3f948155f707c034647a161f25e47e5cb3024784fdc6e00bc9db4666889d8549

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 17:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
Size

1.5MB
MD5

b34b7fddef637dfdf9ec857e8d507ff0
SHA1

62d3db001a175e351c97bf67f53fe5cff419a6f3
SHA256

3f948155f707c034647a161f25e47e5cb3024784fdc6e00bc9db4666889d8549
SHA512

43ecf64f32c32d23f3c59578540b422ddb56de08432a738a0aaf93c954507ec27d5256528103943adbf04d4a99527aa1d048de332c19959c825b4c7e0c55aead
SSDEEP

24576:cK8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:cKgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
920	alg.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
1916	fxssvc.exe
3148	elevation_service.exe
408	elevation_service.exe
5052	maintenanceservice.exe
4824	msdtc.exe
3508	OSE.EXE
208	PerceptionSimulationService.exe
4664	perfhost.exe
2116	locator.exe
3212	SensorDataService.exe
3668	snmptrap.exe
2476	spectrum.exe
4208	ssh-agent.exe
2184	TieringEngineService.exe
1468	AgentService.exe
3608	vds.exe
3784	vssvc.exe
4084	wbengine.exe
1824	WmiApSrv.exe
2804	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc6e4a638beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afb38b133aa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000137a17153aa2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bea259133aa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf1ed4123aa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056bcd1123aa2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002c87f133aa2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002809b143aa2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce81d6123aa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001995ca123aa2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003deb02143aa2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1504	b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1916	fxssvc.exe
Token: SeRestorePrivilege	2184	TieringEngineService.exe
Token: SeManageVolumePrivilege	2184	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1468	AgentService.exe
Token: SeBackupPrivilege	3784	vssvc.exe
Token: SeRestorePrivilege	3784	vssvc.exe
Token: SeAuditPrivilege	3784	vssvc.exe
Token: SeBackupPrivilege	4084	wbengine.exe
Token: SeRestorePrivilege	4084	wbengine.exe
Token: SeSecurityPrivilege	4084	wbengine.exe
Token: 33	2804	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeDebugPrivilege	920	alg.exe
Token: SeDebugPrivilege	920	alg.exe
Token: SeDebugPrivilege	920	alg.exe
Token: SeDebugPrivilege	4284	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 4860	2804	SearchIndexer.exe	115
PID 2804 wrote to memory of 4860	2804	SearchIndexer.exe	115
PID 2804 wrote to memory of 3888	2804	SearchIndexer.exe	116
PID 2804 wrote to memory of 3888	2804	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b34b7fddef637dfdf9ec857e8d507ff0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4824

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2476

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2196

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4860
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1d5e525227bb3785dafb2c7a22d61f0c

SHA1
5d31b3aa9601e639c00930cafd82dcf015438662

SHA256
875bd2841e9c04cc5bbffae84b40eda32aa90d15eb76a30f44d173c103abefd6

SHA512
cfa1e0607a1999163babe370f38c230a63182e80a6b3a8e453eb321a20b7889f59a63f412eb3d25e899a593d85f8c94bada12575287230485a0e2ed51fe74b1a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
8f9223fced171bb3590098d873f7d4cf

SHA1
3e14b46a30201b41858cab750a2796bd7f762e89

SHA256
43c7191673e91b80680d176a99a9012ae83deb0cb3a284460d7e7f7e9a4b71ae

SHA512
d5274d4a9c170bb672503dcd921c9f6e41d4ef0c76a1ca80a627d40e0370bab5fd3f3e0962a06bf6dd63a85c0aee38558bb9fd4fbaa2cab85ac6980b8d4a1d64

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
46414173132547da6501c7df317606ac

SHA1
7445073d96da910a8184bd570cf260f05081c415

SHA256
016def49105f5cd060c5228ef013fca4c44c469e89d4a7f2b3371be498c43b95

SHA512
30bf31dfbcdd6c2ecd99b5942eeacfc84d75e841c5af0922f605fb4d0d9b1b71f851c2766796f28245f438e29fa6458d0a87b0e6c8b626be4b24977b57d91415

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ec0ddf2da36af88f739fa60e57b2d846

SHA1
a1d21cc40aa1bb8cc0b5b583d0efa43726d1f8bd

SHA256
d550d1d00077ed5a972b83eb533978651e9f0aff9a74e37f8a823243e9850362

SHA512
7501a617412fb63ad45b3403f4e7aaa10d4c3eaf58cb5e39af0afcb6c3eaea8f653114b76c666cde23f776e4fa596b889e9d3fed320a2ffb3e4606235fe82cc3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8fe9eb93f4b113d807442082f0c2d06a

SHA1
d57569d41e861582c70e789da2c58a1a4941223d

SHA256
f65f41967001997c724a20a74ee3388652cae36f16748f3b65b2c42bcec65511

SHA512
7968591ed5edf1e9aeac55c1b24309f4155a0ed811d6b6c8f21532799705b4bfc801c6df64d02d35c8e516cc2ec7522cb3c47887e4f3752e0d717a9e50b6ed0a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
93608863336f2445328fa359f12ae2ae

SHA1
4992e80bbd257c69662aba90049b419fddbefc6c

SHA256
f9cbd9ebbbf955201e284fae57d83139fa0603fa47bb38fa9a837fb9a9ea46b7

SHA512
c76c0061f5dd6690782c142506cc3dfa2d68c5c8f79d23ad2aa6c3dc4f90e29b39542c0ab10d6d8837e2d0b6fc33e84a2be4c5ce02592081b64def9e0c3402e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
8cb6e81cc66c14d2d3199472da5caff2

SHA1
067fd47f224cb460ea55b4981a434dc8f9cbfbeb

SHA256
752de0c89da3288563e246e61e330522b805891cdbc364cfec17fdd45fa94032

SHA512
e8a6d980ef933ac5e001ecc0a5ead957f67ecf49299fe8c4d0d482693b5967feb35f0b7c887425d8c9059dbcbd53576a1d1d616f83f25008cf28c11379235979

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
efe8ac5f0c0c24f81ac4520078c24b92

SHA1
0e250af8b22d316a9d893912a8264c93f347c751

SHA256
cca00467e3e201bb7f830f1968fe2892c764f91df6150865c324c289394835e1

SHA512
85695fb03f8dea4205ba1fdf577f2631588fd7cf88695418550d9810779412b4aa6fa72abba59a2c7d9c1b4d122c04b18596987f9ecd2bfeea8a5c5c5bbb015f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
0a58d1b465b51d758bca92ea7ac77e99

SHA1
c9e6781cbe2bb591fab2bb704cf479ab5ddac828

SHA256
db3c2d57869ac661ff9f74f7fefde70a2af362a601930d65b2f950646919f307

SHA512
5230ca1cf586ffeb89a2fca6caf3eeb8a4dab58393705b4de531cf0b9645195663a5fdb6ce961bf6d5fd5fadf85f0e54a18b897a3fe33bd6436160cb60d401f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a21f26ce37711f30aacfbdcba67f3304

SHA1
9c91f5ecd50626576686cc23abd71a766307c431

SHA256
7b52b22c9cda43a1c45090ea0d799ea1dc16a2f7edddeeaa811d3dc0993bd286

SHA512
dbc6a7a807c096236905b455d7530f462e02950354ee8bf516395520fd9dc0d2b81bff9db72e82a575b2f141ec2d22a840793223ecb12b6fac64efd868ca8932

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
1.9MB

MD5
3b287de8dba3872780992f5348a6b5f5

SHA1
cd2a4aa86f74555a8842b7fa63d8db09e4f0d86f

SHA256
57baf23a6a979f16c6619de8b385e1563be3bd65a0d8b4067fc73c22fba480f1

SHA512
41ae4ace7a738cfc20b28a7849c6468dbb45f0b169ad7505bda151e484b849e75145d987e1ae333284342ab67a55015961b175e86f12f7aa094d16f47319a7aa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e6882bd1da3f1b3984b80f7b3f755938

SHA1
d17b0c70414224b6f2ea031eed206529d8a1f0a6

SHA256
855eed44c545503355dcb52653c181994b132f97f114f79f0e7c133f97fd8b1c

SHA512
1e52e7e5c1f24c7792aacba41c9b18ef944250ce796d37804c69aebc719977d93713aa7cc3288ad2ad0043f9565e9101f08cd59e32ab9e2511372e613e32504c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ed8accb456a44c9258acea7bc5995058

SHA1
6c2dca63decd005d78dbe5abd678dee22530eeb6

SHA256
60eff25027bba5e3baf09bdf39b3a8c16a4ea80da0d2d10b0fe3993a93a36d84

SHA512
9942a185994d013aca3195e09f1b4378c61c69289197a2545d835ca0c5bcedefd4aeafd86fadc49efd2cc9a15ea4af4c4f3ebc62fcd3d2f0120246952f171aa5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
b898c2f5e9b88be0c52fc7425aeb6bf7

SHA1
e6a0d2e57eddd634851f2609cf281ee92c0aa446

SHA256
42780b5e238e7f721f99932ba836ba2507af3636103995c6fc64b4cb7e0a1349

SHA512
45f3c53cf0874097ad10e2a4c021fbdf32fda23f2ca27c206292c3bafa790be183d39dfe619d50854c865c77024c180b30d008ab711ae07ac12056a0793933cd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9b0707eb1418cce82809732ca5d7c31c

SHA1
59d8a9cf5ac9a5ffcf97335c1af2825b458a09c7

SHA256
96c5340e3709763f656c173311eac8a2c969d4c75f276193d2f38edf01ec1cfb

SHA512
42f8d1fd0e3247960d563f3e8fe760056fb2413f95f28951d3007114e7b77b342a2c4fff71f7ae8c841bbb597e73a77df2dc4412a561374b715a1f7d831fbab3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2ee152b5f5b1c64328b5d8efe45fdb10

SHA1
8516fd85de480792da2cfedaf4bff627b3b53344

SHA256
91c1ca12665a1a785ca1b7b5cad601f0ee309ee08d83916b03bda4a4c6cca1b1

SHA512
4d167cb1ebb1d8b8b73caa5f9ab2e34fcf19725cc661c497eb8d8acdb95d3f440ac469aaa62397a92195921e2104f30fa9f8377031de3399c885840a6d23caf7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e1c4bcebc600d7cd9e546f74bf46ba2f

SHA1
40d06848d135c4b94b4a7e10a82f98254d6a4a7a

SHA256
827b73174297d5d58415ab2a1f4a49471041a88a5b653055a022bbb47c6b9b54

SHA512
0fd6b4fc1eb0d62266f853a48ecee496f8cec45699a18a39ccf1106f364152d80daf259d3de4477fe1728ed9f533493297f5d99fba7630ace0bb2802b4937398

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e900d332fd40e5d32b2a32ad18e1703b

SHA1
0869fdf66311def283a4869cb0270bceedfcaa49

SHA256
a2a8d4bdaf67932fe80c5fabfa47ce0239cb0670af53682d37662554438d5d0b

SHA512
3b771ca1e519712465609f6b1e935faa39523e5e2d32ee7fa028dede019cce591dd5016817704944cd1cd17a0a140234f2698f5d8f9d982b77e8c97bc5cf2d79

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
478a09df5f821395c99ba2f39c06f3fe

SHA1
a0dab962a3b4d6b19142c050189c8439ab8a3573

SHA256
603c1dfd7a85414ac5a440551659a51e1b0e0385101118d85041a9ae7c14e976

SHA512
e4ba4c2934694f0f110eb6cb441185fece5fa62519e508bf94363a9c0f89b47215671ef706bfa8f23b615c4f660e3a268df4acb565f42a4f8702c300e5011d8b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c6dbb519bcc217087bad7cd0bcb04570

SHA1
37ff0128b5474fc5a861425cc316dbf2c6259bfd

SHA256
74c2677ffe180c11a1a7a3ab8627ff908af41f05bc3863d28e39eb4986ecb1b2

SHA512
b12823a14d9822cfbdf495615fa2a280ad69bc48af202db3d9e6f2946f963027cbf86385b5921654eed6dc338daed2e7f597fbf2e7dcd2a85808b7cb312ebf6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
e2c1d4661730a1f875c1552166d2c109

SHA1
089a0a25b1cf8ea3dbbbcdcc1140413184bab9d8

SHA256
643177c87b78e4a674dd0d820f743c51112ac72d569a7ff24dbd5e702f081c13

SHA512
9f930dff22ec3cfec13bcca58bbeff42d815dfcd70c85a7d23123eaaca7060b2de5f7a16a7f4c1033e1cd6f5b4c7437fc133f62c533068d817b66d616a67a56d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
84adcdb20d09876de70d1c1e2c1a9ab8

SHA1
b8e7fff720beadb4f36acfceacf21562b0d2ac15

SHA256
35b8fc60e26fd48813a23eca549fff8e38829cd4028804be75bb1a445c12603d

SHA512
7e71b8202323bb1216ec9bf780826f0508921c51f4a8829ca9f0aab640e3c9c679b75e7b2bd1e0e257ddbe621b47e0ef73d29e0ccb19f0508fa7f5e303e29e33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
f5c71d6fda4aae3e6576cd9733d8de59

SHA1
19d2bc2ddb25e511b36f00073ed8ba4767877d65

SHA256
138f9c794397dee3f969e624ed45af857f4e2b1fc8f2eba228f57aca33cccd78

SHA512
6c83f853f0df1fa69384d1e2b6d82fef506b50b98c8926718698d1f0b691e616a193f770b513c40c691589a9ce0489b64be3f8086fbd0ad353bdac318ff3d6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b4565eddcc2ab27cd7617c83fb198dbd

SHA1
8a61611b88c025a5152407a861abdfeb0f6fa942

SHA256
b052e838c752a8eb41202ec9514dbdb5d735213bc3b1f240733e570fa6a270f7

SHA512
1048b64799302d481cf118f73922894eb282ac9f740022ab4a112792d0516b48c8f80962f49e10e45b7e2b8b7bf1ad6325b7dec6c7d11a43f0a2c4ce82da79e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
fe648632594cdafa70341903c124e599

SHA1
fa868d98ca1d69c652e43d43a7fb4cdbc10f7218

SHA256
ca3d5f4933b3da827236455106b888c17246651ac66e1c6af66df0b7b668f410

SHA512
c4944d11240b7536a2b6cbc243d1dcbbc71f631cafd97a4377ae12ab0dfac1386f23da19f64202aa77cdb56baa85e6240a2fbb7e3644b29faf4beb6d76ddf965

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
d3cbd3911c7f8f8458faf1e2f7afeb37

SHA1
0af450a3e2d4ec1a5bc8b756c83293df55577ff1

SHA256
a0b42181f88abea44060e7c1d65d9e1cbee5647165cace37de623357458bdea7

SHA512
61b4dba1f07fd253296ace46b51722b0d394c724e7f2168cc7116f3d617e916f58af9fd7ef5fc68f3d560f60217051a968339a557f72267b50de66e8a6ab6c4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
078691d60ed27c7b7f1febfbc91b5919

SHA1
8db8d943e7306d4600a61fbcc84009b8b4a02e7a

SHA256
241b03d23401d49591e750f68e768910bf49561a11048919975c74464451491c

SHA512
203a1c03aca356eea1a10809ec3d68d794186a2cb89b19327d24d5399f697c69d3fcc795a99bccbb501eaf74b176ea9e6f7960cbfb0a6d68e8d79f78ff808f8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
245b27ba2b8737bf38b85793e4b63cf5

SHA1
865ec90a95b1b34942f609a6f75c1338d6dca84e

SHA256
a4ecc7586bcdf9b78f54a45cfdec95d364f221a52e53b7ef7f7288352e0decba

SHA512
7efe961bd0b0f65e96e132a225a97b55dacb2cd5ee0cd88744cff2a8ce67797d3650bacb71efd5313cce87f631a8015902b7f2bf7fb2500d611bea18f35f3768

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
e7604291ebfd256a7b9a3d121eabc2d7

SHA1
b96b2f4da5b9fe9d558f6233869e4f8aba2fc076

SHA256
f4d5ec1fe02d495fb0eb4a10d850f129c88417e197e5087b742f72ecbc217a1a

SHA512
cd5a5cc8f388ff1cd89b46748abe390202d7bdf9e4bb105d1d4444c350d54cf919e035440599154f2e5e19f05d7211969376006ef815b2c652bbd8fe9f774705

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
8a691c772171a0cf461653805bdc70d6

SHA1
90f5d56b320dc43c1d8e5b32941bacb4fcf6d4ba

SHA256
f7dbf117a1884308132698b3367ebb4ed61948e0d7cb92fc96de183adfd1e2e2

SHA512
8e752d83c662045784de3706c226e797397298b80b78c47026a063939dd3b08e60cde1661fa718d7234585d470f9542cf8e8215b32646f2efab0efac5dcdb0be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
8294c3c9a20b2b44e452b24cd305e4ca

SHA1
afb2b8023ddb10cac794cc7ebfb7d3e23fe6bafc

SHA256
6f647e2f77330caefffd32a792ee8d25c2abde83c7317110fc73f04f830f37cf

SHA512
1b642d412635ba2b80e1c47d905eadd7b1fb33330145eed57adb6415e02940b3058e0dd38f3bce906186bb785d6b300bb30a51333b546e46db209ff77342ca0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
123d54f46988e644344041bdff02f12d

SHA1
23048c29b08810deb4d3e16402f2da0131d9c1c5

SHA256
d62f7e85b2351aba88762a398fa546efcabc3fad0e422b12defccb974baf5559

SHA512
03ebaf2ff1d48bdc5b037b3576ffa52e7c3b7a15c3ed849107470ffb40e88530b4a83414120be11ff1de83c01fea2173980d82feb1e71cc69c4430b4fb1cb3ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
0d6a2ad06926b6e80e6d49afbfecd712

SHA1
3f201a1f135148357e8f97e61905ee4186da0a0b

SHA256
0e0f4599086ccee114f6957e78485762cb91ddd4cccb95af2e6a4dfeb2eb95bf

SHA512
4ba7bffefe0938b6fe5aef6c231082d8d015b9bd4e15636b1d161aa3bde67625db75547cb77d9363887e6cb002926ea1046a48635edbe9e9f2f3417200903f64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
9e5316f04935544a34cac4bcd4cdce7e

SHA1
63d73cb22356a207428babf1ab62d4cf52f52e82

SHA256
edc876f9464e9656461eb397d86a2134fe583085742e83784905a9cd8f8fd9d1

SHA512
c28b9bea374c83560412b1ee1fe065442d142ca3d6085184d82b3b100f15cc6ca03daf8a0c938f11ab39987e66c69fc133a649bb65ca55e81789eafca433b6ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
c7cdc7d34dd9217053df9e13d26c1db6

SHA1
633a2f4e4de2685ded7ff32e4ee884682a3bcaac

SHA256
6867875c0d50973c45ba505d43d4c4d0f9167f96ed02635b77d222c598685f42

SHA512
158262db55faca70128c3b9a55fa94ad5091e665ea6e1184ce10324613b21d911c9ce9f0d2aa86ddd58ae7135ded00df17bbeb1e3def27f2fca28d93bc5accce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.1MB

MD5
608ca9b606775c750fec26d5d77a86ee

SHA1
aebaf41a226f391165dd7cff08c9d9620e2fe089

SHA256
55793d71cecb5c9cdd300b8375bdb7ac2f897736aae1cded2276f524ee50036a

SHA512
13eec85cd97879579d871e71de0c54103f6e12e616a8aa7a310c3362e4c8315f86e05f7ca16d366ac9b54fc69fe5aae5b02669ee81571d443ef7a7ba555deb1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
3c76c2e2f73c97749266a0e52a4b5761

SHA1
c73fe1585fa9fcd08cb08538ea0df195ba8a43df

SHA256
ed568207e1c590546bdb53b8479be579227c3b28b8365e2b9d10c0409ff2e319

SHA512
56272f581f2b9db8d5a0de59a68436b6766281a482b995799e77df5a167b934544ec2380d00e667f04626ef63d1aad64a39ef4b376fefef763afecd495e36434

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
837f5349ccea4acdffcf066d923fedda

SHA1
351d351a2e0687305ca8652e1bcfe41fe97c3172

SHA256
40310efafe2c4be401a7eeac8078e502b049735334047424fd6e5a03869b52aa

SHA512
1d42c0692e1da3df75674464e38252bac1e4ddcb289d4f23deb84e8f6b7bf4de43c8aa944e21651922c1911e063d40e6341637a70a422b65eb30216ffe34e7fc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b36cca23289d74f4c632a3b7d6501d69

SHA1
b55544109069a6636409713755e9282c59defd02

SHA256
1f62dadc46bbc1a3df19ab9a9b2a9001af9818d3cd4a88de8416c82f1cc4779e

SHA512
9057fd9dc2e2d5a61ffd01cdb4d53bfdbf4c507a660764e29ff0d5bfaea2ac8e6540517a00002b7ee527c96e7f5fb080d950e9bb4bdbcf0a94c33256f17bab83

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
55567139da4a78efed0a9a32ce690650

SHA1
643a96022a06f4e639b3dbddf9150c65ee0e51b3

SHA256
4d7ed786dbeacffcd122eccad8251a89df61d6a929c7028167140712b1d9f8c3

SHA512
01d9ee19e99814faf71ba18096a19ab3e5d3fb4a1af266e078bb7f06e3ec4fb7ab5aea5ea86e0ca5465a709c1a15ff7e6066cbfd1e5798ed1fea100f6a8f98d1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
44f058f93a30190e289e49519fbfbf83

SHA1
a93c63a3985c854b8d60a152c41c4b29dfc2bb4c

SHA256
6e71d93ee425fb71e69c6b44d32490a0dd26c96c77c92741edb5c121eff34eb3

SHA512
b4ab0c352aa146f26ddb2f218cb7b4da143221e976cc2628ac80d57dcb67d30e2058d51bc25235a3612540b74cb1d576403b9dd171a3a462848eb0be1faa41d7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0fceab96d749f0b2eed26b1eff948262

SHA1
6e974e3850da44b0553bb5534dba07d235b72c3c

SHA256
38fb81d625d41a73da614552001f9fe13e1f95533821d607ef06b0074ca1f8cf

SHA512
c519e6f70c270d69f92f5b71903aa5b3729d7f1cd69d6d96caac0f2c52b40ac46f1917bbf86865277e5046025b49d761404ac5adba7420b0c0ec7f1729ee1542

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b734b9c30cd5505740b82f3df8fe21f1

SHA1
e37da4ed9ad2779bf81a98e5e60724852bae7864

SHA256
57eaddda2e23eac209cef65a64836ea5e0c64e69931e32f5320e775e6aa2d60f

SHA512
732252a7918e8feb3c596c7dbae24cab4d2cd165486916ab4966c7250d365f978f843878da6c639fff9c3c501e70dcfca5e94b961a66772acdbb932acfbba592

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
12897192e2a7f8593143da07353fa979

SHA1
a6d30533db817e140ec2b665d06817d970ca3207

SHA256
35361928cba5630e4ba8f0d7edfd43d28087bffd080f369e2822b8ec96fcd017

SHA512
162a55af14850359d4b73c301bac45c59755c03521c99d4ae6bb5611c21285423259aff3fce664e382266cc8a17336be1356dde841b0492e573bfeb02e197065

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
b834666dad12ab5f1e05177549ad021f

SHA1
2cb5bd43b773b4f500071f81cbed263903fdb6dc

SHA256
5fbe15ca793e9c967956af704dc1baec3c811b86c699887a49e9082659ce0393

SHA512
2ce34801a3f4765834cb3dda11ec365111a566755fa20cba0179b684dd305d02b82489d13f61cb7c1610d3d9731a5774bc6c05305f26967ee3d269cfadab9c41

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6356e47194fbf814bb305ac494180bfc

SHA1
3ef76600cb10eb7b4b511044604df859ddb4ecb1

SHA256
0dd1bd39ddd5f5aa8bdcbac8aa12dc63cf14a15020b36257a1f23951ef9a6ddb

SHA512
c55669e64d3c27629db5efc31393790600e4087a04cfab1b12edda461633c446c8b9de42d6a8b54661ca760cf8c71ce515f1ce22df1bbfa10e33c06476e878b5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d414eb9fe7019b4968e0412309bf1440

SHA1
c1f849eb29408856dcbf1fc564ea5ce99d869bb6

SHA256
891e3f049211f874e54400d0d636bcb592a4c7b59185e846173cc5962030da6e

SHA512
5f34383ca053386a0d3fb5513603622b4ef2a57d103846ed39dd94c5b80905936602f19f9ccce3c926336bd8e2788737b250c1c8198b58cdbfb229d05b91287f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
28145334efdb26a1481f3b16fd29bc2a

SHA1
53983ef64753f60f2ea9b9feacd4d8757389ee61

SHA256
d38a05894caf759c46f8a6e6918e95e3988ba2aff4c8a1fc24e901d72d9d7c1e

SHA512
955d41307b29c52230d1405f642760c1013127db92b57120cac9c306a21155f48acc675feb4eac4fc583a6669fce0dddbd8679727033b0e8339d9b9e66d95e7b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ed1f9a602a0e7222b6e2faf8f88914ea

SHA1
e875f233b73f0d59eacc6e1c32df717cd79c9719

SHA256
45b1bfc1d29f218d966cfe5db62c48e519a04632afbd853667d1a1231b8af10c

SHA512
a30efedbcf98eb8e1beb2d3ea1287ec7f44257be27e44a3831b59028a790747d9e9dc93f9269ea296c6da7574cdffe9659492e28502c00d2bbcf8fcebe728e40

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1e921d8b6446a0067feea31131ff2123

SHA1
3b961e1d77d79fedf4a4c03edc7e7acfcdfe5977

SHA256
a2e4b3c4e751684d2d93d05cd7ca14d00cb6ffba8e4db10be5ec73e680f97840

SHA512
d7573a37e3d3a825b87a0267204cd1ccec22c9066cf96b6fca691b007a71d5cfd380984148b7257ecd2a9dce5249f3cec9d852f9945eadfef895145401a8e44e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
22f97dbc2ff45b254ae50c8160b2a13e

SHA1
4ee56ad7dab038244aa2a5590662cc1b2c553f14

SHA256
1d78fed423a0df09ab24b4be9a439f544468067c75d293d3368efedfbd5f6f84

SHA512
e56537a5035f7ee569b05511fcbdb578a619571012c787279fc985c37609b2640132e95dc7b0bcaab554083f99e2e1ace917a2798042f9bc491b22edf399f51e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0b4205fdcf7592f740bb42e4b4f68b17

SHA1
5c2072d58c513e9dddc8a92c0b9b447ce2c89640

SHA256
dd394993e7ab7c9a9ab00cb7d745b1535f4628fd429a6e6746002423fe0eb491

SHA512
6d5085dd7c3293d443ce2ae273d60f2d58d932d8703f7c470ac2e57616e0732c940c7a4541236a1e747a1945533cfd6b93226bd55ad418b948684fe805ae11b7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
085b73fac516f8a07b7eca7e4e89c1e4

SHA1
0af556d3b15594082656a7415eabd8a675bcd89a

SHA256
b6b573fe6ed7081ef99047a5cfab19326a61f8b24d3f56d1ec605540eb3b2b13

SHA512
9e37d3566ae978e9681babd69fe75309f0eee8427b45d62b1770ba7017d776135827d2143366777b37f562f9d1d6bfa4bf4fb3b562d3b90dee5d009172fb97da

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5855908aac8e23ed9412a4ddd3cc52c6

SHA1
93ffcf5ddec28959ff915b54524798e9b5c81735

SHA256
47e0bf05d387bff44b40feb352de25276e64f5a926de2cf31a99d497f5a9b1b9

SHA512
8b2c73ed64171933c696cb513a491a1608aa033c776db5c5aed676f9c01546e70bfece84b2b9bd8376907e6d6dd730d41baf88e1fe60b3f02312a45e4600ce29

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4b68d9ef9b258b724394e167675103dc

SHA1
7a67410c2032fc96056064fe80cd99535a6defc2

SHA256
51753645dda4901a36c6a5db84872d0030684d216b756dbc8e835a38faee4159

SHA512
b5b517085d8bb3efac9b1269c5269d01366ff901d7e1ffe1e333bc5cb2741c53dabe1488fc29d6582d00d89adb09234bb5f5fa5c30dc2e2da3db9f2824d4fe1a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a624a22f7d14ae201b1bf6b9f6c76c37

SHA1
976b3b19b239f7cd2299d8f5170f159d267db08f

SHA256
1845a30eb32cd8cd60d91c2784097df1e37c18bcda7d712ef974152e42061bc6

SHA512
df7ef9a9502abd8a8394ce0a6abb2576cb5b422c211f2cf44e69ac0cb29432f23cebbe6a1c73917b526dad0e57b80b089631a970919e8d70bac3183f61977cf7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
117eefefe3921deaa3120f95dbf38864

SHA1
1cb7be74d9ca584c96391e64fa912c94bb864739

SHA256
7ac9fea4e9c2a6381a115cb3bff1f9971cf78196a50a8c43908b4a609c43e448

SHA512
f3af0ac644fb2b2fba716804aeed1f4d491a897331fc71ab6eb24bddcb0085bb48bc2eafa795d1005047b846bfcd3057f6b5724f6f732619550297dba4318163

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6fe18804c580d5537f7d2f2fff9112cd

SHA1
2727ddb056962590401199a9e1fc8af5b99f6622

SHA256
f3260c91860278427d1989436b09f43b304d3f37564ee0ee5857aa906f2a6337

SHA512
563dde6cc686af32b4e45eecc141a417c0c05829f62d4de77506e02155e77042956502fcfe6b8563c4f79520fa12c4c8cf57986ed8f1cea5d175faacce757b7d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
c2fb6faff30ca8c619350c572104305b

SHA1
5a343945a85421a10c70d33c724e748f2818391f

SHA256
6193a0fd0ba2a19fd6da4c88e5f20583947732a1275bfe076b174d91662fb8d7

SHA512
fdf87f11b9713c2a364f92175f44b8caccd75c80e6b88a7a8caa39f9efcef56d2a7d7e63aa30fea05bfcd7215da25dabecb1f78d0fc125bf71f95223bb738f14

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
e8d95544aa094754bc5b949d7bce5712

SHA1
febd070c94b7a5b4dbe7af3584bdb16928c2f84e

SHA256
cd52812f6e220a1257c6a602b99ae3d0a1eba59adbfb1112e9229d277764d6a4

SHA512
cee127ed57d065dc7eb1b8ad5e476e77179c787a44eb782b977cbfd797c45142a4925036401f585d7e56ff48717a6af09ba21d7021aacd69ccd13a09d43871e2

Download Submit
memory/208-127-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/408-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/408-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/408-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/408-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/920-12-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/920-21-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/920-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/920-125-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1468-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1468-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1504-1-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/1504-90-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1504-8-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/1504-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1504-512-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/1824-261-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1824-650-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1916-47-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1916-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1916-49-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1916-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1916-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2116-260-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2116-146-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2184-640-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2184-207-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2476-616-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2476-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2804-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2804-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3148-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3148-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3148-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3148-53-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3212-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3212-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3212-639-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3508-225-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3508-114-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3608-643-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3608-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3668-171-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3668-447-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3784-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3784-644-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4084-647-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4084-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4208-636-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4208-196-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4284-26-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4284-35-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4284-32-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4284-126-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4664-248-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4664-137-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4824-91-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4824-97-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4824-210-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5052-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5052-83-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5052-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5052-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5052-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download