9e8d94f0e2e42c276566d82c34a8bbaab12a4dbcf3e8ee8de0d2a6ba7cee84c9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
Size

1.5MB
MD5

d18ec1f976af02ee848b3c810e632750
SHA1

1eead56f2eb872658c2779168b305ff4274dae33
SHA256

9e8d94f0e2e42c276566d82c34a8bbaab12a4dbcf3e8ee8de0d2a6ba7cee84c9
SHA512

0415d3e2517735ad06c2cd2ccaeaa08cc95068ca633c9afd5ff59be52c67ca55fa9438617a5a1aeb7b2c919c6ea86e5f2999c300da9fdd7d5e4d1c2fffce5c63
SSDEEP

24576:uPkMojzaWXFol/j0nTNjx+mZCkt76f/24pN+XNqNG6hditW:QEnaWGmf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4468	alg.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3628	fxssvc.exe
4592	elevation_service.exe
2168	elevation_service.exe
3384	maintenanceservice.exe
1488	msdtc.exe
4640	OSE.EXE
2628	PerceptionSimulationService.exe
4720	perfhost.exe
2084	locator.exe
920	SensorDataService.exe
2944	snmptrap.exe
1532	spectrum.exe
4520	ssh-agent.exe
5064	TieringEngineService.exe
3844	AgentService.exe
1416	vds.exe
3864	vssvc.exe
3796	wbengine.exe
3008	WmiApSrv.exe
4644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9dc8645a92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077c3f4f5cca2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8267ef7cca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004393a7f6cca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b10636f5cca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081e9fbf5cca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000603fccfdcca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000750258f7cca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9748cf7cca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c81768f5cca2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000536279f7cca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014a2edfdcca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1888	d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
Token: SeAuditPrivilege	3628	fxssvc.exe
Token: SeRestorePrivilege	5064	TieringEngineService.exe
Token: SeManageVolumePrivilege	5064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3844	AgentService.exe
Token: SeBackupPrivilege	3864	vssvc.exe
Token: SeRestorePrivilege	3864	vssvc.exe
Token: SeAuditPrivilege	3864	vssvc.exe
Token: SeBackupPrivilege	3796	wbengine.exe
Token: SeRestorePrivilege	3796	wbengine.exe
Token: SeSecurityPrivilege	3796	wbengine.exe
Token: 33	4644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4644	SearchIndexer.exe
Token: SeDebugPrivilege	4468	alg.exe
Token: SeDebugPrivilege	4468	alg.exe
Token: SeDebugPrivilege	4468	alg.exe
Token: SeDebugPrivilege	3272	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4176	4644	SearchIndexer.exe	113
PID 4644 wrote to memory of 4176	4644	SearchIndexer.exe	113
PID 4644 wrote to memory of 952	4644	SearchIndexer.exe	114
PID 4644 wrote to memory of 952	4644	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d18ec1f976af02ee848b3c810e632750_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2560

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2168

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1488

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4176
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
673d6ac3ff827332665a192b251f35ed

SHA1
e3566a010ab4c4a7847e752553d7548c65eafd63

SHA256
ba7984a241fd8912e9775e2b14ef5964cb9de9c8457cac8301d3ea1977364202

SHA512
47c7e227dd0ee0f7d693f5e0b7be74c63989ee9c6d91f8e53647c64c65d8caf3247b20883356a95bd8f4d7ea8469f3f5b4d6e8ab242a6a25c29621d5c4eb0f93

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4b02f5a6ba477f1bbb2c1f26bd965b6c

SHA1
c8ad8a45b678e720fd1c347dadfd9b2e0dc9fe8d

SHA256
2e61c6e113d81d41e7400de6f5ada6b6b88244d80026de824f67c9992a91dfb7

SHA512
1122ece0f105230c40877aed9915b7809bd20db7fb9a81100a96e98dd688a3d0145a9b120d40e9729e49ee9c92d57895dabcc5f13d38fc70f830ab6b7e56470b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6d239f3f333cf6b3493b23f35d3caaa9

SHA1
99541b08251f176eafa01a50ecdee73ceed4649d

SHA256
b7e8bb29d5c3233bcaa314e8dc184e94431d0fb834f462385efbbef45e4ccd92

SHA512
f2b02313703669a3be929793117f3d31df767011be0488e696516679784fd004f3b5f97eef705b783fad87e10935dbb7f64fc7cf4598c635313c66815dd96749

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9b74ad67081eff47779b6236c084c6d3

SHA1
e9b887479834362135e0f17f470dfd797f0b3a45

SHA256
0138ceb063011704544ac3b9dbaf1d6487c57997623fdcf997f00e4e954ac458

SHA512
8f4762ddb9c78d644844d048854623438b174125d487c7704b25ebf71e36191c086f34959231362716142aaae94d6a9b96e9cd5115b676636dab13d89c29381f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3e780f86e3d12b7004b5760e9092c288

SHA1
1f813807c0f1fcb90a320578f7cf54f07cfc0f3a

SHA256
5c01863db35b638de0ebab2232f79e03df6d3d08f1df82501e532e4a8519f4eb

SHA512
b58682a310d613b1edf316eba6c7f9cb83292d6b02d73f6f06297f794fac92cfcc011d539886c5ee051106d2e62f84db0537a8ceb23a4619ecbcee75a23ca91d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
26fd96f9aa467c2853c3a10ae591542d

SHA1
0fb5884b5decc1c7c3b6f14ac5cca4a4222f237d

SHA256
cbd142f1871fb698fe8cc2aa5a76ed7ec1d8fdf887b6db622710f1f9862875ae

SHA512
54bc6866d19bec378d91a643f7e657df3d6da2df7e45849e89356e1b41601d6d4438c7e3e833a073df16bcb8bbcc71297ef211417c5018fdf5e6e410c1fea02a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
11eb3ec85ae7c5d7d30a48d4ba1b60ac

SHA1
b88cc01a62468325f266d839609b8c2d9fd89bcb

SHA256
d1a380b30de7b21d73d0e1ede6633e5690371f189b7349616d6e11926998032e

SHA512
6ab281fe0b9efc1dc30f3b2b94111c56c48aecb7082c420beca249b6be3f3db1aad3c7641414a7ccc554fd0b23c7e0aa9d3bea6a0014ddcceb23487e00c7d781

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9c92bde4797333754adc638f2cf64690

SHA1
56840031e013ce1f9b9ca90b845502a1e8dba76d

SHA256
4efc2b6d64f1c57f02ac4819b20990cdd0bc48ee99d5aac3c30327eaf901d362

SHA512
007bef0f62e356cb45aac92dbbfc152094dc1a8cfd0b9698ef7dade16c91b92bff2f690be75963530d5043d7263e5235784e6eae3b8756d7ef742976fd545f50

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
12f6b99ae7c1c97afe0bf3134050b360

SHA1
8a8ac1f2e4467b854928f76ce10516baf6661f67

SHA256
1bfaeba5e0b18d693a3bcc8b038140a0ec6f036a6d3eda4c758098331678816b

SHA512
75e7fac44690b3f027d54d416883817f2b3e76703e1613350b064e11e213db01b951afcfbff245e55e276ddedec8dee8eed12103e65fd7bc7613c7c8607569f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ea53f765481b9b228fd664641df2317e

SHA1
3929ffabf870fb59cb996d729e9f3769258ecedd

SHA256
692859f64911bff47ba306737534f7ef27da2470507a9162729e49b4bad50da8

SHA512
f1d96a391374d153cb92d5c53da5f1cca92891f4a2faf1e5ff965fc3b7e5cbeb91fb16ed3cd57d48981469ebcf2cda77638669ae3f68615c17c31bc0f002e3b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d0d2ff9899544e93e27d6eae2e0e81b0

SHA1
bb494339ea89841ac0164fabb34d48b0fa797fd3

SHA256
f37c3f48eba16b4a68ec6a5ae822e6d9a1f6d015390b69d44e4b911b8b4f309f

SHA512
c06a751882da0af8c4fe8787ecb65eabdfcbf279b4ccac0f4bd2242fc437c8fb4cdbbfc89ffd88e36a609ff0f1a174e9638425ece14a4974790d7393ceb135f1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
121e72eab50cfca8ab9b9119e051017a

SHA1
e57008888121b7b1f7d97b82d53fe59d17584995

SHA256
f1e51b3d74506d1df3fefe4987c924de0686a6e2bf675a03f2f5a0e700c8a76d

SHA512
5e48988c35b28eb6872cf3c6e6b5ad06bed016f82aa0724977809a9c99191807958c06f87460612697a5515017c5dbf02be2cced662fe5e0cd6efc481fdd5dbb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7fee0d875a1f8a32af283ed07cf61ea0

SHA1
622494f955ea4c54d59b46187381feb85d457cac

SHA256
5b1f5ef0a0e1082a4221cdbcc906c41794d4b4cbbb62952b135ecb345ad820f1

SHA512
54814d26c4af7cc102e945b56cd86705a2a99f0841d0c8a39a26bc3f532792fbf27145438684930cc48401699e5695e674e80b08528dbdb8b32ef72f3323f01f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
822a33be7216372da7bdd3da7f7faa79

SHA1
62f6a24de8157d1b7a92bbda6a5bac15db026609

SHA256
8524fa0becc219d7c498a9e3a07d9e7ec45b53d892d2216e79b9834935e85423

SHA512
bd8893d2a53f09f9501ae3bcd72ecf27b7a9523e532aaf6e1585eec6a3e16dc1dd310d645075bbe1f91cb4cc1e47a9f4ed56bc6e37b302c775fa5c7913cbca97

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8aa7bd01d35eefe6ec619b5c3ff1c3d8

SHA1
961723964e20a1fe3e5b586bd29df41bc2588ec5

SHA256
458b1de0c1708790e79c8a1f13a9e9133f9adcc96f2c94eb1f3bf803496a8807

SHA512
de574b2baa9bf589e113324d14df549c3e3a2c010b1b741ed8f8c6e71c977312892b67f14437274d618b43e42db9e1e76dc999f2ffafeb2a018afa58ee7ac955

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
de1cc2578e091a9d25fefe92d17d7611

SHA1
b809bc3d49906edcac35bd802ee24c2331d9357d

SHA256
1584f5603a20e48df7ae68ab4954ecce645199b3bc0412dffcafb08c48ccc0d8

SHA512
70d57e0f73630423b20d2a512256aa0bbd695b8620dc5abad60a967fb9d811ab2ae40b750b0f00f7604b33f8f889063a14a8e92f9fdcc19acf02ebbb01885c77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
83391bbe47e9529a6347244eb97d2b14

SHA1
d70d002bb924190a32242b207299ee66d93b013c

SHA256
dfc9c0874162e1cc2f336d54895a85b1618df1477581a17551e9e160d505f096

SHA512
1953b54b6509e183c55ead0515224414592c5ab140e39232e36b51d90ee1cf994e4cfffc13a71740898b5125309bcc1e1544a783e20e37dc8cdd70efaf3f92e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e632cd0c20193102fbf5ea699b123c2e

SHA1
9f861463c825aeb0aff80236b15d7371f754655e

SHA256
e70c26f2dcab0d67c36de4c71af9e48d8b4d9c09f3abe32f4fcc33fb6d559b7a

SHA512
cbe383438808405b539eb409b80d007c71176505241bf1ac77c4d41ea50995bf771ba6d737acb83554d8bf6b2aaf85ee6aa308b03214e101549fc58c261decbb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
98665e3b6592199c8655947f346aafa4

SHA1
1d6bc46c5096db08caf7b2f878e60fc84fc654a4

SHA256
6fe45ec5b983c3e8cf990b94fec69bb9f4d098f54486268a39cc44aa3b03ce2c

SHA512
1609ca6c2cb13c8b43aae3f6061d2e7c9f0b05a7255562cf60ee17213d906d83211d5438edc1bf5421650c0b0496b0d907b7bf074093560e9593d2424d92b4e4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
aee889134b2328d6d0bdad2093ca0ae4

SHA1
6b11d1352b370c3dd82887cff2c84de7bff0f83d

SHA256
04bd8e669fa622bba4a27b041555fad6b16baaa486d469cf0c2fbc5e47b95c2f

SHA512
6d7c3b9abc1345276bf94273f6684686a84861697c6aa8ebdf1067a56f12d39434f0dee36ebb4ed645525cbef81b77121cd8c75e5176f4fa35fba46515ff25a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
690bc7645f39a23852c1c9d3a9fb10af

SHA1
92fd3aa25ab88e53fff9099a08504b52eda2585d

SHA256
8a900b6db954e570046bad108f65cd272156bc8dd8d8d6698146c55287bc1d5f

SHA512
2f0a8da4417cd064a12d156f3647173b96997ca1ea386c61870f9f8f14b0c7570f5c4e2d050e1995b14ae46dac5e6856e2455bb2494ad0c6f814dad6c34e4970

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
023c80b7c92aedcaf7e11873da7771b2

SHA1
3ad4d248f3fbea4c00ba594f122978025c8b133e

SHA256
d6ab39ccc569cae0c5301861acd257a78b09311be2cf40db806da40791fdca02

SHA512
08d4dc1d0327799c435b869c9724dc42b25ade8a7020b60aa66bd4ae2ea8c56b52dfacdbb102835d27ea00ce13c094722282e891c8cc59bb2984e15d25d8e5f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a3ce855315147e30f825de6859761398

SHA1
694d3b4c6936741f8cdd01dc254d449485751dae

SHA256
5962e7f1e9457e71ef264137166524c5e0361464e979f8ae5fd962d6e6483612

SHA512
d51c8a17d0c94049d5887dd7560884e88556806e47031290de52a237ba540187bafa73f6ac9275ab0b4c856996f29d90d0ae1779aa7c85eb3a242df3a389eff3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
854ce28653c08186497ef503b6728b06

SHA1
5d40229c33ca17fba405149c842143ebf9900106

SHA256
5f4b6c7082b13ae6de66c33dbc32743d6af8914db3afb71867b55bfbd3e115b3

SHA512
ab43b839501f7db7b36495ad46e2f700790fb587a0a88cc1e49cc6b000f028ec4ab9124f9480f87b0a7843c7338c718f564a223eb3833eda65d28c83d83ba5d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e4bd677ce54ea10daa9d5d528ccff4e4

SHA1
de362253743768387f2fe4d3bb4fca0664478aab

SHA256
6a42742ddb1f6d8df90ec61b64b716cbc7b1d8225ad1fff45d054cef2dd899f0

SHA512
592a0d0b9813204647d18c5bd6047879d1f5cbf3dcb926f8815df4ba33d2de0a3cf31b7783769a8307488b94af95ac742a7fb641e99d3ff56d0a0d39c70357bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7ff526cb3df28e271925d9e76cdbccad

SHA1
2c76f834028c1a9b651fc02b5ea5bff660a6fa68

SHA256
686b2a85a9b98a75fafd2d15d9ba40484919ef95938e846a3eb208e5e51f3f30

SHA512
66e1289f0722bd504cb402998177ed02371262e2df6be63ca322f89c5833c8721515ab0fdfbfbe6c860404be4fb0c672ff17a9ce751fe03e8017362f290c253e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
0780fd3bc49950f23f1ab144c47f97e8

SHA1
423244e8fa6c3434ca66690b76db01901650495b

SHA256
7bbd0a2935d4651fe1c683b5e2c66d7fc83543f8556b6f2da8bcefad2d780297

SHA512
aa894c04f480a11e7c93f165d093f0264200dceccaa741dcec7e6c777551ee2463e71feeb5d697f1d3db9ba3a545e48fb44547315400e3bec4057db10b595f53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
a14b5dc2725daf7ece816c97395f0790

SHA1
60d4d3342ac96dafb8006d69fed6be8e73035667

SHA256
1debfcb9e63ac2e102dfdd9a148e8bed05f0ecc0cbd2d6f18ae7adf2f867cc3a

SHA512
733472d559dfd5efc07400d4c8c82da070c0d34eb2f22736323da66fad84b2a5ef3fb374aa3ac0c9265392a2690abbf949ca14f222f3e8c59367129c53fc6676

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d1c81c27d36d0a97fe6415309cfcf5aa

SHA1
4964452d1af19328416d95b40e493c6e1ec93c3d

SHA256
259863653e708f0d04e21d73eefe459e733fe6bb6e1c01bc97207e267c189199

SHA512
e30c2f03c6f2fc9f85f61b4874c52e9e4104aff863c62dad165d69510197c2054c524124555758a4d3e40fd4405084a5dc42dbf17ea7eeff6b643aa4b5ce78af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
00606331adaf11fab74ca56d451b3711

SHA1
2c02442d4e83dc03d2b5d3e65774957c5540cff7

SHA256
c9da9cf2869b1675c19ad4f06d1ba58c98a7fd5a5c77ffd3ff8a7879b4d6eaec

SHA512
1ae4507a56762f69011129a5659cf1a51fa0d90c3de64e9a8278c7aa55926ec27c0e503eae560ced97e6ff5ee2943665cca3e6737b62842d2dd1b4a731444968

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5cde9be3afcd9ca56787b3e291d24cd2

SHA1
1251bf489420a583483012edbb520567ade02bda

SHA256
097cd941009d082978e550935df7e82ff839d3954aee2c9da2bf364000e3aeac

SHA512
703fe84917148676375054d91d5ca4aa9e9fb32c2cdd02dc02d67fc86c7ea45f9d4c53b5f16fe5bb3c2b74f3e04cfacdac18ed37ebd131898d8cc30db1d3ea47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c3856ff057477c98010e972e8d220034

SHA1
c962c32dc2878eca08f4a962b54c72f2e5002ca2

SHA256
f49589c3a2e540135b910fcfff4594224eb847dff40d1b2962ca49de1f44eb10

SHA512
0fb6b49254cbf5bf63e722e2271b38822427dc6ea954410f2418292af1e0db48392cad082c4019b2238df58f1701671abd51b35ffb552ed06a9e12d227be291b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d2605f1cec635427d9c0ff28f237a240

SHA1
c0a1e3fdb85f8214b3f26671e8303b2f6c96eb36

SHA256
7329340e3b02c5e7d27406aa699af0bc656cda27e1ceda17d57016ec63bae39b

SHA512
8319e88619d850b629d4938a02a41ca6db1706157fdca744249a44661f2b639d476d7747eaa89f8b92476abd85394a430acd64186fe8c02f40dbe3daae63df51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
0b7f0114fdffb40f0de3552564c2b03a

SHA1
42b675cf00d3a2255178e9689c36c69145124b1b

SHA256
833c12c6c15a7f1903389b229b28b80d3f1515f4dd193a88f6189b94557c06fb

SHA512
938335019f61f33cd02f46a418e6224d59253ca5ce62aa8504a4b40572e10d50be38df6be2b5db308a143fa19d6a86fad7497977be3bdf6c5e53d543a4737880

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
de6d23bbf8fccaa8038f8c9d27be1369

SHA1
8a29b0c1ae7b223174c1e2e17da8fcba40eef331

SHA256
b5858a44554dd8890358d05327c2aa8a2d112bfa5fe28185eb3eb31112d71656

SHA512
b68e12589f639225cb170b7d0b431323946878972019cd2769a697aeda4b380a5b4db88183dcaf1990afd53bad89ab5f03e0798dcd7facefe8ac3cb437fe296c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
075cd9303d9d72a4c88bee12daa50c41

SHA1
b97625dc8ee61def039fa385f3ba8d077891dde4

SHA256
69126bf0982943bba32cf8ad8b467bd9a7e70e2f202f53aa6f62ec00af6d1af6

SHA512
9b89fe156c93f01f9ea635b7ec65b3696dd045effc657fa826411e7b351558cf031e2488c1880120782efb364785430b5bf58e329a63a20c6d52d5cab47d8142

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
979b0abea9f0f31f3938929305ae6265

SHA1
b65c6fdecd788c1207f89b89ff373776896dfca0

SHA256
6a5b616473682dfe2d73a4f421ef14fd90f1a6d627202936c419748a08bd9d67

SHA512
5511b3ca3e0c21a0f05305d7045e13dcd056ce70bb6a9fb7441ab99a3967705d24cd3bb9fca7b2fc7f0eb75cf98caac4f4e7af737337080058f25c742a895ddf

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
18395b6f2eb0dcf1ff6575b3004819c8

SHA1
d090cb881b7d228fb9694039cbdc040e17bf84f8

SHA256
f8d0fe8d6e61b2e7e3b5d6aafb64acaf0a161914b429d9bd5712b2d7152a3d27

SHA512
083dcddb9e95ce8af1f674cb5f67062d2982fd456ee7f39d36ab859762770b181eb95a9192acd61b6cbb273ca4892ee0946e8f1758090c8db9abfe56f78891da

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8a14bce06e95edda3b8ef22da3ee118f

SHA1
2e9f2b7411197fd94363fdacdd4af98a0d26caf0

SHA256
49d6f2a2e9df259f807b4b3869372f4285a624be0a04261369ae8bb7e6f6f252

SHA512
a631aaf6ddbf6068b9787e3737860824a553bb3f388a3dd612976e98b304b4691ec8d3a0c8784ceddde577ecc310c2a8fd07454133311866406d4ec6c557eed5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2b1688a90b812c2423ba94a44c9bfe22

SHA1
a5f03a650bdc8e222c7178b16ba793241855bf75

SHA256
15f38c385fbd5092cc06a93d766bf09a3b2e6ab85405db52677b81ef3c5fa75b

SHA512
069851defd0f1ddd69998024df4936b52e8c56c47b8814f347ed2d023b0bdf97698da14f76ffcdb7db55ba3ab565f314a39fcfaf5e7842d026bd043621dce798

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fd73e5754132aaee2b8eb2bda200fa25

SHA1
176e439f34be32580ec58c6067eb52abdf67228e

SHA256
d56f14a44a98aa47c05a85081300788d485a3c424dfa83beb7be094df8639df0

SHA512
af5605ea9f21214fa9f672edc83d3c3a1b4b9eacc526f023915280040752662cfd3da7e99afa28ba134e86bd8c9e942a8782f2bb5b72c4e19ee8e7dc77042fcd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
43b2ce1f7ee60ecc0c17bebd39802b2b

SHA1
11c1675256c65486af50153b111fe3daaf17fbef

SHA256
02a26cb67f592ca497f8ee8e3a057227690f64046dfb6526def7f8e26324d22a

SHA512
223c04621e4c4be3f7992d1924f4ff4b61ca15d3be15ccd1ae4f30aada009f9dd3500cc82c3ab85a1f6340517b3ca40f1919dfd7549c12fbc0ecf5b154bb78c6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
be119b0d18a86fc35ccf1ccab41907bc

SHA1
eee359fe72e3f1000e885e729527943fb7162e1b

SHA256
3af4a7cf87d09698589e94d0dd599bcdbda2ceb8a363925f6f8e63d0ad000aaf

SHA512
238dfe7e62007e077b732913fa5d81a9ed5ae46911708d23f39b531e343650f6275b1950f138231ffe0ad3c0fce14d18fea01eb5b98b295cac71bb73c80b9592

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5795ab18cb6bb0841b7abb15ded54909

SHA1
ac59618ca3f1aa61046554ced40c88d6041c4f8b

SHA256
27b8224108426b3d049557e98a47303c33222ab07beb3dfa17b14e6149c21829

SHA512
74860cefb4a95dc0dae0d3a93e4a6b7139e58eac61f3e9f496da6e65fc1a7c3b4d5a2fc6c59407d35c303b24648ed28628cba02823414d8dae67fc648265b032

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
90b1892b0029789619323aa1470a5e26

SHA1
3dccaf739fdf3befa5a8ca5ce64191e421ebbde3

SHA256
113906c99ef02ccfa02cde27582239d6dbff28457e0aa96f4ce4e2bfadcb65bb

SHA512
ca27df237c1987c378c364569e8e6ce2982bcaeaf2927398c29dbe6c0ece5a9e38879782978d0d43fd29019b4617e4ca16b7bf5057d2bffb3da8ecbe17fd364a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b0535260a463b0f4eb58cf04f2112ec5

SHA1
d3a568aacb3ee5ad8d5e7b67adc0894581a55e26

SHA256
70887d2f41275758dfbb71fb51b7d1cbf200bcfaa7f118bc52e5815958d5a4b1

SHA512
1bd191c3b6a513d4a0374e9d08a407ea38573ea4d9727fad30f71172f4303f96c3ef330fb18a80d995460062c0d287bb87823e00e5b5027faec920ec28fdbb33

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
64e71565b4799c52ccf9f0cf2be3ecd0

SHA1
8b3ab80723cc3922a1d15ea2991385f2aaf148ce

SHA256
2391b2b432a2ac07e17a81e074e053c92fc3ae1e2b4bfb2f43ff5e7dec9aa17d

SHA512
37baa1d1ff6b5ad893abe7d04683feb3845a8b76f3490632f27dddb1f7d008b490568b3626387cce629fe0e47e989946e16c04b7b273c267fafc590f00d8e979

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
76ee211f02554bcd195b042caa6e35a9

SHA1
da172f85963f8eb046986775e9c45174613bcf0a

SHA256
9dfd84ecf70852e5556aa113bd244b5663e38daa3a98b3bf17b486c3852721db

SHA512
2fc5729cb3403c0b43e1ed497668a070001b2eb9d10734656e8494e049b4e2d1b1fb018ec52d639d255745078bf200356a8848828d817e14a4664a28cf32ce74

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c172b30cf56cacf4ee674290482fe3f1

SHA1
5ac6289f85f1b315ad757dff50c884300c1775d9

SHA256
8c7d0bcab2d9474c821925c29d9dd59896f1e26ca99ffde2ac1ef3ff62ea4279

SHA512
4a38f402723e2344e608a677ae6b831f68f9b5d10fbed87805356e2dc2a041d4029b87a7bcd756773908507c3320bebf32c12186ede00708b41dea30f4da496b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
40672c395e1148930df549b39543b2e2

SHA1
7a15fc929fd952003e01725d669462958be50ebd

SHA256
330976e093b068ea017462bc08086c1ff344dc84dfa3d7e4f3c1bde65c581f86

SHA512
70c2e6c8afe80c1e5ee628dfe053d4bdd153917244fbcd889cc93b0c00fa9b25f1d1a6a759e62054fa5c7fd9b0f5328efbd824dbde305c7781a475252ea5da9b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
79686aaef451a94ac1c9239b5bbd5368

SHA1
331e997dd307cf1dbb5760b3b180e5234ddbcfff

SHA256
8d57b1d1185fdd954aff5ec897532509dafc8b387931145edc89b682c7dd9b95

SHA512
c3c5200729a33c5303256e6d3dfad5ad202627cfe6f39d683c041bfa01db4a56fa82e15d259796978cb9d07be323d59e30ce1ce43b3cefd35b0d495dd753c11b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
fdf05d5a3603719f7de1483d1616f209

SHA1
e9bec52a93e4a992ee66fc0ac2413524dab4a3a0

SHA256
dd3f88631e3aed9e8d5dc67c8e4c739b887e3fd26fc2831b38fbac08e1a5cb10

SHA512
8517768936865846299dd8d51c71e449009814244b7d99783b4ebd6b59eee4c481661ab303229003be76e5c8274dd5e29682cf85f59c8b387dd1f7cb8eef5c97

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
795408fdb8faa62b67b93928b928e0e6

SHA1
919a0e8e60504d0c036de366e374bbaf40d85209

SHA256
d61396dacd98ae2da4224c590f3b89846856907d493482ff3e2b3a4e3b157639

SHA512
b9729a628b420d573a8c2cf4c89182bb5373e39a3b0a1f6d80f883ff79f95ce61d0f4645cde8c8850d57c1c7ac8ffaf1888e9795af2f09722c848042b6c9ba2b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
edfe594d196636649d740d787eaa28a9

SHA1
8bebde040217560da0be6bcadf7129e37bd0da6b

SHA256
8a24e2cad8577db33cf777018140779e7708bcce254d367a19fa4359b1b361ca

SHA512
6ff590c799410105d50e78c19f89dcb1e06a50a1c1eafe7891b4453002c272d72edd62e881eb2bc775f881b8c5e2853b63933ec5b50ee38c321c2758050011fb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cae8d410169fb6d716463b6537f89bcb

SHA1
94d571c53138da6f0a131b8ea47ba700b67c9ab7

SHA256
40bab61647624b950bd4705689afc082b08c8fa3796591d55c171585273121a8

SHA512
e1590b9ad7e1763cea48dee305b3c28307f4ca2c9b746bca9d3a6ad6c64cb93669aae437453701b96fa95fe9ae8cd3e2f395287cca6d46d229da212cafe58c95

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9183e35ff66597c0eba2e4a6143f044f

SHA1
9bb4235b0ffbcf32e55e517d828a65294def582d

SHA256
5f09d1db1b53a5d9f041378b2f63073249444635fd46b036c911c4aac3b03863

SHA512
7484ecf54d573a605c6ae233c3cb30b993424e2a597b7345426d246349f27e003cfe70d5ba824af49a15838b4b3101c649e13d6f94aa2c70d521d10f04c2f0ff

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
64a46bc6acf276cfa9823fa44a4862db

SHA1
8354fbff7fd8b4d2a2818548c3943e4709da4cb5

SHA256
b38f64eaaa1ecf0310238a170f9653df4e0cbd607c1e78a73bcb62382c7bc31c

SHA512
9372c632b618890a08c295f74846b1c4c26d3aa96a2eb3f5e9baffbeecf85e30c0dbba3c8db4382123ea5374a2158526dffa56ad08a3d90825ce3bce48d61247

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
69cc2648c45d227b7bf0d1032645a92a

SHA1
76e008cb6cda627944d5e980998e84749575398d

SHA256
96adf7aa85a48c91c6dea4fbcf05bb4ff8b24206b231dab71019b39d236ff8d4

SHA512
144e24e24b677c5118b4b47e6c3e625ea63e075894289451dfb79033912b1a7fce17d4b439be9bd27d7e58175eed8e85fb42fb8b3cc587f7df0d011e610190c4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6b98612e11288420d61a4473540e1279

SHA1
f18200ac3e811b20d57648a760fd1e252f466671

SHA256
087daefc6ddfa58e795c9c7b99bf9f3b411ee49b1c386c82797d84b8a4412b68

SHA512
6c13fdddc46a36c81b9d44a895bc91458df1071ade22c44d927c20edf143c0833b30a002f6eb355aaae3077a7f293e8a73e0b383805de5c0799f0c8561950f09

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
15a894e449494f3959e9aa2f7889a1f7

SHA1
504600b0cf0ab871adfa7b96507c7517f4f62af3

SHA256
480ddb550b99f39ede906b91970cf7c8e6f16a3d85f189b2a80ae2db0566f8c2

SHA512
9df24dbf67f293d6ef5ca0c4cfadf663040086bf1a519196e7a15fda42ea5a059f829702813f5d5188295f8d563eeabdadf66ebbd364e8969e7443921abdc96d

Download Submit
memory/920-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/920-550-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/920-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1416-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1416-553-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1488-210-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1488-91-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1488-90-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1532-513-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1532-169-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1888-6-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/1888-2-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/1888-435-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/1888-0-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/1888-89-0x0000000000400000-0x0000000000641000-memory.dmp

Filesize
2.3MB

Download
memory/2084-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2084-261-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2168-67-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2168-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2168-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2168-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2628-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2628-238-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2944-407-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2944-163-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3008-262-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3008-558-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3272-31-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3272-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3272-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3272-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3272-130-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3384-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3384-84-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3384-75-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3384-81-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3384-74-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3628-46-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3628-37-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3628-59-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3628-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3628-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3796-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3796-557-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3844-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3844-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3864-554-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3864-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4468-113-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4468-20-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4468-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4468-11-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4520-551-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4520-180-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4592-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4592-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4592-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4592-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4640-114-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4640-225-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4644-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4644-559-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4720-139-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5064-552-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5064-191-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download