7f6488357df5148ec824fe87757ffb4f6fb0cc5d88b547117e966c8ffc79a6a9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
Size

1.9MB
MD5

70a9c3bcd5f26871fde0dc10af00eeb0
SHA1

fdce18b812fc7d5af3fa65242ed3ae368c48ed51
SHA256

7f6488357df5148ec824fe87757ffb4f6fb0cc5d88b547117e966c8ffc79a6a9
SHA512

be3e66d42b1f2d0cfc4a39b7d2e13849920854f1a5e6ece30310ec6f9d7abf60df337f2e1f2a69d7cc24304ac411e47f554a4e9be1fe27bc83ff3e1463bbe359
SSDEEP

49152:a4Pxw9+ApwXk1QE1RzsEQPaxHN+P4suIRbDv:aD93wXmoKGPHn3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2440	alg.exe
1044	DiagnosticsHub.StandardCollector.Service.exe
2904	fxssvc.exe
772	elevation_service.exe
2536	elevation_service.exe
2284	maintenanceservice.exe
2296	msdtc.exe
3240	OSE.EXE
1012	PerceptionSimulationService.exe
812	perfhost.exe
512	locator.exe
4596	SensorDataService.exe
232	snmptrap.exe
664	spectrum.exe
4904	ssh-agent.exe
532	TieringEngineService.exe
3856	AgentService.exe
4744	vds.exe
2904	vssvc.exe
3696	wbengine.exe
1764	WmiApSrv.exe
4496	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbengine.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\spectrum.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\msiexec.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8be1b6a7234f82a5.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\locator.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\System32\alg.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\vssvc.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8AF88020-77AD-4F36-932C-90EB553F7474}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\java.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfa247e6daa0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000055358e6daa0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000050e90e5daa0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e92c51e6daa0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef09ede5daa0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f600a7e6daa0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dc5abe6daa0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1f99be5daa0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
Token: SeAuditPrivilege	2904	fxssvc.exe
Token: SeRestorePrivilege	532	TieringEngineService.exe
Token: SeManageVolumePrivilege	532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3856	AgentService.exe
Token: SeBackupPrivilege	2904	vssvc.exe
Token: SeRestorePrivilege	2904	vssvc.exe
Token: SeAuditPrivilege	2904	vssvc.exe
Token: SeBackupPrivilege	3696	wbengine.exe
Token: SeRestorePrivilege	3696	wbengine.exe
Token: SeSecurityPrivilege	3696	wbengine.exe
Token: 33	4496	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeDebugPrivilege	4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
Token: SeDebugPrivilege	4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
Token: SeDebugPrivilege	4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
Token: SeDebugPrivilege	4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
Token: SeDebugPrivilege	4644	70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
Token: SeDebugPrivilege	2440	alg.exe
Token: SeDebugPrivilege	2440	alg.exe
Token: SeDebugPrivilege	2440	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 2228	4496	SearchIndexer.exe	112
PID 4496 wrote to memory of 2228	4496	SearchIndexer.exe	112
PID 4496 wrote to memory of 992	4496	SearchIndexer.exe	113
PID 4496 wrote to memory of 992	4496	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\70a9c3bcd5f26871fde0dc10af00eeb0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1520

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2536

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2296

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:812

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:664

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1648

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2228
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ce85c79bb8ac96a922c274d698ffd4a3

SHA1
095b1d7c950e7fe563e6171ae1840e1c5c9c771f

SHA256
1a615395bf72a22487bf4d38e8a1dcae1da11c701b351418087afcf7ae7f38cf

SHA512
4cf181572832862a08fbe5cb5df64ecb168b74fbbcc56ef6b6bdc4eafef14bd97261c1ef9d30a294af5852d0125aa3b3525cf0df076d307552e168851e8316d3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
c54750f78fbf50dd241b2d2044a79dc0

SHA1
9db30a5520c8d785fce1615177831197f2545a68

SHA256
ef63b10659d5af0dbaf2faa65b20d744fa53d04e728e2f843a56f1665fadb57e

SHA512
309867e123c1d8c453af395e98f00b227419a6ab34c24f891dbe6c2016e60e348df51db65f6c074faa9c9eefc6b0cde344cb3536840bd9f60b08252399d28546

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
393e75eb32e020d6b2e69c76ef069b0d

SHA1
f4c4078d144585efc279dd63379c72cc34b617ce

SHA256
b51ca1be0aa3afc6a612dd0af136b017f92ad1dae6a003f0b8603e77477bf652

SHA512
c8d756f4c66f1c02add2ab1c07f0d1b1cd4395cc4071553bb453074e65757074275a612898c398273e7375ad88608005e8898af265cd4c31e2803194b1460f57

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cfa41b78a6a86a71654788f5e3299f58

SHA1
c934478d0fea929725629107f2a68679e62b7499

SHA256
cee08c7ee4a9cffecb63b6a08fe9a57e5fcdf34c401f2e2a042ef27064799aac

SHA512
c9b07f9c45232992d89e1a55d05a1e909a98f4e15a1838cd9501eb8e2223bce4c5c8627f9d9e2f7211a29472e6148a41bfa7678c5f0eeb1be8b15e61df81482b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
edb01a8b0cdf97aa1c75b6f1ae414640

SHA1
cce80d9838c06180649df0986ca945dee508808c

SHA256
bd0811c4fdcab73885c66f7c04fbdf8b2b0f4b70542c7ee7583167d3be19e0b1

SHA512
41f20cb625ae0ca72da45f9eeb95df28a2243553675e22abe9c2d1da64a3c72ab1aced2833a05a79ca6c1414292d46c2a9c1073700b3dd8a52e79d678074679d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d45be68f92e66e22a3dc003a5f4d2efe

SHA1
1cb9768b0459813154811e2eb91c5835d7db2b7c

SHA256
20106c724dae8f080099243845b5d6cf637e629a7260d25e07387dedc5b5f888

SHA512
c9380b0b3ab92e0d132b681c3bd704fe2b64e3ad36a6c76e630c4e2c7d15309804e6f6b6fb6757df58ad7ba9597642790e5b04700123ce65f3159740381ce4be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6bf02526e0ebeb12374f93c44ca2cd7f

SHA1
bf437dc8e9a135a734df4c2ff350591624e57980

SHA256
81f115b0d2edc4cae4414129e88f2e2f3c2db521e9814990fd38a2cc20e3599a

SHA512
4cca1976987c756385f1176a3d6f27e432edf971f2a74dcce0dcfebc58935f9d482771f2819703aad8e808f08885113e7588b1050990ccee688f7a4aaa769edc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
20b5b9b435055c1df32e4ea735dfa9ef

SHA1
d9e150cfc75c951d482f1f106d0d07f77e56a6a8

SHA256
24f5ec5b44afc1e45e40878191697574e27c1d164d2893e95699ade99995750d

SHA512
5f9dac03b9a5ff1b9cb75494d252e5e599dc9a9db1bf0675cf50f787b02730417342220cba2b3dc416f2f71d500ad308aaad360ac4777b415ffce15994bd6348

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c94d2fc200f2abd73336f483ba3d4a69

SHA1
0dc6f192572ac95924849a8bea0685d9e7cbbec6

SHA256
aeb33d4f62a19a03134fc9f331fd7f3d843f47ba59a61a22915a5f92953c3c34

SHA512
4b4c510280358d9cc4d8cf6dd5ce0482cc87150b364be9c9582d0b9ab73d19fae5091c55b9d2f72f51a574a50e06f6fc06c05ea3a1cf70753ba6bd0b9b6b0950

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
142f43371a3bdd00a4040974a2d2789c

SHA1
90a60254de35dcf4f1cc5951e4c5957a5d1d404d

SHA256
e736b1112f3242d9e64b00be9337bb4e536d36f025963222fab68c0771a71d89

SHA512
26f9059f705318981569f0b36fd79823d153d995c29514b0218348fef7e1e9c5b89ddf35744e126657877c33291f2dfdfc73971f720d9e55ed129ecc900889b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e48ad6e1e3721da95e19f19e0e81780a

SHA1
47f2833ca4b0a5860b0e5ab027edb84064dbc4ae

SHA256
eec1007e33ad055168de8316777c6ac4508f236d10aead9f7288b71f2a969a31

SHA512
dd018475479fdf9d72d7a4e2f15312be442a5b53286ae60900a0f53536aad0d465bc07adea770755e0961c818009352b9abe88a79fe00840a1f6b8b4ee56ec57

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8cc89298574163d982b7f2ff24de333c

SHA1
9d9440a7418617dc5820119f3b7f22bb20303970

SHA256
dd3392d37f550fb125d26faed588c156f7feb97d4b426ec0c70e5a71edc687f4

SHA512
4118b2315770e34e2ef444f58f71638f3f8dbb62a8526b3cee766a98b2d7727e2e0b89c4fbf63d8591be3c948d420182db435e3ed6548f0f57af741b5b29d2d4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9cca30dcf686444850a919c180c4b802

SHA1
92124f03d3e463ff814bbcb20f57e5b6b56988f6

SHA256
48a7afc1b57c39834fcf9ff22be9730a5d920dbd3b076cf8504faf8c4bd16e60

SHA512
bdedb622bb58d413526435efaa3f017b860787512bc7a711fde26ad6e23f1b77b9309044884389f9f3319bab051316b99f5c3c7ab94806c167f6ff68242cbf06

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
288faed3f587135bf75df214faabd434

SHA1
d0cdc8b0c1e52cc8f08f355ec895e94b4a1cea65

SHA256
f3f3d69a30be9d5ec02f0f0b4e662efce4ff8f10d35d400251327d5ddd898f01

SHA512
39af57d133d8b43e0c2341d7522c5e8649833c0a584b516b90d54b6c8421e91b48f852d2846b5872b9ddcc64274cf1dd01c6ee139d0bab10e5520d0d3a23ec0c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1eb325dacdf00b1866b1167752407c9a

SHA1
4823f8012b94d81b218734d98b2f939e56125cb7

SHA256
a1fb648c7b9f690a40f3278d83afe4770c682cb7aeca1cbaf39e7987fe0e5ed7

SHA512
8a49809b819fda45a078343e0a9ed4716696c8c34af6d3032e6b14bdd9ab3a5af1146087e4e36808debeb16990e9658cfa259a0d6e3cc2597d4c75a2a4e3787a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
a7358c1c193deadbaff94270785c11c1

SHA1
0309a4ea76f78356a3e479108ff95bc6d55f4946

SHA256
78124877b5a8c72d21776490d2c04dd0882da1af36e01daf0ef9380ce8c7c475

SHA512
4df18491f289912a4622827710e86f0516f934941f852813458cbab7f086fcd61ef40c227773ffd435e7bacccca8e72f2f8b59fde749feffb6454706c1f13a07

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5236b2866365712e56c71a9dee6410a8

SHA1
a906cc945c955a7ebf1cffe954bdd5f65c64e41c

SHA256
38b3c511abd77823083779670d8d6b15da85fb85dc0002bb4dafb3e06caef0f7

SHA512
6550a8d7f822c57adcab5a5dc120b3944be27988c137e4d61814a65aa870b6d0c91a4e737abab4a847efef75aaea6a4d5721836bd2cfa606a57b4970246f5b55

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
f0fbac80ba4012110b1081a45e824b45

SHA1
3e485b975530ef824b03d8ae651163aaa7944e5d

SHA256
5a25db925b774ad61e8977da334725cd58ca70375a04a46e38751019930a4926

SHA512
49135fc73bcec024d1f1cb112142139e93f4cf8b4f6e803b9536ec03e1c7ec94dcefcd5b8bb34a0b921ba7b84f772681d37fe2c848c6d3557ecd219ef386dbc1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
2b16af3d8336d031db0b54e99cb1d688

SHA1
baa8cc788592b8d5bb45ed53dbac468ed2259fa1

SHA256
a13d2eb107068d68fdd3b123515a47eac559f462f26e5648ea891888330c9cea

SHA512
6c5ea9900ff11a2a9ca62ec50c0d00fcfee5bc128a84968eff94543c09cee375fc28f79f61fcd1f31907d88b3a9f9abbad4082d1aa86d18243ebf56bb5821ff1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
432737405aeaeeed6457a689f388d914

SHA1
764c0920807eb9fb6c1d2b1f9517efdec51a615a

SHA256
1e8fe077f7dd5fe0116559b1a83e533eb698b0ee8e37d6ae6a9c429f4779f0f0

SHA512
a8c319884eb1d2e65bffd8db643c2f1b790dc18175c8e483d334a8c3cdcc0bf68c64dc553ae6389a7aa30a0921032d786ae3926cb43f50dd30cc8b8dac2d1603

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
462ec980fd02f47c7bb76d2dd5129414

SHA1
c8b9afc10b397d1d366feec8909566dd560d84a9

SHA256
3387a5f38d3d272dec7c7a9dfe74dd29b535df89e95234ba6c8bbd610c012877

SHA512
d1f8be9a3b6c3077ff517fff565e483091d598e46474be6048d3649b727de70d6db4329c7502b68ef5458ef0fb1182cb69e5c9f6960fcaf5deaf4f71f4df2e56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
fed9971ce54d3c6cf51d9152ae8fa0bf

SHA1
e1839556306c778dbb0a8d416c4e17650c8df679

SHA256
9d79a1a7790af763c76c17014f1c74084a19f91eb1b40c30e89583e5241852fe

SHA512
f1d6c5344f597cdef32c797495c98ca32a1ea6c610f9af91a202a2e9fbc73761b8afab9805712bdd76eda5466ddfdd2a3979211bd1368e23df0933e26121e345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9d146a8eb6254e7e10475fd68dec1ae3

SHA1
dcc6326fb483f378b819d9347af116e9015ffd45

SHA256
65399a8c13dca30a55081f18e81e7421154810cd3692beac82c071cb429026ec

SHA512
dce789c1bc2aaa05f6c2feb10d55b2ab8692df290d6b609d47ae57a54848d6653cf86333b58a97bec44447b90b6456ddd8aa797b4957c44bce822604e01c8451

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9f8ed176403207b89f15bc2a7f69237f

SHA1
36506f00cb8e017dfc7476c5a3a4d277836f7ad9

SHA256
b5cf646e07f7b9d7b0bc948ff428c3d8700bd7c2b52ba112c56236509f704763

SHA512
900f11ccedf02cebc8944e53e2b31d410453c6ba9e593b8c1f48f60190f54362071fed00b1e2f969f0d854565633ea19f063637403b30a9d57f902a9d6e54da7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
14d82b55799de4ab779a51ec4d5b78be

SHA1
679243bdfd841d34d6d2b717ec93128e22850f3f

SHA256
267b23b1f15ae3f8ecc95d8c714a90ae3cbb315c61d670444d8e3d0978749c2b

SHA512
607cf277084be877ed4bd06d78807eaedc9034e6a83c9551fb4323f49bebd810ff379c67735402d65f08083fdd88651c60b2c92b39c48789935e23fbe8bd99a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d3d82b3c2402142ace57abe48531e038

SHA1
381773232a6287a8db7163e41b68cd19745a64d2

SHA256
12b3d537a2ce5a6367ce9f774e575b82fa7224d600049d3ade15298f9ce35265

SHA512
55821b7f8f055ec09fbd6cabeb2e665cbe4460f81d618c8f7d39c0f22b807ae9a7da9b35dbfc65dc98b016916086dd6907780ecc2998d97b0b1ad5861f311c81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
59d509ad997273a2a2120b05a8557692

SHA1
3d94ec1d4c36d4fb905464d277089f16402bc1c8

SHA256
ae815869aa0078eb46c8d3e7297e4cfd1c1bd28e0b27f5010cdb2cbb28ce3727

SHA512
db1dfdad637858608055499818b9a40a5a44e642bcd615074651db60a96423a2cd9f2a445128556bcf618a3d7eae3885eda9d10597c2608d01e5ab828e8957fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
91776da012de9ec470438a03487170b2

SHA1
6c2dec306a7bdfc050fdf3edc08619b491d87cfc

SHA256
567ced35a1c52a04528406bd73c1f7ca20051f5b6b58c05ce52c71b8f55c7c46

SHA512
6bb012d5175ffc72341b51665d85024157c422e31fdc4564ebf7feae755a8d827e7dd9a7a0cee8ce30ff902891d67c896c364819cce1bf1f4e65c53fa760b65e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
493468fb62284d01fe30884f4da4ae7f

SHA1
bb579f8bc15faaa5e0ec62fe93b492af1e8768c0

SHA256
5656537ae9c61042f6e6a30eec7e77f2a7f9d56bc1d195b144d738da62e60106

SHA512
bb25ba6b75a2e4ab95af53d7f8eeb887e44d8838d050714bada3be697a3e343f146a29cc930a971e8d5f85a4735bf69747b3999eab01ac5bb46b1279bad0b789

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c0ecc63138ea634aec1f77bb1296fe86

SHA1
7491990ebafb2c84d6c96a22d5d0caf84e2d7c1b

SHA256
80895eb4f1a69a62d8a0e1e89a2397821c1871a2d90b33e20f9aef4ebd1b86e5

SHA512
b783fb6b126c2fba4f9ce4f2ca73c7b94174c55237acf50d798676ddca1536a8fc4c0ced0e5895a025c11187f2183dc6b1afda242326f7c66035404ff5d99e31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
601d044f1416acd4cb6761b8c342e0e9

SHA1
a834cea8394f95226734b6e7bdd51a1445e99118

SHA256
f597c672d9120ea41febbdb0e1da6239282cf75f5fe9fdba0ffb7dc0e3c8a270

SHA512
9465467880ec593fb2f56d6e2640a630bfb048070d5ebb8fb957d2e5be24e2bc963651d32bca3432559dad3c1732040980fc58b89ad4984f0a445768da714a57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fb925c84cc5cab5a37cb97cb9d8cc21a

SHA1
c11e9694451cd562b365a428c59c65e079b209db

SHA256
f8dd2b24bed171797896ffac7db5fd9e17e6d39640fda788b222cc5889f55788

SHA512
a848cc49a5fb2dfa6530d36f8274fac52c405cec6b3c1fa3498cdcbeba1c526f9e9410a880a060c9bc8529758ac4456e950ff07d29f507b32fc2c92fa824297a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2d3e773fad7180f95669809b73526ff5

SHA1
729c8fb04e8b1d588c45ce3527fb3884c402b307

SHA256
fe6cdba4c17e1829f83e533dabe0160f5155a134d3856fc8aeed966baf88d552

SHA512
8291ae223d783acb650977df05d97faecee45db92062130b63ea4bb694db082959742121fdbdad694d01529f74171bbf04547e49253977ec5f58c63aa030ed4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4316f5c37047fbbfb0f9aaf72360ed3f

SHA1
0577150973a290683c284065f4c786104a00ea72

SHA256
dc9d8f825e74ddc30d67eb2d0792ae902cba9af93efb4b9944f217181de1b1d7

SHA512
7440e3859a6b9bd55b0a1978e986a0cfba172ccc895705a8c10ed5ed45055438db7309b0754ba79c2ea5038debefddec664ea37a8b05b2512cf810ac80842d75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b2b76109c693aefbaaa19386805e7db9

SHA1
7d1ec8bd5ecbaa981960ce08c2dd6f80a054fb68

SHA256
f3bbdd9f6ac5fe10bb7a9f954fd460f83fe6c5c76031f2774e88af00096f6fa5

SHA512
e25e2ebe1193e2d7ab7675c8d9048e55eeed4678f8d6b382adcb77f7c34f09370280807301817e22f09de6fd7f63499b13f7a91a1ac452d3f6055302586314e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c49a170c2df04844e54a634cc4e119a5

SHA1
e85e448d1987967855e4b67aff64c4955344248a

SHA256
8e0f9c23fe2412ab76b2b2893fb62cc1b7ac230e76f645ea4f63525c1878de51

SHA512
e42d8b6d3a0b5ab970c07eb8477f0244e98caa7b7e237f29d86e1d7df13bcbc1c0f5a18dfb41485be6fbf7635fa2c00c09b42f4f2a77ec527866340ccb162a3c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a7157b1b6297b151ceb2e60683de6efa

SHA1
4ab6e8e0fb40f256b5cf0b1539ed1ae3fa22737f

SHA256
2086e1dbc5a2c8732cfde039a277448b81a06e901fbd477395cc1e1933b337c0

SHA512
1bcd3db81e675c6b89665c24fd7d9b81ef4187b7b3d23caea7339b758d363dc8634c4b12001cd5b6d75b40d19c54306c29e63f8a44a4d1b47e12f4bb2565f187

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2f24706ed71a5f225ccc51ecde674fdb

SHA1
b3efa48c7a8688f3ee11792bc432772a4ff9098d

SHA256
1e0ebbb04ef8056f283e1f93c82234b144c2038dc7ad038431c45323bde76714

SHA512
b21b908dfaf1f9ec95168300279586b814d58942714051bac728c8a98bc04b3ed6e94745772bc2f0f0507b642009d4b5f95e6636cb42f4c02ad94855d471ed07

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ad250e71f74b33c9bf4cfe9ae40bbd16

SHA1
d6db66310fadfeba4e3ee6a8b331c88b3370a8cd

SHA256
ba67c3b349866de211babce5ad8d3be55806eed6c23ce406bedf9391906917e7

SHA512
77332accc520ea22d7e8d8bdfaca4604a81fdc17f6b6720f2b2e335e5e01d14298ec0553fc9084731ae076f54365fc8beb6c7a3286be9f830f97bbb8f685ad1f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b82b5462ba282d85d6b45d1d1f69d65e

SHA1
99f27ca99a5df3f50f879d46c23b7877eca033a7

SHA256
21a092840638de283a442e5866090913c2bb23eb974f7197169dc1cd993fdfa3

SHA512
bec7a52801e1aed65a62aeed16db27f8591603844e49863797606cec31e6f219d5c182b4fd9ed307be919ea8123a66fbda500afe61b7a20e7ad29f0f47b30545

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f7ce32a7df1df9dd0e1557bd6903e593

SHA1
e92c82d8917aa5e1d2afd38f00f24e8e9625ec10

SHA256
64603f7cede8d26c70f63bafef8c893d33614d18f814a35d9b0140cd4e67abc9

SHA512
dc37a768f020fb55f8dbe69b5efb5e71ba3df89d559bc509f0a6bc4737a7b6d09700348f5bf0200ca51a8ad807a5f9e70df5352dc24048a40c089178e6c1d27c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2d2877a43c2ec6d5a4987869fd5795bc

SHA1
5f0c73176e5513e0a6dac9a91401d06fa2b8ab4b

SHA256
1e17c6f46794ba1968c9cdd4a2f5fb276c6b88484e0ba5ee078551de3624b21e

SHA512
152cd9bd8902f30e35dd4a83c15d4b74527665ff1000637b5cc0e859243fb84410ce844b592dfeedacfb86c1da1952678a75d8d73c57f38b28a33651661b8dab

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
57cfee3ae3e059efbba997404f1c418f

SHA1
d41e339d41afd52cc5a3388a618d537e2146d133

SHA256
fce197424f120275e241de65a5f88c0be67f1154b6b20e278cfa5b3f818b2b56

SHA512
13c0b6328f9379632e2a54b2e455fc49d763325136c835962d861bb04e52ef8f095e6e2e877df01150ac16ab08f31cefc2e856261d60ea597f49f09439778cf8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
754b28263863480c03329ea3b3e8e805

SHA1
ed92e4f82f49ad86502a240b6ea5ae601af2baa5

SHA256
305883cf48efb1ce8e972ccefa464f50f3cdcc9ed38aea57849e52a7ba1cbee0

SHA512
bbbc1755fea2a85ab684e25e89a42b093efd251479507e78ac782f9dbf1a7d688c74cb684f167201ed6273eb54d436726aa3762eacb8d04b27940afdb33b8d92

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5a7fc464ce3a67670c37a1c509693563

SHA1
34244ef75c32c00e3e783fcd240d8b54edf73091

SHA256
8c5bd7b4d78802671633608f794d6f9e548ff264278044fdd9105cab27b5286c

SHA512
d3b0bfd394485b600c7b10874ef85f6aeae692da3be5fc37184238faf0289953a18e25bf396f573264d30675e6e9c6ed7db02d085c5950fbdfe88a9cba54fdef

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
237b75839a65171a855f2936fbd047d6

SHA1
e88c95cc8cb341bd9875cc8956b725fd7766daac

SHA256
488f2bc39fb5b3756e2b758161338a408b994ac8472ad88e87c60ae3aef99036

SHA512
b7dd11f8a0f3984f6609be8ccc45ac7a2a88378b45cb7493d639675b7eec486e317677cddc789263596f95acdea77a379e196544e84468b7e145004fa0c8247d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d9f9da8c995a5f93cf834693b5c66967

SHA1
9380c8a54c9625f913c948d5e34f89874dbbc4ac

SHA256
31904b6e0f9860300a768bbe1bba8886cd1f4265112aaf48cc2018a868bede90

SHA512
ed65e668dbc78888b364b4f20a9b7cb8307398255945160f98f38f774e5c9af95113d35f97fb0d3fd2b702b1e24b162f30cb73042ae4ac3f5a1650f257f00dcb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8777dcf84c43f8d12348376dbb2d7153

SHA1
97bfc0ce37a8326992efc9124a2df12e97cce207

SHA256
4d5a8da43fea6bb60aa2e1c28bd5701e590bbd93a44c29afaaa8af815c5a51a5

SHA512
df514266d8ba4ee6b65128a52100610a0c2af8babf0a99f9c3b24ef2f61a60cc4710ea9a99d52d48adb3009136021c483809b4fc6e730bd42328025dddc78281

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
96c980d5a570bc7e465b6317a97a6227

SHA1
a1811c93ecd22b8a47934d679adf74ad8cdc93fd

SHA256
8300d33cd1f9e9a06d9cb6d09a5ef4e6353fc90fcda391aabbe8d69ace89e2b6

SHA512
ef62c3470e12f75cb98fd08331cc0ddab96c897bf470c9ed57b879d708b280d84db224aa8a1f710cc79358a6f0264dcb47988b4a1210d4d7e0527fa40cc33422

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
495a19b77346f3b50364e38f7912eea8

SHA1
c23464502a07b74287b37000efb5bcffacb404ed

SHA256
d781097f4d4278993b77768fa2abaae8d28d41c68bbb34f131850308932e87a5

SHA512
73950c8acce6070e4803bc0772842f931f8e29be80d15b8c0b3f369b2cc7ea0b5ced8c51617e32ce8fc387b377c9d3a1287e885e29cef569b32d2979d085b786

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b1de9f1373e69426d0237079dc846082

SHA1
bb4b4bc159291df068bba7e469d88103ca119449

SHA256
ee9dd970bcf7b5128b5e725aedc956d803bcd7f8726e5db20182352149140ac3

SHA512
1f2182f2e0e7b56fc93206ba88fb986c5d117915884c6ce62ef26089eb70a3c3343dc7a055495641d17bfd751f253eb195d2ceb022411878d2d6ea7f93d5d93d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6e1a2d6b4a43fde5b327918c5d3d1af3

SHA1
a25ab431e247122ed40330b17510442220dcc5c0

SHA256
ed269228745cebc2aa44dc565f77a643142fa196bf7d24bc2bfaa53ae6ba63e2

SHA512
c98503913a6aaac74e95fd36c415bb5d40fc06568092564219334378ec39165831f35468b2a7d4e1990df1405e4d78956fd27360283704d9967f6fc76cbd7adb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a5cdcee0341a662cba1b61be70b0a2bf

SHA1
6d3d17a55f38efce422318b3523c367fb81f1c79

SHA256
6b6ede528a563349341df0cfa134889426a67d9fe0bfa02deca57f553d7bbad3

SHA512
df3f6e8ba4dfa3a7fec463dc967d412b8ee45e56268e1688e872b132f21eab19142ba5d52f6a0e7caadfd204cd3bd5c779b2b435d7bd50bab48be27d4070a19b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
999a36ce03cff9e35095d5db24330e81

SHA1
f6b08d2ac94b4ac51cdfd00b57db0fafb3f87fde

SHA256
530f1b7ca2dbfa60bce262bbd2782ead6e4811ea6989e84e5d98c88e0e13988d

SHA512
29951f5ed17eacaa2aab1809ddfd2125e7601d9b1da62ee97afd16d7018c5584fe333f80bfbe4b4afe7eac0240e06211d6201a02ccd01482dbc67c3e9aad9f56

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
22b1cd500fdf199beac6bf9571eb545f

SHA1
aa83b928d0d0bfe2e189813d34237f4edd1c7b36

SHA256
0e38808eaff18595ab05a331cfd7881c713433a6427a2a5f82353b12a33107cd

SHA512
13d258385670049be78186844db2cb53ef4da180ed12ef0b187969dddf16d5d9af13a9654272b8db5c2be3878dc36eb6d42b4b135a87d2cc0f41782c31025c1e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b90ce21db3ca785036447a6f772baea0

SHA1
e13a4003326fdd11ced4a403bd208b115326803f

SHA256
a292a5532421fbfdf5dacd53e1d55cd1989086c5b65f662b45f3e6da337d5f89

SHA512
a5fb7773be6b5aed47e82d871e24f3c548ad9f394521c7fc6ae607902f7ccc73109c1f5029a5679c8d5d2661518bcb70b953ce89256c1c5493e2284df2d0e6cb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
174941a1fc08c8b3e823b0738f58705c

SHA1
eeb571fa949a69c3b4ec89b5d5d833c6ba5afcc1

SHA256
7dd0318c81c1fc95ac2723e17b89db7c031f9452d406729d705c0ed6d47f5e8d

SHA512
796fb91a5076fb719e9a952a9e0a238c90bfe052ef3e3b4541e7315d8b3fac3b2c48d30c95879335c367cf089f4405f4422cd37788d9cc6d142e7c5da6fce48f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
23b84a828bf78f4a480a2a9fa894c08c

SHA1
f16ae29816c230066ffc00caae5b5756600a0c13

SHA256
c15f0871bdce8c3dcf0d56fae21e31963f11e448353617dedd92075e8f17f6f1

SHA512
5b2790d4e8029c8521cd63cf2ca98a9b5bb5e2a5ff8479ab01463e174fc06838ec7ac46c804ed04419565306c5cd8d270d67fa2fd015f1f84b33e9eb0f210606

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ddc93dbff06243ff8aadd25b6fa735cb

SHA1
7c51bb40b597c1bc70ec3474f5ca2c718b4257be

SHA256
8af9ff180a472f56db529504adaca78227bb1d39d722b1f7580cf587b5612568

SHA512
f5c0173ecb5646075e4ba40a19c3c1c3a0f0eaa2f7dc9f30757b32dbd57717feaf9e3f2f756231c494e9664eef05720eaf02c99e24e42a40e0eb9b3b37427d1d

Download Submit
memory/232-204-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/512-202-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/532-209-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/664-205-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/772-50-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/772-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/772-579-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/772-56-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/812-201-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1012-200-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1044-36-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1044-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1044-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1764-584-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1764-270-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2284-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2284-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2284-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2284-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2284-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2296-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2296-90-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2440-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2440-24-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2440-447-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2440-13-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2536-578-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2536-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2536-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2536-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2904-583-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2904-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2904-60-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2904-268-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2904-40-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2904-46-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2904-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3240-199-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3696-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3856-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4496-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4496-585-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4596-203-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4596-576-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-100-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4644-8-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4644-0-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4644-9-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4744-267-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4904-208-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download