04baa2ea851f9074da56696f196d89ba0aebcd4f661a82267fe86df050d48d91

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
Size

622KB
MD5

ad0681927f323d678ebaafa28aebd5e0
SHA1

04cb20173fedd9e9e6c7d41c21febd2652b6b09b
SHA256

04baa2ea851f9074da56696f196d89ba0aebcd4f661a82267fe86df050d48d91
SHA512

0b2f938910cb2748fbc522f475e8109caf2fe4040a7b93eec5c6e1fa900eaaa7e90cabc187bb427b4bbc3d4f3e587a755e0091feed01bff49e0feac929a9d78c
SSDEEP

12288:/ukOFjHjVOfSCuBn+1V4mlzEFQyYVgwvPNaMvwaQDR6q79LRgRljjX:/uk0Djsf9nz4mloFQnpXUMPQDR6q79d

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3328	alg.exe
1348	DiagnosticsHub.StandardCollector.Service.exe
4332	fxssvc.exe
3928	elevation_service.exe
3092	elevation_service.exe
4408	maintenanceservice.exe
3356	msdtc.exe
4456	OSE.EXE
3056	PerceptionSimulationService.exe
2196	perfhost.exe
2528	locator.exe
768	SensorDataService.exe
3172	snmptrap.exe
1600	spectrum.exe
2732	ssh-agent.exe
732	TieringEngineService.exe
2592	AgentService.exe
4884	vds.exe
4408	vssvc.exe
1816	wbengine.exe
2472	WmiApSrv.exe
3636	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\System32\alg.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a4cea8fbad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\System32\vds.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008604e5db85a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000044d6fdc85a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8b7d6db85a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001afc9edc85a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eec0fdda85a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da6c6bdb85a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024da3adc85a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e00988db85a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011e804db85a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f55d4db85a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8aa47db85a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
Token: SeAuditPrivilege	4332	fxssvc.exe
Token: SeRestorePrivilege	732	TieringEngineService.exe
Token: SeManageVolumePrivilege	732	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2592	AgentService.exe
Token: SeBackupPrivilege	4408	vssvc.exe
Token: SeRestorePrivilege	4408	vssvc.exe
Token: SeAuditPrivilege	4408	vssvc.exe
Token: SeBackupPrivilege	1816	wbengine.exe
Token: SeRestorePrivilege	1816	wbengine.exe
Token: SeSecurityPrivilege	1816	wbengine.exe
Token: 33	3636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3636	SearchIndexer.exe
Token: SeDebugPrivilege	1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
Token: SeDebugPrivilege	1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
Token: SeDebugPrivilege	1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
Token: SeDebugPrivilege	1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
Token: SeDebugPrivilege	1808	ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
Token: SeDebugPrivilege	3328	alg.exe
Token: SeDebugPrivilege	3328	alg.exe
Token: SeDebugPrivilege	3328	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 396	3636	SearchIndexer.exe	113
PID 3636 wrote to memory of 396	3636	SearchIndexer.exe	113
PID 3636 wrote to memory of 2424	3636	SearchIndexer.exe	114
PID 3636 wrote to memory of 2424	3636	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ad0681927f323d678ebaafa28aebd5e0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\ad0681927f323d678ebaafa28aebd5e0_NEAS.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3140

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3560

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:396
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

Filesize
848KB

MD5
c969e19ad169f2f40dda6a91f0e3e6a4

SHA1
fcaf60d91fcec3cd9aaef8a0b8b016a832fdee4d

SHA256
df5d68d423cce1c7270b0a3e8737af9bf6ff4b3e179e54a4c7c86d0815ac359b

SHA512
214dd0be3bff79d3464713798078ad1c2f22321a8d89b6517151e8e699f6dea0f0c5301756346d27a43ede87322e18d8f1c4eb0a3f427bdb142d482101c5a573

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

Filesize
25.4MB

MD5
58e5c34e6c6b7ec0c189f0ae247bbfcb

SHA1
d5aea4fd7ac365c4ca95a5522406bc4ef1418a1d

SHA256
a3dcf032041fa2397ff32b7e67cb6dce9ce642b0c7b103506e5284f16545d339

SHA512
580b350b2e72cc8625467327fe00d97fb7ac02ca9da9444790d6db8a80c172fd9d308e0ec33b289d5b9f4ecca1126f1a77cea72b3cc8bd04a4b8ad4aada2f029

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

Filesize
611KB

MD5
a40eb17e279a1a9baaba6131f133a021

SHA1
58c4cc08954f1c2017badec57bc5ca6f11e08079

SHA256
7d677314b2911a1447302d926de41b91a72b9af6cc5ba389bc6615587c08b869

SHA512
87467c0ffe19cf186b8d3a0ae3b31254f3dc89c47dc39448b9da95380d11c801e602684c2f9df77fb3004a0d9b5f26927c4c41c5ec22670b8a89284804bb517b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

Filesize
666KB

MD5
ed474fd4e78103ae1c04981f0bf140da

SHA1
f10ad99a5c244d12d82a7405e2a0ad6d7f7ded6d

SHA256
8cb8b4160b5cebadf0a9f0da06385f935fbd9c967c857c0917fabf78bb48abdf

SHA512
bbf605e0a013a4706c1f85f2bf7857bba28add6dece217261b9b779519fe416527b632b0224434b75d80bd37db55716363d38b551aef58e5b6b46a8474afbf87

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
973KB

MD5
1d77b14edd5530e4f32fb4ca11f6c307

SHA1
99ee20a6a40596ea544dc6bd26bd268d91171f1a

SHA256
7df26fc4d6d60631fbd0e8949dd9ed9e0aea6d6b0fca49f3240aaec66dea21c9

SHA512
b4a2eebc81190381f4aeabc0e59a17aef8a0446d80965700f82373c0c4a79bcbd1688a854a4830632cc8df38a6d5f7baed89e22a2bb544e55a744cdebd863f5b

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Filesize
1.7MB

MD5
11469846a132784fcd11fb9224ed3f60

SHA1
901f515bc728158dcfa46c6df2cf6ea490ca22b9

SHA256
49da34e7cc68592b2031d58e4e64b813d04b33514af5ab115c02274aedd60936

SHA512
34edb4d85e482e75dfc4e8ac40221035a4d85caeff2d08136590896e052220402907f81ced627135752c0481d31d5fbe9e0bf6dddd4d2b2bb4c85d102ac61f77

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

Filesize
841KB

MD5
cd04c781f8c9ff87c7c3edfec9dd93e0

SHA1
8acf5a454d1897db281a0b08c7a59ccfc1592521

SHA256
51eb183473f6e06cd3532d5ec93ff37aa191dca56ca368b4c70ae1230d7e4d55

SHA512
be2f7be46b08597c7b529effb04c62fdb66d4d0fc13f311433f898dcc330f1eef3be92a653ea7493d72d454686d9d58532128d3e902602ea8380e41399a66196

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe

Filesize
1020KB

MD5
1d2357ba91066dba3829ab3fea1e4d17

SHA1
a25098e40edf52d1001b79df8ad221dc166cc6a3

SHA256
d5aba9882ecad9110689929bd005ce33ac06c7fc9047abe91db078b8d93a2943

SHA512
1184e58aa94ddf407fc234a9cf13ee2e754f38c12c084f182c0827e5b95310093ec1b265d3be2b0aff1bcc304a765d1ab6b7e90dd4d9cc8f03ae6c60de200d59

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe

Filesize
950KB

MD5
7253c65c6865470d319ec8465b56fea7

SHA1
31056e11125ee55b7a0ce3c33132168fccf5b550

SHA256
ca6a3cf5ae52f774b422c7f6f34712a89d6c17518acb70417f2335cad72f9c9b

SHA512
845c53aa548afd2e28f21dda992adc7f8f3bb1338edc7ba49f32ffc14adaa2a46acd1062a43fbab97b21553b6dc177e78ffab09e7f13473fe5418468bf3fc069

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe

Filesize
716KB

MD5
06503aec2ec7510a3b65629b6bc81bf7

SHA1
8a67c23b4794bdca6248c768b812e9ff4dd6f72e

SHA256
89e124d8d8fc90544d53072649807b09dbe1306acf803761cec3297661eb598c

SHA512
8cfdf96541b39575a436cc2da4150be3ce4ccdc7eb8a0f6c29e5ddbbc03eeed876f2d6a65833752769c37097a3beba975e3cff06b82409af60cfad8520ab0199

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe

Filesize
663KB

MD5
e79a5a5bce742b06c73d95084876d74b

SHA1
8dd46e503346adf7ed7efcb084646511c565ed89

SHA256
22e193e23ece6f6fe66f0c4613868891e4e8f2770010efac0b4ae9663d78346c

SHA512
4c44fe7acb04483e2d2cec96416ca653df1784d007c876d8f069c0ce8833ba01fc07bce6a70aaef071ecda8f04d252d4bf490569866c4c1cd3b81ab2c772612c

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe

Filesize
663KB

MD5
99e066c4bc44f22486be5c482e960bf8

SHA1
ef081310fe91154ee7d01ca2caa7edcff3fcc8a1

SHA256
ffdc4a46c60751e46b7ae89b3dfc518b495ff80bd31be16d9f94b56f79362686

SHA512
e8a0ed01d7ce60605e65bf8135fbc56b26c0ff59d7be8d96e3d06001478fda4bc53b0cb26903de6b2fb0b9fda476be063ca0a5a6960faef1fb941370373125e6

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2bc53a5e6607cd3969bb4088e5a5452b

SHA1
a1c981301e5f43827b16e422a06a7988c4330d61

SHA256
8d8c73dccda7892b9e6af3ac8193893385ef67ad311b6687d5809c123e3eca36

SHA512
a88a93754bdbd39c4120451846c541ffda54020819f8af224d66d3997a3d3eb3ba5881886148a5282c7223791e5ca29f17239db4da297e8b3c7538dfd8044dad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
4bd3d03ee61f96a2b71c94127a8c39e9

SHA1
94670b4df987198e85bfdba6b0bb2f44b8fbda8a

SHA256
75c708ee64f3ca4bdf171599ecff06b73123fcab557b16e28eef3cb02e386b32

SHA512
12b547e4e0110f717e14199ba8a4f601afcc458f82ddf2678f540ff41cf822fc75bba2857db30045d17f69d50190da96dd645cf516167f876a67602faa8bd2c6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2cdad1259bbe283611299fc03728efc2

SHA1
e06c98a3aaa9d950741abbbb6ab92eaadf6fdbf0

SHA256
922d7aaeafa4482c7b45a2605d8b397fb1858768036ec9c612b59a1d6124ef9d

SHA512
8ebbe43f2bcc3ce7bc3c7052dd824ce0cfd35316e99ebf3cef8328075202a7c0290a5a309b48d36617cb8abeb6ab01b83c6380ffc9a1dc7a0d2c70730252df3e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
fd3c817654b4b2d940627997becce2c0

SHA1
6ecb5352ec677047a804b1b55358f62ba8130f45

SHA256
a34ebc642a1e6f66c4cf052c577d47bff4681f1ddb4b7d6c9a01cd165b438d3b

SHA512
04da8a6b3b60407bc59e2070ee7e28ab09a018ade9e4070ecbefb9fc3eccdc397d32055ac2c77fe5a1ab963471641603ebf887dc6780758986c24e7b44b2ba28

Download Submit
C:\Program Files\Java\jre-1.8\bin\jjs.exe

Filesize
581KB

MD5
5f010cef0f1a615b9743cee0e8526c75

SHA1
bd16b3edf38357d31adfb8c553011d638f00b728

SHA256
760164d96979b242d41d4dccd99a90d8914e37e9f90b1b78663e67b191f934eb

SHA512
6c7427a7a1f836400eb58ba050817fca8284618f8c2c419939cc2233f713ef265c81447ecb7acd2ac4d56de1147f82f2c02329ed83b74276ac4bdd979cc504d7

Download Submit
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe

Filesize
706KB

MD5
0d5038ce9e23b030755f9eed50d85463

SHA1
9247296c66cade1aa1d8d1cbba1114843dda9125

SHA256
1bf04df81e1215d7067b296ebb4187372e4f729465d723d58e5a7422f18ef26e

SHA512
db6a36735a729db9d7066d5ef84b3cf1b452f9efa30cde3f92e1846d18de27b324b390407dffbc9cc6f9b391f2e687acd5aa6a02f1eb925663b55b275c488655

Download Submit
C:\Program Files\Java\jre-1.8\bin\klist.exe

Filesize
581KB

MD5
7c2f9577def63bb810e7c5d4173dde42

SHA1
9d5e98d0869be2f92dcc15a3d47bb8744b87732f

SHA256
5d4d2daab063414975d4d23fbb9553c80b3a25720a34bec75a9ecbc078eba472

SHA512
8e20f4c08b0172ba33849f505c985b06ddff45bfe4a7976a6d56583addc0d47f1b57716e4211429b9b8e43fc5cc4233869b1942f974edcaa751a1175fb240504

Download Submit
C:\Program Files\Java\jre-1.8\bin\rmid.exe

Filesize
581KB

MD5
1855158d2a42f8759ab547409729d627

SHA1
ca290040d91d55deabb51285d7b08ac6eb04f20c

SHA256
16c3e82b7caaec3270d5389602d66a07224221c20674e9dd68518de1e91e434e

SHA512
3f3f0784f4f4ad3f22aa9fa751b0ea982dcf4784c463e0315a1883b1b43c81b6e7530a223fc71ad803f3da33ad87791d7f159adccfc47cbd7b43d7dc0f872c70

Download Submit
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe

Filesize
655KB

MD5
5eabf8f00e6d5dd31760a383635aa7b8

SHA1
45a83c66af1f6e76487b7c3db849bde16bcdb318

SHA256
79320e5579c17af773cf769f72f66a241c6b55573dc0f6efe4a54403c30f4170

SHA512
b91f63ec14a58a64c4099ce2b1bfe5183e0b51d4a3d9e274a9e932d8f71c9452130d8bb6fc8547ee441ae10db1f01e25e675c848114728359d6865413b957378

Download Submit
C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Filesize
591KB

MD5
332e32b5d714a16cd61d7972766ec661

SHA1
4560ebad2d592c77e1dea8d5942b5959354bef34

SHA256
4dc8e805f432b2d50bfb6d851f7fe9a4b656f9d55963e819cbfe97f587bb2f25

SHA512
3c5006347cf7af288c965b236f563c3ad0b5f3bb44ac8640876d3bbd107df31a582dd0069ba841e738e769a86f280d7e2f4045fd41bab4c481547a1ecf9af74b

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
c9a568716cf43fb6d266f8300481ca1d

SHA1
7cfaf7396d00a2d1e66e68279712fb5152dd358c

SHA256
80ba09019116318321f9ec050fd0b2ca21cc318ad90933a6abe25f17c143db84

SHA512
1cd33de26fef3556f077590263ac8f8d9658dec44789026f84ba55071ca0007c69b1273e09f22c2393bc846c69972534c7d167a7c2c7fe18ed22208d22f034fb

Download Submit
C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Filesize
789KB

MD5
18528dc0e1dc480a8cd30e199f5c9f13

SHA1
cbdd2b1e697709f7c46059224f267c9ab0942113

SHA256
19620c3cfbdb1bdc2130a0b2cc0741d8301ad2a1b9253437b98dd377236c6843

SHA512
7e2a0b4aed2bb386bb0b754e11cfdf63eeaf5e68bcab8777f8c6ac5f5ba8d3336ea924fd21654ee54f03fa34c80200a6639fb1af2a4a3611617e68744ec604f7

Download Submit
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Filesize
1.3MB

MD5
d874358ad9e91c1402004b12ad6b14f4

SHA1
0cf625e7c641db0598f4b3108b83d122f480a7a9

SHA256
fd245bf5177e4c0b61db09ea612b6a5c3d4a895be06c78a81807f13d97d05a72

SHA512
6f037725ca18cbe4c767a240804ddee9d30023f44e0998c93d36c1e17ebc2f7054cd988ed2a1c51079e52b20d12b6071db696007208c5594beeeea56a8b64424

Download Submit
C:\Program Files\Mozilla Firefox\pingsender.exe

Filesize
636KB

MD5
cd0fecd78bd0d2e8569cc39866a9a245

SHA1
e1033bf90089b765b7914c36e09e81161b112fc5

SHA256
3a4d4f54aeba165f0b27183f74ed3b85ad3326f8362e4428e460b6d11592abdc

SHA512
83cf224ebcb30987efbbc1f81a8266ee821fcb5403695f3773675a6fd97ebe7bcace4a32e1299b8a65930af535b53c1597b6541ea7203377461cb8bf88cd45d6

Download Submit
C:\Program Files\Mozilla Firefox\plugin-container.exe

Filesize
836KB

MD5
6e173d02bb7cc3f7d2e2121b51fe23ea

SHA1
214c9521f7ebaa02fe4b65b908b409d0574f8f0c

SHA256
0bf4f235f9b7ef4c523f89ac943d169a81f8da48bce5fa0881f125be2bc0bba2

SHA512
2ba8f385a53668075ab3600193bcd554b41da9300cef828d6078e13ecc753bed6dd6ff0c1796f62c69cbb4008939d9d95b8aefb48267bb8a2ba18a6b899051f7

Download Submit
C:\Program Files\Mozilla Firefox\private_browsing.exe

Filesize
621KB

MD5
93b6795de5f2e0b930ed7ac20b893a8c

SHA1
1d1cd079264dd67693b88890ee91bbf4d60c3383

SHA256
77fe39ca35af63beb7543400bb31c9bf4e50623bbafe8f3a5e8781bb992096ef

SHA512
9371416f730fd121000c30216351cfd4ce97b9d313dc1cb9bb216c77ccff1ff428ae172e100f5d5ebc7e35711c689bbcf2fa8718de508fe90ea4061ad39dc7ce

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
115862d8cf00c6ae6095d429830313e8

SHA1
5e723d9c99599c107af4d57137d5402aed5ab684

SHA256
be074543753c2948cc6769a08b8dea6ef6e4475f2a09b11c9a11006facd18e87

SHA512
8cdc26b067d7a5e4193a94868b2e7292e862867b098478c0e771b5e52549ec2dbe59db6f92c0a3cf82adcadc56ba7eb1481904dffcd38b8b70631fe6466d9ec9

Download Submit
C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
1013KB

MD5
90fcaf00d099e8269a4e30161d264102

SHA1
d048cd9ec8c19a058f5fd60d79e0befc95c495a8

SHA256
db64bb0db5c8ba97823c823f405e9c7167b55b6de61037b95dcf50d6b10dbe30

SHA512
242252f24cc2a55986d3933be8df6c71dc00868c19f62cf38a0a1574c3663137e652bb6c73ef493f3db1df197bc7063b50be583cf42fe9a2563da1448077acbd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
14ff767a941b5d87d0e695782c083999

SHA1
6be8c78034f7a60a1c6de3964a8d19eef7c6958c

SHA256
d9b1ff6f4b2998b5a434cc5c8e018bca4c2afc378636c79e4561bd8aed0afcb9

SHA512
59bc9da3fa139a3b8dff5777bf4e19acc7bec0d6c6b9abcbfd325bb27956db656bb4e168c360400250ac10da7af0cf02e0785771aa7b5dcadbde6329732bc6ce

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
16803da602aa4a03f16db84b0704988f

SHA1
0d197f8d1249f43ff63c2b43770b5ec0e61c7a97

SHA256
8338f6ba0a23f506676c372d5b5d360bd2e0ee45ed515dcfa3fe04d54c6bf68b

SHA512
d9d37f3313dbb16086df6e1d8c813f772c3e1dbf1de77da0ed5ae6334c39e1741385c6d845cc75dfef9e5b195b0e0929459f742f533bbe5cf7468d52da14db12

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
40b4d737779c8fcd91886a51b6facb52

SHA1
596f55ffeb6851ed5e9171fcee409629331dc8bc

SHA256
3bf3405aa7a173e8093d802dfbf05b13c80cfe69c17690f8594365c62bd3784f

SHA512
db66d0b23f9f94e81cf58b9f14b8d39d26652d7e628a14c80b7d2df2d9939f4fc529f477da93d455de334c874517c6b45a717332ec0866791027a791d0dbe6ac

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3b5e7958fd73adda078c13ece6b34c7c

SHA1
d25e57c8e2d0613796edab3e4d24426838a3cb69

SHA256
92db0cd124fdd3667e509f9faee84b13644ca4b80253767c08e2dd7de35b6f2b

SHA512
7647d02d81d75056e7b7940e91fabf895d35ddb8cbef7ef34dc147ff36bf6ce294dfca5f09f700d238c58fe099e601c25fdbdd087678eebcfb40ca657662df02

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
61d914befe0fff3df3f1da4c0221c80a

SHA1
18644de05c563fd58b2f71ebfffc66bf08241dd9

SHA256
6625c76e9ab8c4fbc8dba939d85f818c9063a7eb340a34fc18823bab07bbc08a

SHA512
859e9ef8c74939f2d7ac2211ac910752c9dd72913d851b076eba5d5571be2b98353f1538ee57811e109a1b914091bc1f3bdd3d3ce751459ec9c44ecbff4f36c6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3dfd0d4c972fc33ad412a3fe99a5c98c

SHA1
ff4f966e970e4908694dee65bef25e4814ba2cf7

SHA256
f2b2804dc305cded327d0b8d6588bb79192c272812f4fd90fc34206dbbfa9c3b

SHA512
0d3273bfebd8b1496488df082ee4ee2f4152ab571d4effdfa270d5b5b2ea100d463180f4dba9af27f7243dfaf2a40b6c29c3b1034cc0075e9d04413321c9b029

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
00a98f6d2a9534bfbc6038442360f333

SHA1
9742b876e9ddb1f632d7ea09617ed2083223c628

SHA256
a580244749a7bdf3ee4dd905f0c205162ab3863cc8ae2ba6df2fed0d286aba30

SHA512
aa047365d6a90f82b696c0111f83f1a806c231de962604ef8bbdb228b2be4c2ee46a527b73b2cbf117bd045faa1528923cbbba47bfa8d501e4032959f9cd47db

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
afb0f395d5323bb353aadc28854e4770

SHA1
4c525d70dfcdadde6984f1e8d625f86a62394fb0

SHA256
a6fd2d2859b8bc29597540bc7dcebfa3f5e5bb964b234f022f5bd9c1802f7f34

SHA512
e0ee26b6d06439c9a4c53b3c5950a0be485db4bb6992ad11a6956605a6c5133a4d39732b1602afeba2637f97ba199b31b0eaba922e03981b72adbc894eaa6a93

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
51bd7ff6790dad2a2fc94fd92b7c5822

SHA1
0683372cd035ae81ad4d6361f1411a645e7210b4

SHA256
ada7cf7027786c14b2f28407c77d9dc45bbe52ee59ca5f8a0331c5602a275772

SHA512
5bef145ad3f6f0b0f87205284aa57210f723ef73096df2a238303293462bf51851716e7cd37083acf5886802966d3e5ea4f4aaf778c9d38c83939266cfdc15e5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2d75f088b53de062dc1100fe8de1ab33

SHA1
03e45fd0b884596084076273934787674dce2495

SHA256
db814877aa938ab3989db1f44c90a3eecee3d99e8b3e99e44faf11909e13f239

SHA512
93ea4956ec5a7e7fb4cd02a3ed0d1aca055c00c4edee95573a888d1729efe9db0a06a3f86a263a774686b644298a96826cb27d3dd2cb65bdb06f9c5cf27100f7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2515cd5ebbe48e481d0f4896207be364

SHA1
737cb50fd9a038e8ee0ad3ae2c8c5275833b7472

SHA256
f68bdf2ef684db2699ce239d4e7b693d22b5ef259e6abf0e1c1051b0b876f2e5

SHA512
782fced53a356d9521acaafc90a027874b9dc555347c1fc1d2a4789cd1e302771ea6632e017cc74f74587a07b49dc876c9e108bf18a14b3b330abce2efe8fc01

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3485e3677b5718a65a9434119747ee08

SHA1
d346e09da6435e19e03180dd7d1bfe9797a23099

SHA256
acface03010d8dc0ba5f6ca108cce7e002cfdbca85dbfb517d1465ff3a7f08c0

SHA512
7a98827d2cd006b586e08d61a9ba61bb4c7ebdfaff480e824f408fe2037329ea2833a0317288ed3e82839d1f92d3f55e2ebf138cf1838429747cc0c41a02e783

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cbc7230894da9fa4c95bbbe1881455c2

SHA1
af72fa442081172c9d69b0936c4780ac78513650

SHA256
71424ebf8590d940a5414a88c01a52ce653b499f58ddc38fcd4d7337791e44ef

SHA512
d660ff9e2144801fa1211cd7f6200f0d18914738c71783106099eca1893d423aea06647ce10dea77353630f083d3351a715d20f0135cdef4234bd0aaeb00e1ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d32af329d31861ae037d0f7b4ad79a0d

SHA1
18b8ddbf8a942359f96f532101e6eb7bab4e0b8f

SHA256
d6977b9d6b17d2a28c23cfed180f50b4599466d228411995d9aa1446612a83b1

SHA512
854428911242acc48e996dd77875ad9447d76b5fe0344518d5633ab62e54ab2e5a3eafd5efd01cfe15afd61866ee409c708f18131df4c10350d4ce1af9d79e21

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2de6e826c7d61b55c9c8fa9d084ac7ce

SHA1
37dacafe908007c364ec8956216c46c309ee35fa

SHA256
ab9871b7d1600063c7935c7cf93507c82eaf8fff7522f6504d971c9afb25fbe6

SHA512
c2785969c62246ab65033c9d3fd871bc4bb2cce7027ebb296eb8469e0971c4031acca65c19e040d433085ba554a9a75dfec58d429e836e23bdf435c8814585e3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d93e01d3eb857e286a84ade10a19602f

SHA1
8c3d0b4da1a87f324cf3d08129eebf1fd8986051

SHA256
e9a42d2d90388a861f41d2a9c3ea539254a5dda7873a321551efd9589bffe8bd

SHA512
46d7f570718b02a1c57bf6364f5b86fc20da60cc41087b6dfc70cbbc3b2483c37ff074ae11e5c11f14e27cbb2b3ed8b364a3d58b472df63abc1a00d9492ef765

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
513fea935001109666ab23580dbb3312

SHA1
a859e67faae21dd87618065c345e257f4e8bdcb4

SHA256
a6fd8228ab51179e51cd0abb5cca4994ff26b77df35021e03986ae1bfc6d5676

SHA512
b4a2d154d7c30b5592dead5c13a1802be495be2944fd4c10dbffae86efb89fa6ef2dd37dc5ed927faebe3f3f9de36e83f56a4a2f96ff699d345ec700e80545cd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e87df3567c2075dcde51fc4d4f6f19d6

SHA1
7fa150b7c68a3265270e6cd987b23bf775d48491

SHA256
276e4161d5ad9213bcdc1fb21e16eeb9df3c6e8c9137fdc70b2616be28a74ad7

SHA512
5493a20af50e6fa0508def4d19893cf747693911fc2eba6b4838b64a9a46caa578625712db705952ccedd538f8e14b8f2a8c21ec1ab13743e27a412419fbd055

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d60e34f35f2345f0b6534134bbf1aea3

SHA1
d7711839b6fb5c21739b5b06cf3efe9d84e8bb00

SHA256
2d6e3738fb6316e77701f3a9e697d883ff411cd044ba85f7c39ac88933b5cd24

SHA512
7f23fea666718dc3fcf867866b47b411b36bdffaec052e358d5d7e2ea472364b6f464e440438f063391fc223f76530fbd4bc948c2ed8f184cff5709616e29b23

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a199ca60efae0b67b4b8cd0f01c5dd37

SHA1
c493a64923687c9d338a7e3ad5a51f6179bd91f3

SHA256
362721d9297e9d83bc460780103bbe9ea8ee0e6d8b54d9984bf6e7f5e645ce86

SHA512
82fa620e5f4c63ee199b2d336d0770db7c8f43fe643be7803abfdec3c16cafe1efb182349786948d1335f4f30411ad02ebb5463800c47cd4b7d8a63f21887bdb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2299a9e43c642fac3a5745381657a669

SHA1
cc0c9ce5111196615ac21e16a37740d3bda99038

SHA256
9c0751cc1ada64c6cede7ad3c58f1109d40c7c4a0ed0e4e46124e4d7ecd89814

SHA512
2830b663580740a8233e805219b4c780243d2e724071ae4f67c2fb05f33fceaddda51a8fa150a7c11157197dfb9d07668f263f82207a45e018963419bb8fabd2

Download Submit
memory/732-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/732-483-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/768-165-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/768-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1348-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1348-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1348-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1348-193-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1600-194-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-482-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1808-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1808-8-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/1808-1-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/1808-83-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1816-235-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1816-489-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2196-163-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2472-247-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2472-490-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2528-164-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2592-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2592-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2732-195-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3056-168-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3092-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3092-259-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3092-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3092-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3172-414-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3172-166-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3328-167-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3328-13-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3328-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3328-19-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3356-109-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3356-89-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3636-492-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3636-260-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3928-246-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3928-57-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3928-51-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3928-48-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4332-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4332-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4332-49-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4332-44-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4332-38-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4408-73-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4408-488-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4408-79-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4408-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4408-85-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4408-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4408-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4456-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4884-487-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4884-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download