
3b624483a69ca541bdbf8ff38583f684844cc323

SHA256
d3acda73f9cf5f3f78cbb17c984304f99213f301b3b388907b162f051dcf1bbd

SHA512
8e556554320705020644933fe6181fe2d7934ab3f4694df1e244b77ee35698b89bf01985e5f01708e847196a9037e5f95ce61204e1fcd5d407f27128d91d54a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c5880d8d2359c63a97fa18874ec7fc2b

SHA1
d4d50a781c44d644902bf0f900d29929fc3d73c3

SHA256
7461833e367050bbd24b833c489c4e941446b91636f5f961c414a4955153da20

SHA512
cb8a1fe51af66e3c948014538b6538cdc4fd160ff7a83446a9c7664dff5d440bed7eea3095d15087eeff5495f5539e35914dd4c9cc4857f886f8a35226cfacf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
861452909928b3c21da580af16b960a1

SHA1
f68f7f027bd063054670819be9d824327b7a2fcf

SHA256
99abc7663fb4ff51caf544e32ce2d157628e0bf686b55b529284a5f14f88123c

SHA512
8dc8beae07eb6f543de4a43336d430df65372dc510215d7e317fe385c9ce4ef9496631ef42ae9f5291e68cf79147a43d4c835be1fbe827ecef5df94dc4060bb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3d740255e24760b47647bc7c2c94abb6

SHA1
9a48772827f2104668d586aa39dd580116b42451

SHA256
2a1d10d859d05723a83b9fefba29525b4e820f9670badacc60ca75849ed541d5

SHA512
56219a8446e1db0273fc83a4da3dd411af9a483bfc4aa62810fc152cc046a5ce4794e7fc887e9b0e9f28fce1e8988860999df955d3c438d1e243e90720b3784f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6cad22abdde1f63075e9d6236324560c

SHA1
201963868355adf68cb30739e7126d333295dcf0

SHA256
f64e825f6ff53e9f37a719a42d4c85536dd4a5afa665e405a57c34cea8453d96

SHA512
a5c433c7285d7feb3289ca335cefca222a4f2b02cd7eeef49bf81a902855bb04a646924035c2377761f68467b548303cdb527938576eea868d6cda02c8e47137

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
94bb0ec2b28fccd6234a266926fe6a4b

SHA1
e446cd084947f82ca17851fe267c094f9a8baf9a

SHA256
0604f4e5764cd3527ff4b13e098b9d1ba25f93f4775d500eb91c9ac61e9a513f

SHA512
fc5d81880e1e4f5886e9be1e8ae093fe6a03a2bf9d49581519a574d3ad45151cfa0454722e81409327ede2d276133b05df0085629b9f5601d2a92068be9beea5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a9cc45c24bc4845f2b5f33d7ead567fe

SHA1
7790577832a104722eb52306520c7eb80942928c

SHA256
1ca9325338cec1c07914717629c5fab8b50dd3ed8eaac6a3bc48a4dc384a41b9

SHA512
6b36d75617d431802bb5fe2dbbffead78360dcd6757238186ef11f290a047689dfe5d9e2899db752bf8377754d924996f01476696cee82fcf784e1859c591e34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f9d9c0b0c8ad8399010539fe93385e7d

SHA1
5546387b55c4341e6e2fe4889ed317a16ec8d14d

SHA256
4e0ff7136a197fd1e78b84b54331dc7702b931c7e3bd27ad6c429ec471adf271

SHA512
745b93ab5db1f4b374434b9826e74cb43ed905de05743f905872927f160c4cc47128c572e3aecaf23bb62eb631425b6ea96f3317a2f6dc2735ae0ccf498c8df1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
78a909116e281eead273e9c81a1d2fd6

SHA1
26b017cbb2f9e03c12baa2fe9ecc4db9ca2bcdc1

SHA256
0a48bb9445209060a718a81f8bebb26ecdb1df7f1ee81841ec14f9c0f419d24f

SHA512
4d163b5fe33da7f4ca7aac22f427305c3c4a91876c4165b3b2be09ad0f91de24a4cf5761cfe5c0763c0eb8026258aa119ce531a6440e18a03e46b330fe021151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4183faa78bf9d41527de0aa29bac37cf

SHA1
f84aa03de678a134c9ed04a2dbaf38e895987be8

SHA256
aca94cd57a28f095d03427bb2d996f58079540c7eec6d5c760426b5f556b4cc5

SHA512
25e5c23e860120fff82e50e05b7b9288ddfe86352007655d0db245f4cff6a4218059b58c6dfd9943ec38c6a53e781b5cc9d64953dd53569e24a1d6ee3527fc02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
335a6e3e4667030857eeff6ff349acad

SHA1
7671664cea036998f5ea793bc39ded10d6c1bc55

SHA256
a6552922ef58d210291eea6e5b438e26ef553fa708f5dd18b3cf08456f22bab3

SHA512
1026bf0aacbed4952a558716f4c9c8b0ff9f7c71cd2f3aef5f538b3fd2ba136528600f75c8781c95748963cdc2c49fbe6660122fd6755a1398d0ed474ad1e58e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
52bd2aeee5012c47f7eb5f1f0c22c3cc

SHA1
0e4488be812de44f0bf2dc7f586547704838a703

SHA256
da0ba69aa5aee2de402c59dac8145ace39b0e1fe95307b459f45540df4b37ee3

SHA512
1437833a2bdf2fd18b96122287767e4e062b5496d230d6bc9aa34c996a04e72d80d0af9551a26a1963b8e2512442263b70ca2d28ffb6f0c261d65491e73d43a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a0a28c25900957097d142f180667f81f

SHA1
f25c218de1be29033044159ecdf3621bc643a87a

SHA256
d6c6ca80d9eb80266ffa8567a1d8d88de3bcb8668f2c6505e4ee87645d61b8ae

SHA512
9376484515ca6e15f18e237ccaa014edb04621b7419c046d3fce65a00d21e833d0ba3676444982357f65e91519b3784731c5a80dc31baade6d4fbebfcd8e441d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d93aae584c79cf764df7b6da2ffb73ec

SHA1
f0337702fb00d18443d448298a8960279aa07e1a

SHA256
8726f5cd3b4f4e7fbf40c5927911976e12c9d61c148930acb4943e383005d99b

SHA512
e0fff5b90ff4948a43d25fb5da9de4a87dccad0955a4174244de0e241f1f051671a0021b304b20bfa1fdff739d579c8ffda4aca423a6b335aa77de966b1f5ab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9157dc47fa91c5b919c53c51056604fb

SHA1
7c08e6fffc155f9e1e277fc46e0d16986317fd5b

SHA256
4a86d3e6f3a77a2b5683c92344750ba24b38778bd9422c2b5c0de83fd0f62bac

SHA512
750ce9a208a034f71de17f6fd28fdf882394597de2ed5efcd8b75f43ea27831274a6cd3d1aca115d5494968fe258cff9ee86c3591482b1ba0162a6137a1ed8dd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1e1f4405497436a4ee4f3f954b3e19ac

SHA1
8ee939efdbb39f50f43e4567754cd921659e63e6

SHA256
fee7fb5f7f739cc8fa34e8db5d74be6a6771257a01bd3d37650e0483fdb24de3

SHA512
e33ea1a5c3fbfbdc247b67ac48934e1e3a17a2dba49599d2a54aa7f71e1cd9e344e0ee7aa2c83118f0379d2720db5aef8187dcded4b4a39bae14be6abf71e648

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
89f279781bdce640244607619433865f

SHA1
da581e52f202d16d7011ed29c5a071982ef60a0a

SHA256
6c21d4aba4859438d39770549759b279236b46d2e34ad49b2c91a0ff28fcc305

SHA512
bc5d053c1ffabe97e49654943ce7db2dd4404b1a45741c1a383d0846f9b74225363d738054194670fc1ce906a3012b7aa67f555ba08aeb812acbee8e1b5c6af5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
148e673584fdc8f7313aad12bbe669bc

SHA1
d5bd930e3b280bf0066ffd3fc7bddee28f11771c

SHA256
b1d38e0ab46d90bb7cab18faf37c5b42ff9e0b50ac06477133f617284380ccd0

SHA512
d0b508585848550d091148118674675434d7b0be90928fe0078898b3d529884b052e7ea1ef56648a252adb4ac64d574294e1bc66882026fcb788c2916a6b8e91

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
991e3828e182d943a6a0a28eeedad393

SHA1
259603426a8901bf02e7f066fb77f6f8da1acb2d

SHA256
4c4779592fbb573714cf2a189bc9f7566c4a4499f86ea23082180e0446e03c29

SHA512
ef33082501efee9776339411a3b420f9306a68b13115a1f2de5c1f8b1b331ea78c512dd889d3e1275c6d507a4377b4bf8f7630f0b8ee8ca3746c5bf640e891fe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8249fef051ccfd3732a88682d3406ac5

SHA1
fe1f95fb073cf4647aeba9b3c7735219d31ea155

SHA256
00bdce4b8e304b489ed0c68091faaddb046c79b095b3d3c036a03fa5382fe2e3

SHA512
ea6964b8e21e6968f2b13b60ee77aad5809de1b1c32ffcc352b6d8f82ae770c2d1a9feeb4abc38b59f58eced3913dc472dd6396d82a46d8265c1e3fe2b38b75a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a972a219860fc7369864c323f5cfe76b

SHA1
76c8453c3e790305b4acebc5bfe4719d4366bc15

SHA256
6a17dd93e2be559a11faee8211d8f4dbf5ffdaf7d8b7df6a24dcff2ce961e331

SHA512
1e003faf4e9cb6fd94c44c904ee2cb0fe530a6073e6632c435175ff30d979f6ee34cec09ee32272c6adee9b1689f7d8d8c1e54a47cfbaf2a839fb59052ff2063

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
988bd57dd4c355b3dcca236d66449984

SHA1
6e8bff6043ba6cfa79705603003f37e031ec79fa

SHA256
5459d3aef9a6431eee87b72acdb80641c140ad5a069bc5c8cb27bc0d1f7a4670

SHA512
62b33c3ba695d6a8c0976ae33e9a569507743cd656434dd6b5e540e54ed7203a888131aac184a931c60acba8d3d4cbb6fb75f51050cc03681fa94b03224a2958

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b010f724922a59229119315773197b25

SHA1
dace60ae23c94cc03282c057c219f8e193baf3fd

SHA256
f28d01fb0e234706c1a8cae90e22a2977df172034e3a30a282c0afcf16ba0a08

SHA512
6a68df739234cf94758d9affee41be78425630cf2bfdac4e8d0f48e13dd510c670bf434329b46f7b0d4f5c432984a25c951ca99cbb9e37cdc414fcac272cc68d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d14df014485e369e05789a171c7b0fdd

SHA1
b9765ad38111700344f8bad27e8a3b6d94673978

SHA256
2ea27ed6862c09fb561d495196f7eee999bc713ee095c36619ed1854bc50a11e

SHA512
e37e813158c619c34ff688f03863c43ed5ae260be903420aa882b726791e1b6ce632167096276aa754afe1f1d9b5ec55c794e5c5b59fc01832c275b029a4c329

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b54a7f781c908cfd98cf31fa305911b2

SHA1
24237bf879ff151d7290826659570d9b21c88d16

SHA256
41670054c6a1b284b9c08347c362cda5fc7921c8872d8bc09ab49774a42fd689

SHA512
3b4a3f69e13d68c96778138f1aa20b571371f04d92b4fdf814a559ae86c52831098e63e0b49b2f947b45adb2dc75ef84981f53c917d3154a5bad09b15820252f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9d056c853434d8217f6fab04c2e18096

SHA1
b2b391b34c2696130b242cbc4727c4bc70fead85

SHA256
37edaf2819ec54ed33e96c8c988e1344ee957a0dd3b01f3a0e699888d19ae984

SHA512
0cc49abae43d00aa6e0a44391d38b5804d550cf639dd85bc8992c4cf6953a5dd95655f8a2496ebd2f5b981ce683c7ca1d666a7a44b74bc34dd243fd9a83fe856

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7355c876f59b685b4f0101a28e97720d

SHA1
3f0a1dd04a9b6fcfc50faa5d3768af865953e274

SHA256
d23def0b633cfaf56e98241d282b36b75501809e5a6fe186987ac3c2f0bd87c7

SHA512
dc5e95058cee984158ad52ee4dd1cbd4a159b096e032942b31606f1228e19a20cc35098c7d83f3af4bbdbb44155344151f9171fbefee112372b53e95cc7b8b4f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
21c43173437dc4c83ec8d08e300e797b

SHA1
85858013a59d0e0671dca89e8f6f3ab9ac205fdc

SHA256
f96435d3e4f583015a88bb3811e28ac4c80dae283040848b87be09500b635df9

SHA512
53929f6a76f367f7d8efbce509ecee0e60a37693b48e5933d86384e2da1ac9e28ca66fed37a0b78fb79dcecbac616ce301094645ad8e17f1ab4b02aff8decd9a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
35c9f5245c370d6b672f4639044ecdaa

SHA1
c3971e1277458d2c6f1043c777e8c57e030e0999

SHA256
dd9950913bef18254e31cbbb91c989e3a54406539f55cf2c27e26b554b148972

SHA512
4333a17d787cc89124f808cfb74d876447d962b53354ab8b1a58a0860bb7231229e918611ae9007a81de04b70d82df403c7a8f161b03d3e90afee00b9b9a6964

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5c7e247d259eb4859b336b3f8591ae40

SHA1
65ce03d59ca12162ebfb50f7cb4b11d2b759eae8

SHA256
c4b8d310c7a8384b260cbff1881a1bab6242ef34c915eaf91ad1103a2f63fcfa

SHA512
d9b79089eaa0c7f8b8bad2452de13cf03bdb0c39389f1ba3fa661468594fcc0620cad4892f09a7c76dabc24b33af3f9b3760ef75bdac03ff6f3596c7b8735aa1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
736358509b6634a5ba16b03c8323c1d0

SHA1
2d867143e143353a54c23bb98695d245e320d545

SHA256
9f6f75be965a520cedd1a2d1512705b2d46a6e9391c910cfda0a24694bfab197

SHA512
32a92bfd501293e3443bc1b0577ae37cda995140bc6e20a67a0293246a91126901de27898c59675b50265da66b7e65004eac0a019539f35e9170243f3cbb0038

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7fead1ce24e84dbd535dbc689360acd5

SHA1
409b2ce5fddd26c238fe99e2c687ed784900dfbe

SHA256
925f965f4323974570217b6961325ad00d45d02c7496f002c59596aa65824fa6

SHA512
045fa7565255b45fc5a128f0d7398584558269ebc8048088e6200dd5ed0ea55981a2dafe09636017e8fdffbafda53740facbb5378ebb0f611fcce903f3434279

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
219492aa548fe8721c200e1c1ab296a3

SHA1
97ca5d77df7190cfd421451bfdd20284205370bb

SHA256
37fd4d67c7413f401d24cea13d8f8e58833eb55004ee041018ab2ab751c5713a

SHA512
e04540934a18d1e1f6be8c08ba492bc0a011653524bf92958ea8bbfe71c2c46ac23cd8619ba3b08303f2e3ec20f2289c7441c600bde6647736d64c6c787cf0f3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
91b4d2a3f6aacb5d8ef44262e3c88ce9

SHA1
150c54f1a757be23c5a6e62ca8fcd337dc6d2986

SHA256
413f1d0d1bdeb3f8fbd6e046b94a16e5d171d3cf56805198dbf635e6964d6fb2

SHA512
11eaa577e920314fa312de03d76cfa12247a73a328e8efbcd6f948d4820972007862b5bfbd4d5fa9e6e327effa2b7bb1b5073dacc4fd54209c8e6e94fa2aea14

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bc24b9e4f1a77e8dfbb066c5d841a306

SHA1
4ec580713c9f7c60ec2c9ff39db32afaa2010ea4

SHA256
205609cda3785c60f45eb4360db3499899b56329b95d09b1c4a8ab5b29ccfa0f

SHA512
3e57e2c7772aa1a48575f8f839291e61f54683a7e9961223f0541a04d205b89fa9c6439584893dfbec2079c80ae504b45bcbf0bba59dada1e9aff295b9b3b096

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f30639dfb52b0feab018f8d29fd49305

SHA1
072683289d1103235f3f80b92c61fa31b8c9dcf3

SHA256
9ec49c3788f1df6c8c2faf35254b07d4980e11e5e31eedf9ddbc47e326f9c78c

SHA512
38dec0ee9a26fc624632e21a94ed3e775584ca735019c46fa583236625190b744f841bdb1d1bf7aad3e59785ff858be8c3069fa6a318d0c7c5f687f0228164da

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7de07c1095b52b2315c0c004b6575197

SHA1
2cfd96c10a4199e8c68c715cd650c6593cb6fd34

SHA256
b7207bdbc7a06bc60fa32fff38206c73a1989bcdd318f325520aec1a967e6d51

SHA512
ee42c73d9ba25dff765bd04fe79b134e25d2a9efdc0078c895ba65bd16d193667083167dde4258cce3509a624b7a375cd53b467e00523a717463d53508741ff5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5f6fa3d4d43a70b28bdf6ec9fb26ee92

SHA1
3e8e937773cb9f19ca8a1033b5295b360e779ba3

SHA256
e9ca3c6213c7cb3513d8e447fb20846ace0ac94336568e173a6a233ffdcc893e

SHA512
0f70b169fc251d085dc321dc6d129fcd033ddcf021b76c40c08ded4e5d4195962a49257ea983c6a16c04a00f57a9442e9ad5b3023efcc4927343d1ac3acb423a

Download Submit
memory/428-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/428-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/428-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/428-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1000-89-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1000-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1000-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1000-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1348-37-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1348-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1348-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1348-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1348-43-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1348-47-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1356-248-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1356-635-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1688-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1688-610-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1832-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1892-151-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1892-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1892-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1892-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2484-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2484-260-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2484-91-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2628-507-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2628-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2736-138-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2924-194-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3328-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3436-608-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3436-195-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3456-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3456-50-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3456-57-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3456-224-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3940-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4008-636-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4008-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4048-634-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4048-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4100-629-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4100-225-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4116-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4116-73-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4116-445-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4116-6-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/4116-2-0x00000000009C0000-0x0000000000A27000-memory.dmp

Filesize
412KB

Download
memory/4280-75-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4280-85-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4280-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4280-81-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4280-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4360-196-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4592-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4592-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4748-609-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4748-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download