136dffe5b76e21a6b6f18ff04bb31ac24ba9355e3a8960824d895e71f0401487

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
Size

625KB
MD5

4f1d8a628ac8682fdf0c2e9500d1a2d0
SHA1

99e1fe9fb55de0b61be2bc1b9fafaeebacb87a60
SHA256

136dffe5b76e21a6b6f18ff04bb31ac24ba9355e3a8960824d895e71f0401487
SHA512

6f8df29892aed6ca4e2b7d5c06f58a6c0f4ba4b526de6e07879029ce31a425158af7e920ea7e8b375474d0547d4946ae98e4069e873b793b392b93598db2e502
SSDEEP

12288:b2CGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhS:KFt/sBlDqgZQd6XKtiMJYiPUS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4184	alg.exe
2964	DiagnosticsHub.StandardCollector.Service.exe
452	fxssvc.exe
2828	elevation_service.exe
3208	elevation_service.exe
664	maintenanceservice.exe
1980	msdtc.exe
716	OSE.EXE
3284	PerceptionSimulationService.exe
1560	perfhost.exe
2520	locator.exe
4116	SensorDataService.exe
1336	snmptrap.exe
4216	spectrum.exe
540	ssh-agent.exe
4976	TieringEngineService.exe
4024	AgentService.exe
2252	vds.exe
4872	vssvc.exe
4140	wbengine.exe
3204	WmiApSrv.exe
1456	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\System32\vds.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\locator.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d645fe6d92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000531f01c524a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f97d8c424a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000204265c524a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000469073c524a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c64e6dc424a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f96ef0c424a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cc0c0c424a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000564c8cc424a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e203a8c524a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c5a1bc524a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f97d8c424a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2964	DiagnosticsHub.StandardCollector.Service.exe
2964	DiagnosticsHub.StandardCollector.Service.exe
2964	DiagnosticsHub.StandardCollector.Service.exe
2964	DiagnosticsHub.StandardCollector.Service.exe
2964	DiagnosticsHub.StandardCollector.Service.exe
2964	DiagnosticsHub.StandardCollector.Service.exe
2964	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1196	4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
Token: SeAuditPrivilege	452	fxssvc.exe
Token: SeRestorePrivilege	4976	TieringEngineService.exe
Token: SeManageVolumePrivilege	4976	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4024	AgentService.exe
Token: SeBackupPrivilege	4872	vssvc.exe
Token: SeRestorePrivilege	4872	vssvc.exe
Token: SeAuditPrivilege	4872	vssvc.exe
Token: SeBackupPrivilege	4140	wbengine.exe
Token: SeRestorePrivilege	4140	wbengine.exe
Token: SeSecurityPrivilege	4140	wbengine.exe
Token: 33	1456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1456	SearchIndexer.exe
Token: SeDebugPrivilege	4184	alg.exe
Token: SeDebugPrivilege	4184	alg.exe
Token: SeDebugPrivilege	4184	alg.exe
Token: SeDebugPrivilege	2964	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1468	1456	SearchIndexer.exe	111
PID 1456 wrote to memory of 1468	1456	SearchIndexer.exe	111
PID 1456 wrote to memory of 3696	1456	SearchIndexer.exe	112
PID 1456 wrote to memory of 3696	1456	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\4f1d8a628ac8682fdf0c2e9500d1a2d0_NEAS.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3488

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3208

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1980

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:716

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4216

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1468
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d91433ea2144538b2c2577a24f0a88b3

SHA1
b57aeddcfcf30b443f9dac8b3000a85b47d4d4fb

SHA256
8bd79a049d211b378ba1b946e3d63bc71ef124dcd949dddd13a99f6d20521702

SHA512
e3b6d6952f51f2bb16742afada1f2d449597f37a0599502a88b4ca310eadff7994c7d16c67a77cc516f8a031d5295831e11ff3e7be6d2319c17d38738d7f7884

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
80d635042eb040e5c3b83b6d03c44950

SHA1
6c8c06ac8307907b11f16cae0d6f073077aadb2b

SHA256
f116844e3f674647345210e8ffdc8d687b7f3a070cfb132b5dfa759e9f94ab50

SHA512
10a47e51774e01694b23fb143f92c90ac47fa357e874dbe8a7e8ca15ad8d42b707ccc2fc3b05f39bd38dfd44b87ab973db7f01ee1628e9a6792536ad6f56232d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
df87e519f380168f1ad6d0743e5cd9ab

SHA1
68138207b1c0e0601826d4df7ef6b1192ec5538f

SHA256
cfc6cd141a3ce265a2e8f5da5a43eeb44dd1d6d12d1a65f399e1ee8957ae121d

SHA512
2a657d21d2c2e9ed613849e33ee768654b01d03a5cd3554d8c710b30813ce423e7a80903d127ce54b0d9f31812ec51f5c203c3b1ef3470fd031f60ae8dd9254f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4ed875cd8743f8d322c2df1db723e7a0

SHA1
d2ef2927e2261449767bcd301e902f2040b33623

SHA256
2a11c2ff51b9f67edf6101e1248a8ea49d0dd55fb27770e8ba65bf73e216ae7a

SHA512
56303ea3c9e4d0620cda0b6f0fdca5f605b8285b3d93e70d85d87ad98bcb2bc6233bdb0ff1e4ecd7017019fccab32499f81778e0c7fc7b75038273cf5204903e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1a173079693a878e6c03ea1a891a41e3

SHA1
05309d91c72dace19d7f95144bab6e64603a3e4f

SHA256
39b9f6b26da83cdb20da39897bdf4f6ce50c7a299ffe6a5be1fb1847b2cc5fcf

SHA512
6194c1b946298d0ef3005862ed546553766fac4568910f60772a01174c1cd596eeb4dbda62a300321102c9e44fe03fc518d936fa0ca79cc42f3525fa32ad9db5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
bb9fd8de865772988da447580e0e2fe0

SHA1
3fc9f441408df4d7649a13633fb319f265885f75

SHA256
b6adeb980beb8ba8c4f706441eb646d92a6fae8b9a5a29a367f96aeb5d2290bb

SHA512
d238d32cdf15be82ec692c49d56dad9e058e9ea9815f64b97ed385affd4901c0f42896d3117eb42b35c50c4b3e029201bc16ff7835d53fba48500e39937b303d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
55367ef3bfa99096f8965053c558ba00

SHA1
938140adab3366c9dab141ac98df97a4c8c099b8

SHA256
53a007af546bd323c00db774f7340811925d2743ac59fa1b808dbb6c117170b5

SHA512
f63c6d9b8fa188ffc225147ed251abc35194695f35b0559d3229fccbb9a7de04a7c287eea024871519e6c816e611440ed9ec9c2e34727e13e23f985355762308

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
34df10adc99c19bcd54b4554d412d405

SHA1
84504b8bf32408a357e1543ef4d7b42196ade729

SHA256
307592544a3a09990b64b616b0d100c8d2204ff4ede5ace22950bf500e6ee2e7

SHA512
efa6be2c6027958c986a44810a0f7c41dcfa1f260be23bd486fa38748a31b5514570d95e065ecca5df89db3e250ff791cd8017e07d2799291be65e6e1c4d5894

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
46dfbb5af8241d13cf0361a0adc1d57b

SHA1
803967d8392a2ec93548975cf7580606ab8ee757

SHA256
489e62707585c58145e1886f68eea1f4d0ffe4d5f553363671be941febe83822

SHA512
44e8cc5a06b29ff011c89e2a1a1113d9784d904489c1509db46472ff0f867314889765a56fd1a8ed34e8d86e82d819f07679decc310712ad505d5ed9215b8666

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a53c9b63db1e7ebb869c263c0387ec03

SHA1
cb7f6ca0c88548cc703c7f0cf86f470a526f371b

SHA256
3b23b78ac144f9f811a87107efade9ce52644e67ee79ec452103bc5011322f30

SHA512
82064d8d0691a83b9d7a0f926e3308d2e697094cf3f0efca26179caf98b54d2c54caee80eff02cf629be788c43e12548ece1c8382515e2726d2bd1a0ec69a7d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a6c0a334fc6ff74e6f4a93b4d614789c

SHA1
08592a2394450a55580d11e6a8969300130ad592

SHA256
fdb4c5a16552ffe9239efb8ccd97726e4fc186b3dce22d8d12b543a268648d98

SHA512
7c3e37f3fe48d598af35adb1cb9063f8908ead4eb0973b7d24d6f3f10c66a3ddbe6d5bd85977b676ebf16e6e9e50096b9783bdf8659d3b6c3f2d182e0647db79

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
104dbbefe77268760eb06ff7a5dbc040

SHA1
107a3d546c4d0655934e201a780175fa7da5db70

SHA256
11702b00adf289e9df6f7735e3c5be0b15f49df209384bc12970e5232ee59eb4

SHA512
246bb338e0ddcf595d2b90b269a33299847b2f80a1b5a7bcde7f4150b674d3b429b7896d7729d26f4e1af6a7f66e4430d54a5792d0dfe590aefda66386992327

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
307becfdf1a6a9774951b6f5d0b02de2

SHA1
35d8469219eef34af640f37b9def62d2d11d9393

SHA256
7d61cb26a3dfc7819e5bcece523306564803988d4c8d1643efaf2acc855dbe55

SHA512
66834edf6402cb4000fa4ada2f7c6611601095a17e559c9046464dbd188abcdbf9ffd1d122340c1feaa24f3650ff6325e55d1b2bca3c7713ed9e7fc02b9dccf1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
fc942d74dfcedc72275acdc7b8774d58

SHA1
a24b290b02c2a27714392d5d633aef4ef007a85d

SHA256
0cf9f5c02adb682ab374e32b740da352451bd22d2055034453fda35e413182fd

SHA512
c9fed8a38b6082c7007372a1477a340fb373f85c8f74213c8c4f4c920eef2b34e3b7b321796ccaf8695641549bb8885be03c4198ad8bac21d89f2ebcc408fb8c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a79bcad3682d8fa123a4a74124a62557

SHA1
ee09fde97cc6e4f579494bc3352f2470bc8287ea

SHA256
2477ac2f861cd77fcee58904a4136c4aa880f20b9e6f67932c0c687b4149e445

SHA512
ce17cd78d40c90479083cba0ec18856d0a015d057e63a93754291b20ff123c6e006da65c002195fd4fc2b97287567f43b045e783b9411ae0b054a0502df3e500

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f6a641724921d165c8c366faf612dc66

SHA1
62560689bcb03a0547d88c05eace2993b4911a8d

SHA256
07bb8da51a52750d3986e8823d866712da1b132a200c729c38c52207b03c3920

SHA512
5d1b85ebd7b614256cd0f265d12d3ba7dc313260f126339262cbb9fdabd184681a04bcce40384dca13c5b752822c0db12a9a9fda67d5d8647d9c88cfd3a6d055

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b932ef604cbf1a20f72b5f73b87f9704

SHA1
dd778bbbced064b9b537912b22b7c8889e23e9a3

SHA256
55bf893f57b08b19a12198d2e9472b9ad929fc3c7c48191cbd8e9de18ec96635

SHA512
cdc37d8349db65bf1ad7547a83810d27d3f3ad849ed73dba9c2fa3302a839cdf9c28933c25e98cee36fad3115d13e7a2944f5c5662de1a172dc3d5dbab73c788

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d069e41fc2c91f4aec37a4f9f498c591

SHA1
e4c70bd293488ec88f01830f4f1f08bd7c92d06c

SHA256
602a9a07310f38ee25a1f4f4b6d7d90f8c26462f3319d4bade15c46296d17135

SHA512
999019bdc22f314c4d4e0b7125752756e4597ed29a4fc2e3d1819b8d4363fd2731702d4efd25b03e39e4935a35a4d1182f552ec07060c08a5fe6dd9369f10c01

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3048f75c5d871e4f8ce81fd4f7864517

SHA1
9a1f66845769986bca6eb66dcf3018b42237247f

SHA256
d6a3a322465364cd6c37a28054777b35c7a279373eb8fcbf2e30d9703795522b

SHA512
3839a5717c7f379cc465d36af91d5225f63a093eee0e4baa71b821d3051a7e689a2fddb97a1d30de879828315c0cc5801edec3f7ae8f9aae2b6de4dfc1d7a810

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
25cf0f968c64950c816642c98ab43210

SHA1
24b9b5ab6d3e215500d9da5e9526f34102766f9f

SHA256
ddfa9122cd32537fa1ba843de252a588d87a91b6a55ea537e3e8d1ada1e362ec

SHA512
064a071b4f39ddad816478d753503266894581f2b2a1a9cf50c4aa8df572043f99e7743337eadc4573e2e86b0f3655bdb041b30c6ed71b25c69a605d780c28e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9986c0028686995e57a7a2785c415329

SHA1
6d2681e176015fd6c0e2d2a3ef1f3f7d41d7c848

SHA256
e44076af32bddd69c850534a4a1a141e4b350a821b35febd64b5794af0f36da6

SHA512
b731f4d97b27b2d34c39330eeee1eb5f7ced3201ecf838a0df2817299929d743a72444f0f75a2f6b0372404d56e70890da6a41fdd1eca7a1e84acf8fe1f216c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8d9cefdc8520a810be3cd867df0c980d

SHA1
01ef2f53f9f46b249469ed7fd75392c47ad6b602

SHA256
fe53d5def2feb7660b904033aebcd087a3a2452f3cccb3eb57ae9e04de1370bf

SHA512
09a922c602dafd85475d78cb81bf6237c7a921cfe0b1c4b0753cb2b867fc9f4c1368e7c7ca564799b2729ea2fcac87f6f60b26fbac0bda87cdbace4cbb8f5c02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0f1331b29537165215815953298c44c5

SHA1
391399cd2cf3105809b909b7081a3bebbffd645a

SHA256
3f496fa4f5af5ffb06955e0339907859a417d9c9213b5379717357554601e1f4

SHA512
541cd63e62d4c3794b403133aa7ba8cd68754feb6bd39ace7023c0da680efdeca8f6811ac367777c3dfb296f07624acfba1ff51569eec1757130fc93a9d03b2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
46657b7d869f1d4e3a1e04c862cbda70

SHA1
7f6d25409dd2510b4c65de7b43651be151179e09

SHA256
e051a183a91b88bb2209fa351ad4e71819b59516115c2efc23cc3b89ae554ac3

SHA512
bcb78c75dd715f340d1bbedf3a1c6275aa1462fdfae272d31d6f3575e39276cd1c77ba9e9bfeb37995db465c0300b99beef926be22f42703ff6230556bbae084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3bb2ff4349f29b81e7c0a471960d0436

SHA1
19f57ad654affd1dc3dbd14a0e1ecd4366b38dbd

SHA256
8d5b6b09329393dd5361a9d657b2a681f675764f6356179bccec364f15956ba6

SHA512
08b387080ac15a47c6968fdfae8a0b653c587d71f5299e90ea25f7420b071488fed6efff3442db3f8c0642f2a46ad9a4deab92ceb2693b92cee49385556fc800

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
cc51c5ed58278f454e7b989fce3667a6

SHA1
de8e4185497d2c82221ef29f5d2b49b37355ff1c

SHA256
cfde595e5686043ad7d9f9b5f26fa672f4e1b6c11640c239c643fe187ea324b3

SHA512
dc13491be70c4afa6862c731397d5ff5fe7d9df27f06d7224bb2586d95c40c1596b4c2a60983ab735bc3ff1591b74f7e760334fa894c195d2d7ce6174c923586

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
37b01034e017a5e399949c65014036e3

SHA1
c591d86c9dfe923fb4815aea0ff5b5127b780403

SHA256
6283472768100cbf9e94d0ef9abebaa8e3cb29cbdfae6e05678afba6657ac2c8

SHA512
d7593938ec26c5bd7f9f9ef242e4edca28e91464a5697ff6a1ae3ea8b5ad13275ffd70af3d1401a973c2cf354220114c59518eef926374c869ae4c1c34a9b8c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bd9557754fea4df13915f85174969b36

SHA1
310b518748f4e93811b017acfea71a498a920102

SHA256
958a535cb7facf54229331f1a80b185cb7342a2b89e5185c839e67accafa6536

SHA512
6059b7a39228e4f56d8453f82e84f917f37aa8a4acbabed2fa4995726eab43f4eaee7e2a96f6088d9792059aca57004d100d6b2d4521caffd205e43f1ae9dd2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ddbdb076876a8d5ff1a8bd0e8ebe8e30

SHA1
8087d1868792d41541c7cbf0ec18c6b6592a0555

SHA256
4d9bd7bf51d21b774908a70dec474196f5ff655093bb4bdcd32c74e756b8ce8d

SHA512
4a65fe1aa98c18e3422364210ad376edde699a0c72af745fb0370b1b7d1b4196721ce53acb94a554e06b447cc9e543d5fcbfa85d25cdf8bfc7a61852a8c53088

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9db1c6f4e39b11d5fd60b435405a1fb0

SHA1
65785c8c9fb1c655c6fe4493d69c1cae2fe32a25

SHA256
6859d6f08957cdced7727434fa7565ac4104e4c310b4837bdfd07ac4e88b527b

SHA512
931036e2d453290a7f75d0f12c9cf5856fa43adb3b18325486054276fb2beb081635a8dfa26010be690027fc1822f40293ad87b3c7fc58b47738f562d8f3d157

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9706b7d4a84e9a1be37939b589add223

SHA1
013ace2bf55cf98a1573f7b2a2b54aee2b0c42a5

SHA256
9cfb17806521b08c048f9fb2eb42ddb4cd7730a5cf267fdf624582d6948aebad

SHA512
4b5c5c2387c8714305b68085879c040b5261e5504a81b3ecc7e995da76ad9ce8eacf9f315346f698dcb7b6d4e1c8ee1f12140b0801ced863f75009b2285ef41a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b347f7d3d169e461df0d256c69548655

SHA1
67a75f25e5b4ece19d34ac61a0ad9674d6867941

SHA256
4a347fdb9d19c3b37ad1877fadde647c9dfea29a887ee13ffa37773f6cf7c85d

SHA512
e49a91772e943f6d2aecdf59483c3cf71f5a17189fd8b4cc76e70da3290bdfcdfc8dbcb698f6da692083f55947ea217b1a517df3f647533ef5eed16ba45a8ad9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7f3da62cc2984f3bdebb8b3983c7e792

SHA1
b547cdea9c065bde8da8daea1d2b5d601befa83c

SHA256
29981936a78aac77bdb538bf9677b1c35d9d8a6b00aa62c1ecaed2b28daa0010

SHA512
4b46a69bfbf6835a8999cf7cf7cbfa6e2e6e6dd40159fd2ba488559971b2862422ad6844179dacfcc9eca9e5f5d241ee29c4aedfc8983a1d866317c3df244795

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
40a61535eb07e8d8aa6bd87713099b83

SHA1
856b24d46cf4c9fda92688e7e8c8b2e1de07c910

SHA256
f0c32b4b2c95d45915cd0bd0733e293b9ae1396b6592ad4e5f2c8727de152823

SHA512
b32f6abd6fbaa1cbdf5a0a46b5b78be0349c7242c575f635401e1c64861914d450334a001f7ec2dfa1cc9b74e10d23a41db4f44a62cfb44ec26c8813c6559b49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
92a733d362c8c19f58287f8962ae7f98

SHA1
edfafe111ee471cda52887c32dc4566eec3d375c

SHA256
b4d20ff17f6587be2f2cc7f2f2ce0a926b08995df9430c6ad4b3583ac042b9f3

SHA512
260d89ea7575ed5a01e967d45152004a632d282b74e43004670296cdb5978cc0b0b1243147385dcad631a7874b11ed8346c9869e453d54f5e2970c119ebcedae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
55e63bfec2a6a27693abc263ae6520f3

SHA1
afffbe472a8aff41ee84f68a84785cb2b8aa42c9

SHA256
18d7e01460f6d06ac0922e30e027edebcbf8e6a5864a7348561a5ac140bf0574

SHA512
e6370b1ac0ca32decca54f20cb4c48c92646d48d4eaf31171af538bf2e13b4bf5d98864c801551baedef22ced5b24ee03df428930f3efba7f62379fddc199d6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d830d738c3c23598b859f938db0b34de

SHA1
448652aa799896554351a26626309c525b318200

SHA256
cfdbd3df013fac8edf8b533d9ce398f01e65d7ccba0e3699cdd29e0e4f6d51b3

SHA512
cc7150176f1b1bd5f96305924f27ca390ee442825a06fad8c20777d286b4107d859ef7a5011c8330ab6e361d7f029139b5c4ee3f3385459789a78157beb2c578

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
28b05d1c73525e554ca4145da8244030

SHA1
bee23c5d07011e064b09b966de4f8fec1fc924ca

SHA256
7d68d178062440a8b347084c07e8c99b761f0fe268bc8ec5214dc1676441c76a

SHA512
f297994c174c3201c4d34699b8d4b3fb3ee369d7264f63bf30fb9346b9e605520bd3851184dc538dc08addd144c6bc1151d2be9bb2dcfb79da444444b5ad7161

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
09d733dc9745dd01c6bfdad3c930cf5b

SHA1
e882b764a06f12ed74c9be48268f494fe3858459

SHA256
30e67c3bbcedd99f53b3334243f1f6c91fa8fce5b649f7c54cbab3f9a939916c

SHA512
517a1b02ae69e175c494c1ef9d02f59b467bd100eca31e4a34ff7860778ffb959f9e490b6b5c69b3faaf845f9ad53863b49614467cfa9c14a1693366a0652125

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f37c82c081345db9de70c8d2e2146652

SHA1
d5922b14e4384b8492099f732eb809a7fc89cc86

SHA256
4e9a94f022c2182da5bfa606caa69abea3400c5a40c0632be0fb80080696c2ca

SHA512
29fe1463f5bab7aa1d324c8ec602ef71366cda6766608b22ee07484a0465500109787cc4e56180f1d8b6703e6f345a594d47a700e3963514751bf434608d38d3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
56a1b198f0c47ddaaaba871893d2cae5

SHA1
659e08be414045bc0e32d901a1eda9785121a995

SHA256
9ca46f9126d0e7a53e91cc34eb3ec370153bfe1ba8d9e58fcc8f2be745c82c66

SHA512
8449aa0c3f70e166108e6e82e93eeab63fd417a1f7b7320dca8d5a69ec8216516b287cefcc1616bb6f51c45e63de2b234e9da55b6474e99ca403dffe401c8d12

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
30411178a5388231064e1170bce77a62

SHA1
7828b481c3cd0c4ced32b3da9557990332747672

SHA256
d2e5387190274e35ba1810e45fbd833e7fff0433675814c380ff282da0e59630

SHA512
ce645194de2c02a44788ffcdede512e50bcf0dca50b38c8d0b293c294ebaf3d05190f4351b3dfc423d06b9c5bb959010666fe2350535e50034c5a20968634564

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c3e1a95850b30d2b44b13bf8cd2563ae

SHA1
a3270acd89679cd935e500f0e333995eb56a3ca0

SHA256
029640baa49619329ab48450ab2b867b4fa86b1df4df8d2ff453175bc0e8b29a

SHA512
2bbbff95fb9dce03be5fe09f9176351fb15414cdae21069f3077aa6f3de1624b6bcc87c2e661a298069967484f1448b1f99f0c8d09d163ba408b092346808c6d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
90db11c8e20e1c98500ef0997ac03457

SHA1
cba79853eb1962c55b4e5e0b6a1cb88ff7e2a708

SHA256
c6d2f53d4a4f375e5807df1edfc83c4f0920376d31f3f65d80f65738a3c08a72

SHA512
b4d3a0b111ade67caf732af8646140577b6fa536103458b8fba177d61c5e0c81e6f4647203d6d69756472e0353060ab32e33853fe46dd151c4ef152c0ca144b8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
60e14dc676ebc9b078fc5f89cd16fbc1

SHA1
c1d16a8f42273d9f783d7ef084b2b0e0b2953e14

SHA256
8a108c8cdb1d6d072d8fabf057aa6134e9e4a33f9cad3edd4697068d305db753

SHA512
32a7844e588da315ad9c6bf6c89e0ba8b8f212bb590971d42f92dcf33edaffdc9c37b79a5284198408094f2401d70a6aa947138d8167e3d83b201e55ee204999

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9d9c082df293eafcf7f1fbe1d1b0f063

SHA1
f9729bc90138d9a3f97d3672081694611fca4e32

SHA256
e5f41ab7c2afe3bb830b935f1064804d402da78bd5d640242ef115f23525142e

SHA512
765770fa3385d18f78f7cf4cb5726ab6cf345568095e170744156786dce7a1d51390f278a77f8455cce8a067802e2a8fff98c9f10a8e3805309e86ef3c90b976

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
10f40db01865f9cb32b10e531243c5fd

SHA1
ec351bcc1abfa895d5a9e8e281372726ec5681b7

SHA256
ee29cd72ae1e867beebe92f3ec7294cbcd99d1fc02097928ea88ac01359d88e4

SHA512
d92a720f22f9f650b1ce8e6ee2b5ab23ea08976fece0b1ac8bd7588e43eda5d65b3f8eeab3880833d622b8dda295159dbcaf5bcf59ef2f2bfaf3825d7570fb05

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1e041f9b820ada906ec123119a9e60aa

SHA1
f0c88d2b5fd4f79a8b69394fc64a4ac9beeeb484

SHA256
7923fb9a0c8144d5a21a7b8d26b585403cdb70b7f7b5c5e01c723202242077ca

SHA512
33d298a74d7b4ee35f23aa5fae7810d30efc9ee5c126908a47bfff207807f63347da668c5a16f40ffbc692431048a1c7d4d2b7c402a979704e97a0590b912c14

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
af593b090995f3eb93bc88443a879a55

SHA1
448ed4061f63b2b5c35202802d1cbf8d07aac347

SHA256
fefca41b5a62341e41746ce3ba5b509937efe3dde9c326f1bce1c216d7d592fb

SHA512
bd8fa1cb203a3b1da154bc0caab587f62c4b41f65784804f27d7a09b5d791cf7c627e60adc837b7809a03d20d3027842c8ab38d3d37ac43573469277ac44ba71

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1d79a11e99a50fca7c7bc20026583031

SHA1
479ba884aa7814db30a9d350fcfdf9eee181b032

SHA256
e4c6b2f5d1b0ccaa3aefb952ca3dc9a5c8380add5a6ec8da00b541d61037e609

SHA512
fe4c12aa5a0bc03cebe2c32d6c07f4a21eb77330499cfd31c4aaff2abdd8e681f2c8a185fe737f9340d537894e25b322392e6277443960f16802f2a93c3fc913

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cad37f0dc5385550c7ce33366489146a

SHA1
0cc4284725441ab5e5a7649f7fda8a37a105e905

SHA256
4b08cc9fa3697e63562841d1401c57905a33625432856f6316d7f3aefdd284d7

SHA512
047dd01797341bd21bc0d0f598789c814f08cb65c2fd73925bade376293bdf48f4dfa8217a6d6fecbe80d9a429d52f078a64b12ddc34fe8c0aa22da836ad24a5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
73c21ba897b9de891d577f645dd70d2c

SHA1
fe8cecb6ec5ef17c523f74a1fa9b0fd22126897b

SHA256
65e8c1deb048a09bfd30f59a7dbb53138c28996e4c89e0ad6ba35159a86ecee0

SHA512
3be055c2c13f5b58ec4c3b0cbc0127e82b2d682d172c5d95e6af006aa49945a893734fb6d361f7922b4bec7f1f952a85afa9324709831dd5876b9711d0a96203

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
49c7af08d7350349ec37e3abe102d469

SHA1
b11fb17ad654677da80aca5ef98c0b397f20623d

SHA256
8feb6b26f162b93cff955477e77e43fc3b1cc28491ce121565a87ec78e34d4ea

SHA512
e6800ae0f6d8026887a0eeea255d61134c10393b85bd70b51456eb648f7863e18937d230c86ce1e8c9ee2f8cc9b478fdeb119447e9d64bece4fa8f60874b6b71

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a740389d5f983c85db1c807fc89fe7fb

SHA1
6b3e012aa14bed998d26130396082d8d0ba3832a

SHA256
05974359f51596e64daca4a697a2967dc766d6985efdd58601ffc76e48b89eab

SHA512
d97182bae2b85f5629b3b1e2246042ccdc18ca0bf0a2e987f39d1b47617998c30b3a74a19490c89e9c1d6c04cf5cfd35036b35e3a3a3dc11b7b7c5a6fbcc2b68

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
23df6366fb56a25f9c5ae5cf6dae2230

SHA1
002bebb7f5b6979802d5ba9c47a1e33aa5ffa859

SHA256
9cc77e6c76975444f3b407ceb3ec1cf5bc521e160cfd50c15265adf00941e033

SHA512
e83004b0b89eb6cc0e6de16c9f8a3b93ebc77cfb4ce1430bc1ba11eaf31698cf63ddbdbadb5dca45f89e60b8410919c981e6edfd094a08aba5c1f0a208e50083

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
484b23e42c3ba94f1aac3bfb37dd19e3

SHA1
38320723c669e7e6ad305824b98a168d3e58ac55

SHA256
eb0a1a9d49bbb54b4a5419bad9542c35f94082e962d4da740e60c449e4d4ea47

SHA512
c751f0d5974217e3cc5afa1b7b31452c447a4507bfff2f9ac1a81d43faf594f047030c32f964974bc086e3d6741ec1ca547dbd92cf06a7e262844f49cb3dbecc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
80c3e190acb6e2b5a08e2fcc2a5cff16

SHA1
bd18a5dab531c6225cdf0a00b1016c4af80fe062

SHA256
a4bb5b18ca44c4c967ffcd63d5e3db097fad83352382368247af28b64dca0ebb

SHA512
9cc9ea0707698378d0cf9c1d9e6461d25316dc1e589844cf7faa870d1f455dcdaf762f7c1b216a9ce7718135384867a3b5469db406e370604460a89061de4ed9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
de8bd51d627b41a98d78593bfb1dd9f6

SHA1
e8c5963eac84c415dab20e1fd1995278594e0be6

SHA256
1ff103a73774e808c6409280d014a05a2f27183e0667f51092cc8535c84ea040

SHA512
eead7ffb746a4ca01e76501e8d147a5d14c7cdb71ad6d0e8962df73cb912ba002f4c524b7bfcb8cd7a2facc1738910bc9b733cc27f092531d3c518e924aa716d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4c34ad2f22f8617e4a3e08ac83f3eeab

SHA1
b97c3ac23daade9ad74aaece6d69f300df0699df

SHA256
e78387fd87929455e0cf27d844fa56f975f2dcc900f04e1051428a2019c68fc3

SHA512
ac446fd1c1758a251cba85f8477c92f26c44a48bcd01be7803da0fc8d98969dd37fa0bb27c0cbb8fd3709c564a6a92d2525d12eda2c99a1754b9c7b9a65e706d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
61d5b7be060d30b4bd9e1dfed22d8b9a

SHA1
d857e51e59ea97c45ec0f9a866a65cfefa5fb360

SHA256
ec75dd989daaaad998f3e81b6d7aa6285253a4eb23eab988d794f5966bb10c43

SHA512
e14bb79c20a37d1acfa0f4b4246439f3955fe2b9289be92acd21e686283f42f32cfc4efe6d29877a1d7c3fe569cd3225afb4a229dcd92feea70d775192ea5dd0

Download Submit
memory/452-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/452-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/452-38-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/452-46-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/452-59-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/540-195-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/540-554-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/664-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/664-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/664-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/664-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/664-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/716-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/716-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1196-6-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/1196-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1196-2-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/1196-80-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1196-480-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1336-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1336-453-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1456-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1456-567-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1560-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1560-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1980-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1980-90-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2252-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2252-561-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2520-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2520-259-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2828-181-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2828-56-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2828-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2828-50-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2964-26-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2964-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2964-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2964-33-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2964-32-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3204-260-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3204-566-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3208-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3208-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3208-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3208-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3284-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3284-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4024-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4024-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4116-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4116-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4116-557-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4140-565-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4140-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4184-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4184-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4184-19-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4184-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4184-98-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4216-551-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4216-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4872-562-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4872-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4976-560-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4976-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download