75eb2aa654ddf561db7f66177bc5f71e8a16d1cbe049035eb06885781b302fc6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4897b594470d99d3b8fd037ed806be0_NEAS.exe
Size

1.2MB
MD5

a4897b594470d99d3b8fd037ed806be0
SHA1

6bbdbc6020ccb2c497280da6435fcffee35eebfc
SHA256

75eb2aa654ddf561db7f66177bc5f71e8a16d1cbe049035eb06885781b302fc6
SHA512

2d8d2ea9db057300c1ac0dd347beff16f4ae7bf679c81ca137827080ae21efc0632af53cfc98640c77e9dcdfac9b599767b7fb16eb5b782ebf06d82b006f8566
SSDEEP

12288:juPxqTSgZG5GnWMBUKZGYaJ08vTZLfX+PdgdnW:juPxVirnlBUKZ408vTZrX+lgdW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5072	alg.exe
2116	DiagnosticsHub.StandardCollector.Service.exe
2004	fxssvc.exe
2524	elevation_service.exe
3944	elevation_service.exe
2248	maintenanceservice.exe
3252	msdtc.exe
4216	OSE.EXE
1384	PerceptionSimulationService.exe
1188	perfhost.exe
4472	locator.exe
1328	SensorDataService.exe
2280	snmptrap.exe
4008	spectrum.exe
4856	ssh-agent.exe
1044	TieringEngineService.exe
116	AgentService.exe
808	vds.exe
2496	vssvc.exe
2228	wbengine.exe
5036	WmiApSrv.exe
1556	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\System32\vds.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a2accd0d85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a4897b594470d99d3b8fd037ed806be0_NEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007df77f4c83a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059a8904c83a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a79244d83a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000043d484d83a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fbd654c83a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000756d764c83a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e36b954c83a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
Token: SeAuditPrivilege	2004	fxssvc.exe
Token: SeRestorePrivilege	1044	TieringEngineService.exe
Token: SeManageVolumePrivilege	1044	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	116	AgentService.exe
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe
Token: SeBackupPrivilege	2228	wbengine.exe
Token: SeRestorePrivilege	2228	wbengine.exe
Token: SeSecurityPrivilege	2228	wbengine.exe
Token: 33	1556	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1556	SearchIndexer.exe
Token: SeDebugPrivilege	4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
Token: SeDebugPrivilege	4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
Token: SeDebugPrivilege	4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
Token: SeDebugPrivilege	4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
Token: SeDebugPrivilege	4268	a4897b594470d99d3b8fd037ed806be0_NEAS.exe
Token: SeDebugPrivilege	5072	alg.exe
Token: SeDebugPrivilege	5072	alg.exe
Token: SeDebugPrivilege	5072	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2640	1556	SearchIndexer.exe	114
PID 1556 wrote to memory of 2640	1556	SearchIndexer.exe	114
PID 1556 wrote to memory of 3724	1556	SearchIndexer.exe	115
PID 1556 wrote to memory of 3724	1556	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a4897b594470d99d3b8fd037ed806be0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\a4897b594470d99d3b8fd037ed806be0_NEAS.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3252

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1328

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3264

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2640
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b21d5a43aa2eff5370a3227e6fc2e7e7

SHA1
b7fce77b39b6529036b94b77d9a34feb5a1d31dc

SHA256
00155e130071abb657c12ec5475622793defb45f5f1bfb955644fa616a7b25a3

SHA512
2db70d12317a4574c77e195e776c147b9ba81b65e0e660a1cdfb78c498dad9570faf1a1fbca2ba14ef8cb4649c2285c2f8be4da09940807acadee03ef43b2bd6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
7f23571389717047cfa4c7b55fd0a556

SHA1
62fcec5351f3c59089f461a01d255c6659620774

SHA256
ade68292e04d3bc4db4db43b0b3fafb7df5686674575161523fb5f7850728da6

SHA512
c3ad4944a2afa97bc7f2c14e40cfc34db94c4249d14ddd0e9a5d5d345aecb3518373b392f2763deafb33039e1ffd80813e3b5723143e367787942de8036ed736

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
9feea904e31b7e11c0f084da8a2db41e

SHA1
6f1f8ade3301f1c6e9ed13d7561007af568ba93d

SHA256
914298cee9ca04bc285b8f92223a90c9640f6a27916745eee0121872f177b574

SHA512
96b82536304183a9d6c6f63d98176884a9f1573f7128df12b1306ca56ac3c4f1aa54d2cab3a2995ecb0dc8840770a64c57f43bbd78d5bf3cad18134bd2574da1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4525138fc4bd52f9e1149c1352c34206

SHA1
d76ee09b8248e15f8832c7491cf64ee5660f4362

SHA256
5b56a845f7dbd74c53cad0cc08cb9800ed8aa603db110febf22bf2f3bc1a323f

SHA512
6ce726a6022139d4a889a3ca58dceea8279ee51b61c482fa6090a2e99df67c817ebdb41ba5bb18973dfc991b3433cf1b6676d07eb27fce4b77f8d8674bc0c6dd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0914680b5ba7737aa2b8cd876b223bb1

SHA1
ab58b87eef00d7697bf326808d01390e1d80e38d

SHA256
71d9d9e3388f6e9e5a3c6a9ec6f7d583b51b15f216846f1b048fc9d2a6ec784a

SHA512
38974e0f46e9ab78f7340379d9fb65dbbb044fe1c13df65e53ec75eaa1e15a8fafe0bc9c8408bb0cd98d6e345bbc368c91a28171674fc55afb058157662c277e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
660ae9a46abf19933a19275858477dd5

SHA1
c9bdb221307120554daa563e9f733bc3948d8464

SHA256
b8429180e07cd0f306d17dd96a0910014ae59fa409935b9cf7cdd86f0eb580a9

SHA512
f3846889585675ebffb839712b047180f0210b377c3f8b489c7a4e87226606f4e9a69a205fb65eb445945c7b17bccdee931ee74ae60edc25bead89ab24fb3ecd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
218a70509e189b4fed247e33c17401ec

SHA1
177f18281ac6d64dbfe9486b5ae4769ea4d7ec4d

SHA256
f8c0abb726292719e6381d1c31c8a600f95d9a6bf960c6967ccc4feba5a78327

SHA512
75b39a45fe635fe69c0fcd8765d689c2a9cab4114e713f3fb75ff9dde802426326b932cbdcc17eac8e409208367fb364a6c29071bd36b5bff4bb3ebc224366b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dcc5bf3b15251f72f000809ce11f5875

SHA1
d69f7c9223d510eb28af9e19c9b9ea91f9e3eb24

SHA256
9eb7bbb5c70470cb8b558152073ddc673e7f58a82a22f1af72b2e4670b00f5ab

SHA512
aa28a17a0dbf196f5935c1c693d2450cc69c8ab79a02887f3898f18f5bbf806c547248b12041ec7d56ad53240e81fa9246e86ebcebb6074b3f67c05d6db34e0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
14374b7aae0f19acd4b7eca91590fdb8

SHA1
4473a448b8f605b406c2827c9e3e5fd3c4e118be

SHA256
d31c8fcc7f0ae9ea2cb79a717c28d00975a5e2867cede754990182e967ef2cc9

SHA512
1b2270475d4f65b4fc8805057dbcb9879fd0635776cf694166c450addcaf47967528e05334c291b069ba22f888b98bf0135437c9e0d1d49b052b97578ff59ed8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f88815d943798ded73661c56688dddc2

SHA1
29e95e242e85bc59fcbb845877e6023d07a1b9ed

SHA256
71477cb0910a7f084ee32e7f80181acc2795a88dfe85474f72f7a81f8decb26c

SHA512
b502ff752bf9ceda4b10b0ab39261683bf84a362f0d7ac2750f3728bb5185d99de3e7ddddee2d9679d2efaf86386f1b83e3f5a982261bcc36b60c193aa0d2691

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
57924f4c9c48ef190ab15659e62c5ddf

SHA1
597a7b625a05a5bfc794c5a9737862143914e1f1

SHA256
639da271be5f0a77801722a9241acb6c8cd5e8ff3d20de32b7852be8740c6d70

SHA512
be1c2b13c749c952c3247a8578af21f150e9bba0999bb16c150b60ac5f64598454de95fdec21238bfa47349c65a2ef178ac96e78de12e381f6f0aabc643cf424

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4d0761ef9c4967c98084f438436e1a93

SHA1
8430df24ddca97866d1f84d197df48f0ccddc82d

SHA256
98f1d2e08acd7487027548c7ea0fd3150c07b04d1ec0e3f853a39a34427eba24

SHA512
86b80a3f30dbf40a95eb805ab04c0dde813f51abc1a097fd27c13e88e8723d93938c55f89b6823ba392683874880e3ca6b02586c6e879bc5ee186169c5758275

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
164d02b6b260cddc05f5005883e4264b

SHA1
b856de8f810b8b6d8a99f0a23dd205f457116512

SHA256
4e0c3620259984bf335a142cb33b793a1870f2d780acb1c472b8d7085a63146e

SHA512
e573ee9a6dade77287ac8f0cb251394b9dc03d3727c72237b78dac3dfc71a25fb6f73615eb59d789daa62ce888e8b3942a924ee5ebf836c0512ff822f86ac706

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
53991fb90a6642d921e5c4ada479973e

SHA1
a67e1adfe858d386a9496ca2f5dd9d2011ceee4e

SHA256
5ea8ef56ea8f9aff0a0bde6ac756fac19d1b96af7aa17d4a1b9ac492ecaa2fbf

SHA512
2d4c6ba5dda073d1c9f0def76b23f38a8199971ee6348b284cde82867ab3e087c8378f3360b4f709cf3e48695f34fe1831d6e98076fd150ab5509ac0ad9e3c84

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b00c80b661954557c08ec4ef6877c21b

SHA1
cf0ad3b9012a9f0fcf3a33c333a838cff8931302

SHA256
e51d815ef28fbc5fe7b1f6b9257274c359884832188ad8279cb8e4bbd844649a

SHA512
b392d96ae48f409f7bcb5de27e7bca0ff46b97643d72e642f23e38e691b0317148f01e142309520078036354b96f44b53d4157eb43bea740389f67f11b5a6a33

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
cf9c51fb9292f28e494a5a41a2439bc5

SHA1
a99c304d2c647217c943bb9e364d6e7b99289474

SHA256
9373e607c9d082fce716d824d7c9806b05b0fc93cd57a04723d563ce19d8f8e5

SHA512
19554a9b45d51609e58a1807a858212c66ebeba26c4c22105725b84804e37e13b97136f7f3fc24e52671529ef39c1793e75c2b3262138a8974cdb1b60c128ab3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f3b372d876d58e28fa04be1e296c9168

SHA1
3127a1cb62c8fc26906667599a367e3da7a9d7df

SHA256
8a8af0049cb883358e487b914a676f84c5e2201370123a98c2a082a697787bf3

SHA512
f6dcef845e55d2cbbec42e731b8e89230d0a98b872923ced5a7fe03cfa3cb83f8633b71bd541fa29541abbee65224b38b136f49b90568cd7232d71db3aa3d9ca

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
20884973ae98be6ccb065364102ee8da

SHA1
0a8f9848fd5844595945cee4205c95cc0f183e7d

SHA256
e934028aae4befba69b28b143a332bbd2bae66019aefde80352f1e05fa09d8a9

SHA512
a68d6b2060fbbc7545a5d601bf064a31b121b195e475e1e9fc08dc3bc6df697f66cb0f2f6f1151baee6fd15b199fe8f4abb07565036611f7fc0488d6ae7d70ea

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
98b9554f58bab8d6f3a1a5c8f5e94b74

SHA1
d17bfc3bf9f73dae6c7a141f9f77730e97c3aa5e

SHA256
35a66417e9ec9d07c041d9611013801d2acada4174f4b6114d93542bbb512a26

SHA512
a0a9d780d7f2dc6bdfe22351a777c830b88c728aec4e991e040f97c5ca6af58fd9b984faf960302430cca5d0101bbadd3e74919383f03c3c2d8451577a5590cd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
eff1ce7d041e40d6f49e0f25c3b07937

SHA1
eba408bb9953ac2212553b6698a31de400e7a065

SHA256
a79e90468b534357d29ba03bbc6f61afe28ee9a8e6504b0cb8bde7a18e77fe2a

SHA512
700980442a15199f2a19afe07f94897d1063c2be1136d8f39dfec5309b9c2a6a2370e86d0a83a799c8f22d17f0d547fd623336f007d2f5269823de156bbf0f62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
c296815d88dd9e8f4f82a9a6ddb29030

SHA1
a598fed98cbf860b8fcd24a6f588a5c2db66a87f

SHA256
1903c8155924fb8fb12a1e93d5f50f701377acdd61e62de1b9c2f2da33f1f4a5

SHA512
0b18af132d4a47cb3786526d75693f64cb261c9efe4a864598d002fa2414bff18eeda15dd65e626afcdc347fd38bc98616a90eda6c15e5078b2c7abf9429ed8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
68d55abb21ce3dae7c143c117078fa81

SHA1
8eef638304b4bc2db8d77d10ddd9bc2b6959d1a9

SHA256
16f8f30952547288c9c5702f6ea85faa1e600d2e40937c3ef3924455078a4b39

SHA512
94317ee00000a1c48e9a35500f00100a64829b3b60d3165a342176b551b8a0efbb1787d83253ac31ecfea563feb87f6814b0a9044daf18702937533faa53f280

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
829aed5ce67d16680eddf8cb83476e77

SHA1
e30049cc7bc43059b24a3076f826cd56806b1a1b

SHA256
d68fff9bcadb282896b4988c783d2ffbbadf198f6fdcfde6347b5bc87d0624f0

SHA512
e6f7baad627028b4576b928e05eca599970da1b9ac5bce306a7f1d2bab9687fee4034830cd1a85097ea6c338a7a8c6abc685591275cd9d82a35c2b289e4b3e3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
bca096a60976fb78ddb870169f9ee9d1

SHA1
61efdc2b697800c4c1b14ea501f07edc24781cf4

SHA256
f33f3910c35a792dce842868c60cb599b0598872714a96493daa55bb0f570de9

SHA512
340536ecac72cacba69df5cdcc9c7440343aae641cd744f00d361f51311d168bc9d9bd6f8b101a084e561423f6e1c1e275ef5929ac8714bc92b5c778d7779186

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
be93d1b808245bdc03a8adaa77e6140f

SHA1
da1d051888bdd81608db1ab64ed7e08f680d18df

SHA256
fc07c1e84d25467fd019780b7de4cce3fab88cb623a1eee313449c0c21db3253

SHA512
f36b0e445b0c84685c566b11ae508a3484575681933f80edaee86ec0986dd2c61592d729302cf64e2e65ea89c4125bf19d92f82006342e3705397f03e7918d92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
e5c3944f5835ae64de1baa01e4a0b772

SHA1
f508212e94d7207872129731dae31c01a723c7a2

SHA256
52fbd5b27afd8b0f1f59547ad8d585d8054c48c5ed4087b4825bab6d7843de8b

SHA512
764ef79203510646b3bfe51aa1ed22bed19c1673281326acf55ec33e8ed11566a5542d660580c2702d43e0725ec9a832fa77b5fbd7de567e1cc2c49b0bbc8961

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
85b39e278c31385403b0aa20f9095abf

SHA1
7c70952d0e667b0f1c0ba9e740de49d7a95fcfbb

SHA256
05cc7134da3f47e07bd72a803f26a138f86160b01f2ee185325613e1b2235c0c

SHA512
a0e84605735884c1ecd7298da5b3b254bfe97e53c527012dbf9ec498886c3d43acbdb11bc34e605708008249e1546ab0876a0b4d0a04e7a43ea87f5a1c14df98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
7d15a78bb6d5183b9c97bee13f0b19b5

SHA1
36a94e92eef3b19f6a807f65b5523f3be3a9987a

SHA256
f67d7cb181c43cce82909838b6e32dc53f8f69d1ef21f26057ab371258f7f4a8

SHA512
215b4b840db4d6e3e5f5a528551936201e58ba3f9d5af1bf00107b30cddb0ec4792b95a26a9aa952be972a368075c4c8303200b8a2407c337737b8424accaead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
279d91803ebfeb6c9d06a8c23530d469

SHA1
eb1970bd6463a4480249e98a8988cd0b4486e70b

SHA256
f5e21bc059d1971b081606003f65393b5a936f35bba4fe5a5f70c57706f7a5bd

SHA512
74326237e59118a416561e8fc7db45ba00cab1ec5b48aac8272b607a2068d9583844c9f560341f9190e7db1b1bb01c880267628fc08369d154ae51b9631cf2aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
c102bb17cf71c79add054c23227f92ca

SHA1
1baef0a16d375203ec0a5a652d0cb01419fbb939

SHA256
49e9e9b7a59c554d63109fa8c4189acacbb5c02324786bd9ccad8f8f5ec37446

SHA512
e4cca8da4e77a1ee4636615165e37f0319d9b2af9efa81304f9903c21028a9eabee7de3f29fef97806663c7c2d0d9a40c467ecc97969a79c925945241d8474b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
97a8d6c12965e8a54780e5c902330814

SHA1
5d9bc120a276718c4dc888d092981601c096a706

SHA256
105d1ff5213905a868b9b33c5fa841317360827e5e4b3c3a24285ee7cf02936d

SHA512
8c56da220382b390a19b76834d34807dc15c63041089a801292bf69a594eddbac2951eea167ce5c954f15c1b5a5e13941fe2a81c8335fd06378b50edff9b602d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
843c0062ac56288071916a3d174fe8d8

SHA1
c9bf829aa8d415acf1fba6168f7da61452ac637b

SHA256
30d4bcd3a6f044473ad231a2c2ef4f1bcd857c7f4f52f7369c4ca34328456f7f

SHA512
b9e78b5fcae805b0f4f7e3128aaa7b8775db4359e8a1e22cf1903454e653861cc28d6fa78748cc57ed731b7231e53c3625172614641cffad5cf921cc01b911be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
363ef5f4f2c936171499f128e14656a2

SHA1
ad8cdeaf31dbd375d032ea555489540d0e0fdd32

SHA256
2fb16de6c336c0b32e907bf0176ab673836feccb28f68faf5504a96bd9abd08b

SHA512
87f3041673917db41f7c6b78b270bc2a21b823c3cfb26196cd952a0009ec7da460f8586c1750dd25325666ee405719ded38d3fc0e61c67b1bb8efdc9738906f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
eee47a423603499d047ea4cab4e694ac

SHA1
b4e0ae2e7516d743ff96f196f8c7c7495362e618

SHA256
67c82520d725e47bffabb259dbde50c01b1074c1259ab92812ac320bcd2d82e1

SHA512
e11b319341939765bc84f5b6a3ccac0eea8894174e9101397052051539f1e34f923937c11f79135ef322ba4a3f7f22f547158bb1de56027011843815b9d43f1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
f56cda536524be45207c78fd91d22753

SHA1
e171516f42694f499f19657ea60266e5247a0627

SHA256
460ea636d9d32b6c4aebcf7b5a022cb1e997f2e1d5eb46ffbee37660f985e9c0

SHA512
4393a519dc70f9efbc893379a0259f54130a0e30950be6455265358a7281eb5986f9a3af1643fa4b2ee61e1b9b37cf9c4c85c4c00144150a502df8fa6b0c7317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
ed90dc6ed368e11f16a973620e905389

SHA1
d0b8e265f09eef5ab2c938610a7a6eb447ec1208

SHA256
f544ef26339869ef0c55dfa2b35c54535108ddd5817625bc1c9652e0a806b32c

SHA512
824a1014487d81092d50dcd279263170c5b7c16ed4ab20b7f96e9180eafa72effde10710c5f17f9a614cd2edff24ea294c64d2bd87cb0414c59370f1fa551419

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9876e5c9a399dd1adf6b50b7f9b44e0d

SHA1
f4ca73c1ad963c1eca6b38ac080fd27987bdc229

SHA256
21a1a73ae448097ddc544af005c29617f133896661ebc15588410e37c685e506

SHA512
8abb8698b8f0431810381237c15a386718d81bd42b4d042f549ddec0b6bb64efc02e780860ce6bd2a68f97fc60e2ddccdcf1c59bfd7c9ed7c452412925bfcd42

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
0be32b4d9f0b6c5bbe9999c0f3b493ae

SHA1
298b2540102176548fbb0ff5a84d337f7ea09faf

SHA256
4cf392ff748e74a3da250ce9f6a1a554835dc5367cba19c1090972425b19baf4

SHA512
72ad618eaff576e747e2dd72ebe08d5ab4c9b16008d24c7c733f3be30e023fd27620fe15f72236dbafac4f402f5a8b122af1923fa6d3fdaa6b52ec1edd3b6360

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
369edbac90af71614b320360cc5946eb

SHA1
aa412689c0c3ad6e3544edb4daaf75a945f892e2

SHA256
6a15bbbc1a66331660adf2b83aaa77ea6975a8d909c46481a190c9a6ec8e56a5

SHA512
57ec5f73746db5a3336f27fde92b31d938b0ebd254d7cd2538beae38d31670a12df61b56946770e802a12eaaeee55527b95a2b4d1c86c0a90edffeb5b499a55c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
13084b03b52bbd0afbe7437845acd1b5

SHA1
d792660d786cf220c11b4e6d44f0149b453c9e79

SHA256
9a4b7eee052bb89d1842a07b99839c9e8b61aecc079446e4a9f8ae203bc8009b

SHA512
4c35d32ef25feb0ff6ee663e4346fa48fa84fe5b42515c37e5166cca12ae60f1a0b2fc3ecf98a4ff4a6499496a8b361dc291e8384766edcad440a76a26160036

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
607fd594d74da6d60707dbcaca48ac72

SHA1
bff825c78f2d524f30a9bd9c6aa52a02a085ab5c

SHA256
72f2a43d0711faab9d824482260c4804969c9ae22f67e35228c2993cce9015b2

SHA512
3557037b74c087916de827dee1ceda4c71908410713f5449ddf34fb2acfd21b2730c87787a9a8c379658952b3b0827e2507abdce7d441bb79b3fb609e30e0235

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dc29bdacb82108e4aa10d43f52bbc952

SHA1
4e9bdfa23218cb5f4c8cf1b2f786444d969ccf76

SHA256
3bdf1aac0de75d8d71dc5bf315959b5ff6781b823164377ecb71f6beedba8583

SHA512
eef2b61051a03dc5f5217ebb099ec04deeebfc594d16e8e37b6fce7d5482b452bb543aa7de0587ef2cbc9164c577e6f9daaa606c2034a09685997aa80324f9eb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
71b6fd6c36d64f3c03fbfaa90d18b134

SHA1
52db63b348f73590a8f141e0084c43fd90d8f711

SHA256
c551378b7dc716e72813fee014c9de6be5f0718d9d2b49ae0cfa5e6ef902774b

SHA512
24b26353bd4ec3272ef635a236eb4c1453c39286f9f2acc73f51b7438bf14728493e13830540080248d1f670a039e47997e620527e22c26d6a8253437b215de4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
4b6f2e4b01b4703596c233b5c5ec4a60

SHA1
10172cd6a04d3148ac7d0eb871d17ca6dc614b48

SHA256
ccf0c7737dff7b91468fddcebcd362fff4ebb8f19448d9a98114c4ecbb29c204

SHA512
d7fd0733993c3c2d2b6b174a446b7050890f6e24c95647db313a814a364f0e3a455809d7a0a90115e1b45b139d0b8c76a1cf24353c93541dc8560f1872afb2fc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c5534f11fc056e00b134b2ca6570e655

SHA1
0e4dd6073e6f0b4832f9897d7bf1b2a63ef4d06a

SHA256
f73300e7c833fc6878348eabdd1b5ffea31cd5d78d0bd1acea10e3b4c901f7b4

SHA512
e5910f01e6bb8a82a120fe4501a83148806ff672af22d77d578f5896a012d920ebf563f2c024c9660571f9156917c7abe1417c9d48f47666f3569c59f830e451

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
827d341d210969c305c8a5a1543c3d78

SHA1
9046ed8417b45a17e17235a1edc883989300c24b

SHA256
5398c1ac4e42b4a7d39ad33fd3641a5c133bbc6c1d3b34c31d0952f8eecbc4c7

SHA512
46566304f6c5e98c5c83ff928891c974d87a2e0b43d244ad49e276d59a674a04fd9fa160c985a6a0a939a98b088382d533a42fb16691a4fc3d28e72edea1bc01

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b62a6e8f0f392ca886a8c6ced2b57968

SHA1
8048bda995db3d1a53523a25071040cb9391d081

SHA256
b4c7530681bb3ffba4a5c5fba80f49fddc4e6836627523b0311c1f4a8f5534bb

SHA512
8683ffb1faf5ed7a44f7e5f93e030b6f29501db81df93bde80a3244783108ef9628257c8bd12f01c6ce83c81fef704bceed98110af6007111410cfe40b3b5ff9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3ee6df17f0893387f0c25f188f44035c

SHA1
b7f2df16add05c5bda6ece87075a33e61746de99

SHA256
c760c64416f2f648309f6e5a744a9ec304008889ec0ea694a013c30a936fda11

SHA512
af27fe2ac9f45a9f28cd4f69ff6c9f36a6651d4174bbaeddaa22e52c5825acce56ef93d595b465c4cdb9dbf3f95e81e08ae6f500cad94185b3ed8e4525e60634

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
0d7274cf2d5c5e5d54afdfbfd16e8a50

SHA1
ed0ac326308b13adcb413d9a1997670c3e77ceda

SHA256
e8d34f7500c8b98c5a67db161f427e8ff01a52d9cf581ecc89ec117639bf3cfc

SHA512
d444720766b8535f4a2754a4e1c8ff43b413ab511b8642cf1b3929eb504eb4315f74b9c5e209a09bd8fb12bfe8638d45806bff7bf01c04183e2691816a064e0c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
41fa8f6d756fed94cd2de71e24bc6ee1

SHA1
d0f34dfcdf4695153fbbf1811e155499d8c07135

SHA256
7a1d565450d623560a7c9db59ade50028ec9fe8de1492da34ce59de0976dda3d

SHA512
4c65ff322be13a05187d6270adac39eb26df7ff0952231f456e1bb6111ad28cf5c86b4a4e9010dffa5f1712e907b76f0549de17839c418b8cdce7db2bf248fa5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
07662a4d20817a71982ca3652d29d779

SHA1
02520aa1b5e3f3b89f001d2e23aee755f2f4d986

SHA256
ea415d47f25fd9990a76404ddf70012b122c799990013abde19d1e36504ff65c

SHA512
153cdd35c0a0aa23196732b586cb88640ef1b1600e9ec854e0ae33eb3fb1804a496680bd21d63a1e7f0dfc036ccb4c6a57591af6f9fd92455df5cfa809a14526

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d5a611f2988e4b6c61444b28ffdff0fc

SHA1
7d4988621a69244e035df6bb1f01131db0bbc70c

SHA256
536ba4f613a5fa4a3bdc121d25c84d54b7b2f29a552e4436dcf79786c6b75113

SHA512
ce93844e97762f13cc94d8fccd6b74af50391f08f9ae79c1b5af2ea3f0acf7f23fe32640f78e961bcabc7a24f0b8e2e075774b43b20241eeeef69a21192a3e82

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
22c7e618bb63dfd4794449f5a2b3522d

SHA1
710955506deb758ff96f15b8d94614b0fb55c060

SHA256
18866a3615957b633a5ac1c59c61452f7cf28be2ebebb9fbbf683bf1bdfffb17

SHA512
6a25b45f0d8fda5a5af61be2746189ebcee82940d2167b1d23ca8af1c09cf69ba95e3d2610958615eff7d955414c596896c9e965dbba87b9a4861c64782e9f22

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5a0c55382851863ca04cefc352afaa1e

SHA1
5e4c4a194c638804ad7193fbdb227d353a6f54cc

SHA256
378b1d3c15c00a537829ba04f591e66402eb6c9009b215e083dc01a5f0c348b3

SHA512
25211507e34ee9ec2734ccaced5b233b7d23375bd05d64e2d2e5001048659d32000ceab2d693bc1f23570376d74da3890e73d23c25c3e9f28c1fe05bd156c8ab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6c8230910307d7db13e2cf06a9d266d7

SHA1
6213bf069a5881eabd7de233fdc626ef23d7788f

SHA256
30d903bd5a1d0558658fe41f0aec9b923e3868056c2d967f63c23a53eafef025

SHA512
b8250e24de9a77a5c15bee380ae3a4f420256d17c468b882e31068aabb363d761ff347ca273d6941807cb88b60c67220320d95c5a80bc43e1823090aac9bc597

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fea592b9a648bf337285cfe4d975f646

SHA1
f6c621b19564af79ea459a777b82ea879ff5b945

SHA256
3f0da7ba1bcfa65f78520834f44c5f6e8fb20ff015e29ee14d1d2d2ed222e322

SHA512
e9fa379d86d6ec1d5f991d3414fd55ba13c2dafe63dae38fd3a58336f3a998940330f369b1dd824e009f3304809bb380b92797b85dce31e7124e68aaa6088c27

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f542629ed2e513e6006cf77efb0dac71

SHA1
70adce60961a401f34366e78352f5028af587112

SHA256
41b8a33f14aaf1c580dafeae2cdbe2375deebf734a42e02cd4883eaf2701aa4f

SHA512
58c7c45af9f605247dba406fcb63edacfdc2d3933c424c668a4543f3df7580978c99bcf7b720d77467be9d01e23079130bffbbf70c6d18824f8f5a483d6b5efd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
e228af10ff7fbb7b380dfea284c6ccfe

SHA1
e5f0fd65b104553207c8e4ac9241add9f3d84a7f

SHA256
237ff0ddd543b8559cbb05316d5074269272312c2063378d5ea9d9dc66ee55c0

SHA512
035fd57e26c1d2d210d1cd58bb85f37c7cc28beb70491fa7ce1af6642b3a74ce91be3f3f6880ac8cf2e1a906da190558c81cde167ce5f8a1a8d6f0f4f7fe257e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
23be9d250a4b328c4d8c7e8bc196c881

SHA1
fcff8f9ba9809b3fda4863700dfdbdfd2c847b23

SHA256
7284158e3283e6e083d0010e868e8813e08ecbf073a94c170f4fb9907c085c13

SHA512
fc6edc6098c08a8a2c3db512279df47f152ca8ac459cf06254c2c5a369b94d66386afe80ec28644eed484673404ae4744688fe4ea390b43c01592b22db1bd71f

Download Submit
memory/116-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/116-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/808-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/808-476-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1044-475-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1044-189-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1188-239-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1188-128-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1328-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1328-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1328-473-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1384-116-0x0000000140000000-0x00000001401CC000-memory.dmp

Filesize
1.8MB

Download
memory/1384-227-0x0000000140000000-0x00000001401CC000-memory.dmp

Filesize
1.8MB

Download
memory/1556-562-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1556-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2004-44-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2004-46-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2004-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2004-38-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2004-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2116-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2116-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2116-33-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2228-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2228-560-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2248-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2248-82-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/2248-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2248-86-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/2248-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2280-418-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2280-161-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2496-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2496-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2524-51-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2524-57-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2524-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2524-164-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3252-206-0x0000000140000000-0x00000001401DA000-memory.dmp

Filesize
1.9MB

Download
memory/3252-89-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/3252-97-0x0000000140000000-0x00000001401DA000-memory.dmp

Filesize
1.9MB

Download
memory/3944-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3944-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3944-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3944-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4008-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4008-466-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4216-215-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4216-113-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4268-88-0x0000000000400000-0x00000000005BF000-memory.dmp

Filesize
1.7MB

Download
memory/4268-6-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/4268-0-0x0000000000400000-0x00000000005BF000-memory.dmp

Filesize
1.7MB

Download
memory/4268-1-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/4472-251-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4472-130-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4856-184-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/4856-474-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/5036-252-0x0000000140000000-0x00000001401E7000-memory.dmp

Filesize
1.9MB

Download
memory/5036-561-0x0000000140000000-0x00000001401E7000-memory.dmp

Filesize
1.9MB

Download
memory/5072-112-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/5072-20-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5072-19-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/5072-11-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download