d9c3bce5105d57839a69c2dad87d51b01524cf6e807dab2b1d0c0c907d097bb2

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
Size

648KB
MD5

882ba15bf33b47eaeca1855ca2288fe0
SHA1

75a1baf4f9cac0d14e9ecc45faa61adaa5278b71
SHA256

d9c3bce5105d57839a69c2dad87d51b01524cf6e807dab2b1d0c0c907d097bb2
SHA512

f5ee6d77926039ee31d56e3aaab44dd13aa96d754b001bb9f1ccacf4fd4b6894dd122a63edc6ce723a4c7834d9afc16ea5a0d33353b723cc673a2d986dad1af0
SSDEEP

12288:iqz2DWUgV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMsmn:Lz2DWdVg9N9JMlDlfjRiVuVsWt5MJMsm

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4336	alg.exe
3052	DiagnosticsHub.StandardCollector.Service.exe
4368	fxssvc.exe
3820	elevation_service.exe
4620	elevation_service.exe
848	maintenanceservice.exe
2748	msdtc.exe
1516	OSE.EXE
3540	PerceptionSimulationService.exe
4080	perfhost.exe
3424	locator.exe
1108	SensorDataService.exe
2440	snmptrap.exe
1028	spectrum.exe
2924	ssh-agent.exe
3376	TieringEngineService.exe
4104	AgentService.exe
3180	vds.exe
3488	vssvc.exe
1532	wbengine.exe
4652	WmiApSrv.exe
1076	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eb074c42e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052448cd663a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009511bd763a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043b4fed663a3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010da43d763a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003bad99d763a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000779e48d763a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e3b46d763a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000143e27d763a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000481c85d663a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3052	DiagnosticsHub.StandardCollector.Service.exe
3052	DiagnosticsHub.StandardCollector.Service.exe
3052	DiagnosticsHub.StandardCollector.Service.exe
3052	DiagnosticsHub.StandardCollector.Service.exe
3052	DiagnosticsHub.StandardCollector.Service.exe
3052	DiagnosticsHub.StandardCollector.Service.exe
3052	DiagnosticsHub.StandardCollector.Service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe
3820	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4312	882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
Token: SeAuditPrivilege	4368	fxssvc.exe
Token: SeRestorePrivilege	3376	TieringEngineService.exe
Token: SeManageVolumePrivilege	3376	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4104	AgentService.exe
Token: SeBackupPrivilege	1532	wbengine.exe
Token: SeRestorePrivilege	1532	wbengine.exe
Token: SeSecurityPrivilege	1532	wbengine.exe
Token: SeBackupPrivilege	3488	vssvc.exe
Token: SeRestorePrivilege	3488	vssvc.exe
Token: SeAuditPrivilege	3488	vssvc.exe
Token: 33	1076	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1076	SearchIndexer.exe
Token: SeDebugPrivilege	3052	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3820	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4920	1076	SearchIndexer.exe	112
PID 1076 wrote to memory of 4920	1076	SearchIndexer.exe	112
PID 1076 wrote to memory of 3912	1076	SearchIndexer.exe	115
PID 1076 wrote to memory of 3912	1076	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\882ba15bf33b47eaeca1855ca2288fe0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4620

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2748

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2524

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4920
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f9e3f6a6b23ca4e8f1087d366007c560

SHA1
9ab7557143bd8262e5a3f2ff48ed0596d2522bc6

SHA256
0166cdde0c55ba4cbafe3fb70fec1d8d904f98be7f65d31c12895f0ac1d0d57d

SHA512
657489c82fa32bb9f9318a31c42cb95b47135177bc8ee6ac89b4e3958ba8490f4e6e970726cae0292b10a98a70dc1a8eeba691fa0ab9d6b18a1c21350dfe950e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0214417211057975f4d39c490661b251

SHA1
e08e73275ef319a628d2b830ed48e1dcf72f7f15

SHA256
c0440dc3d3cd2b7bfaaf59a27005eae279553b1889daf916c864f6a9b8cbee6f

SHA512
0e089e490793ca9741090fc1158dd79e3c9c4b1bfeafc6b3e3fbcf64ffa0747805eb39e86c60f079764acc425f85e48e6ce086a6445f44eaa21e66c1835cb0cf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cc399d1dcc649dfed87a269d1adb43be

SHA1
c68bc7e7a53f1e629291d597eb9300e5d09fbc60

SHA256
133edec6fc42ad06284b13f2b8a775e0ca7a34974d2046747753ca85326cf632

SHA512
6bf567330c1ced682c43b87d48cf5b226f03569424114f072adbe51c392aa492c5e3b9434fcc3b3e61eaef5f0270a65295335ab1f74ce6ec8a6426379a53d41b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8078d6dbc71000c6d3c67974fa2aa616

SHA1
a2c8277d5dd3a49ea20b19a6284473ed56a6f979

SHA256
47528ed0af2288d15a1a0235903bd416207d21dc2f34e580d3c72ee6660842c9

SHA512
02876d58753d3c78869044cd0bae2a786b779edd6edb0ea9e03a1748268325fa73989d7b1d3ce81cd833d622dd63b07dc2d54b30d9ded67fc6cf97bbd62c8cdd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e79458ec3fc8d34f049fc8a8038805f0

SHA1
02dbc559f440587b591dcf137fbbaa4d116b11ec

SHA256
a14734d9ab7cbda5d8d8f4f6df86b062a5a79b264afec96d07aff456286151d3

SHA512
00bf1272e3d9c22f793129718fe52c66e4cb952c6e0708bc2dfb23c466dab091bbc6db76af3ba6d000662de17df0209f613313bbb46dd934c7f9ee590bc3ab9f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fc4f914a088af19c970d7ca64ec77f39

SHA1
769d5c4ee30b32755bc3b62897021812c5ee61c9

SHA256
edbbf8642683d1a187076648386d29ba273fee0db618cb4e509ff2edc4857793

SHA512
be2aa5f66d70a191717c22357955c301a37cb2f0145c414fbfc2d77d7cd870d22e0d87dd873432895e079ca19330257d0c7fb3343ac087342577291722d539da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c250d680f08dd7e0e392aaaf42b52eaf

SHA1
74fe01b29130896dfd575de57fc55dbec9f4fbab

SHA256
e4663727c412567ff401e859b98391d9f9f183ed89d9814cbcde77c46fb85cfe

SHA512
b689ab54fc47a5f988ce7c06c2ef7a4fed14aeba74d1d70dfa33f078101c83cb89acffa32ead975d0d98c27b8b4ab366193f470ef072fe0a03463777aa09edf6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e7b00ae9394a4ff0b7772952cd3e175a

SHA1
bbbca4d118fb491467faca8d8466beba81b27efc

SHA256
85e96c907bf29764551e265b2081bf63cfa607375f349d8766d59d2495408a43

SHA512
15af6b465189fb86a35bd0bdc30f1912aee507fa2f190b6779d49bc5d8c2ad966cf290224139a4024036f2b361961cc0d1d1bd91ef7a9665655f0a028bde4439

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a333122b02f0e0cd25cdf35389657668

SHA1
42fca6d9716583fbc0453312067bcae7897a703e

SHA256
02b2916135d3d48f074b8fe517fcd50a9fa6623f43a3721555f6503d7be55c2b

SHA512
df1afb1af12bd4278d6e8cefff126bbeb8acd17971f26f4080e700525b915e8f900e6c75ee496ee54ff853e14bef6f9128a2e280785a653f0d5f61a86b305436

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f01430465b1f2328b5f5ed6824adfcdc

SHA1
d1bafde1313db8bbc5e6edc922fd4a1d6c3147dd

SHA256
a4fc5cea105233a1432271bf6610035f55dd255ca284b0fcd7c1d96c077a1708

SHA512
54eb3445de282c21bc080d7691db45c5c9669ec01ba3e2417f12f41b4c1c1443c0cb740ee41f68bc1dbb10af60f2cc8c7d15771223294e9d71853cc719469e69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2c5a9599442614bdde8fb5a53331610b

SHA1
293cf4e80c508cff29e4490e104646577ab03641

SHA256
c699ae6871ff475909cd0b3320a179b2842d4a3bf80fa7162af3c94aea443646

SHA512
7967ec11101c0940a7de8f47b1da18948b37aae87569d7d113e8572d06e28543b1d55e6b5aada6ec2b01bd61f121350a1c112e4f416c429520d456be39e7c39d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b774bbd0584ea11a4dee8bdc0f937b86

SHA1
405a30a315bd6dcff67bf36aeaa3b5c2052c352d

SHA256
32050a0adbe9cf18f98067069dba139ec403fae942968cdabdf78c9db5773931

SHA512
cbc73e86144f8eb16d28210b460f8ba963b55f49dd00d42435dc512f4de43107086fca57af8970088e4d39b48b1b1e880a720bd12b232ea15b9dd2495af7b913

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5d8d3cbd58cea5abb00db01c2b6df7d6

SHA1
4785c457b745e9e9a32da80d97203747b1f5331a

SHA256
ac3feae9c9a354055033485e878f2f28598e10032b79a7ea6197b2497b56be6b

SHA512
40299d38d5ba243edc1a912e907cc1c4a21ad19fecfa7d2059b385a37deaa98909fcee0e91399d4bd69f3cb11d7df5ec4e63af4d0ca9202cf53d14e31fb43595

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a22f9362b650384df10aad9b98dd4722

SHA1
e0bdfabe36af204ec89dfb8297b1ccafa15682f3

SHA256
7772523a69904cb54e995f05ed84588500bea098cd2036dd2954afc3177e4ef6

SHA512
6b606ce02374fddebd651eca00104e0150ea19e9aa1c64d578db5d11d1cf6c15f49551fea4ecabee89a4d2af960257445f916bc825082949cbb1d2ad49c20ae9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5d10fec0a43df2565b976c589e5211d6

SHA1
69abe6239035305c8d25839c036e6da0267db163

SHA256
13511b832da8494ec3a8b0f0be52075da7c015f68eea81be8bb99bfdbd1828f0

SHA512
0fb107800aacebbb73245df39878fa4aee3ce421ef7351302cd3701cc7a501e761ac273fc028e4bf38e674e998e72ef047b681150fac6b5718d02d36e10ecf24

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
842cc68d023a5ebd2c9181e78b1eba98

SHA1
b52dfea11440603834212104b21379ff5b284e8c

SHA256
3befed1449a31e5349aa09f42cb6c836bed81c62647994f8cc4b61fadcdb788a

SHA512
de2838ea4364f8ee1c4960ac2281d9b5b80f43ab3b090a9fe0400d18631155e32aa633c7b0c4a3cda31eb98d4881f34b1da48504a7e509a029343c7eb01b3c86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
afe2606a9c38ee5611041cd933bdaf2a

SHA1
0b7570083345d667449aa921d5e195d47b6c4487

SHA256
7c3bb6abd547021cab42502cf1c33ff64c293c7ca3ded087c8c235b49010d99e

SHA512
279c033b8c530c448b74710f76ca9994ee5df583d84618808c8a41f3640b0fe6c765fbc97ff3a65d62bcf63745332156a72057f3034688651eaa5597fc0075dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9faf6dc708703b893f853d7045005d99

SHA1
ceb6bc972850b0346649f9d21b5ec5fdf7c06d30

SHA256
126f9793a526930c3c1ae9701d8f5c02ba027d5855f8f3fed5765701b89169ab

SHA512
4b7f104d8290ab92a40706e23a9100f3a2dbaa81967c3aa50d80f50335ff2052df7d1bb02def8a5a299f5089215d38240279cbe39ca03a0c203c89db22f2f2d4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
541c8fcf83d37653a7a751ecdb9e5e9f

SHA1
dbde8bb8798dea0e4038e00fca8be62ae1592910

SHA256
8859ba6191be90a3e2e59669fa57fc4a3cafb27f280963e47c6f733aec995ae2

SHA512
8ef25205dde0e29bc725332725d68f61fcea7dcc9b90b44ba5944950f9bcad60dd8ad87b3c76824f9bf02a1ea2fdcf5e368ceb502bd18b30104dfb9ccfb6133b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
85533fade9d09c79d7d0093b9ddde966

SHA1
b821c9cd3e6fc22a2d401ed2daf3dbf4ab877286

SHA256
26971adec804e697e27871878a38d8ef5cd49d6b2888b5989098a33672a9c8be

SHA512
2d6e70f6bc89579effc8577d613e3d9324f44f3920eb70e3f31034082dc251e64e94e60cacd6d5b647da4df84b30d1ef3c242636e5b27ccf0d19233190fd4f49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
fcc2e25dcf357b892c82e756df454ca0

SHA1
5ae5394ccbe590fb41b39d2319c5db37213097a3

SHA256
31ae299927d0c857170dd8afe10613b02a24203fe6262b453fec9ade6d2964c7

SHA512
f1a60322e726d3255193825f7872d434ea1ee08260fcb3a5419aa2db6c1f685e3f58946a5b98d35f94372cbbce4bd87f5a506eabb63a058e075a5d78df41e4b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
59c85383ce61e2d6298797b31a0ffd22

SHA1
d6fbb8482919648d30d85332c3455451ecfacded

SHA256
337c3d6dfb8696e775c256f25ef37590ce309b5d1becb6f9b010b3fecbed0e69

SHA512
aa02058a38a50d0b956b3b9b0b126e5561900fafbb3276b0e153c3fdeaf010c6d753b149b045e050a4f4563594533e16b3fbf1afe3434578f215f954e2ec9c5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
82a3c4fd61020c5861af8c13c4cab34d

SHA1
c73c56de33f5afa8b2a458aeaf7318da2d46dc12

SHA256
413c2a3ea7d427e39fe11a96d8ebe0460ded9b8322cb053e802cd4dc7ee34383

SHA512
7c950305e276a867ad86d18833ae5566a5f2c036e453408b05216c0ec51a10bd3e9ae37fd721dec32e080c349e1923ce5654f9d8a5d60d7fb12d76125f645561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0c336cc7c19ffe8fe35a30aa61caff4e

SHA1
53ae3d8104e29d6fbc0987e4da75360c5bb2e4ad

SHA256
c109a1b3dc3792a314b25b61d495b154da3f617bb8d69851b83b0e31bea5f487

SHA512
945f1c8f22f754c88e2334a66e9ddce9066d74165d4a371c2a09ed6275c6e911af33c214874f4a96ce42782c617d30aedb886eb0242cb9bcafc0bf24649a5cac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
48f0bc03d8f93488518ae999afedceb1

SHA1
a46c5b141ac58eb7defb0966cc4dc8f002921c98

SHA256
8c42040a86f15dae9c2aa938e22d6b53b804fca3e798c4045ff8fdd0272e3a77

SHA512
0882c13ff8ce2ba03b7a7686d4fc28368d048511ee72b3f7a877acf969ce37601e76c7a3425f685faa14331b22a236571aa23946de2b40a2da1a9739756e27d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fb7dd735b0dcbfacc522f6691114af8d

SHA1
a8a1f8399d17911f27e617cd301aa00caa7e447d

SHA256
124137e1238a0030b122414efa638d6453f474544fd9a9ea5dd2217205d398d8

SHA512
7411764846ae31a97aecf65d0cdcf696150bc92635cc51fa0a44fb4e6023790018d38735d089677f9dea0b3a121c448a93b2ac02e973c0be130afe62bf23e3b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b6bd4c50d2f0660ffd1bf1f5e1380865

SHA1
2d398b09a8c4da01a4d98277b6d4fd127be680bf

SHA256
3c789218f8c892dcd77d6370c98eac592026cda863a0653373939fceb0ae2f99

SHA512
ca8f509cc2ead8c63d461cfcb10138d7cc4e18485165d5dbed1ac9ebc8b8c94da6460645263533ccb92aa7b52c03c1a70484deaef3cbcec25084ab3f31e86f8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ba98d2dd30c26579c433ed0fd88b87c2

SHA1
1504c3ce9bab6c1f3b75ae548d5dd38243a3172b

SHA256
0ae315b968d9f400a24f0c922b5979eadf29054a85ded24126a0f233b5c2786c

SHA512
aaf0b3633c07cc2886a9d6f1561125c4cc85f09cbe7a4557af01d893692e7233e3a56e0eed34ac19eff36c48671de0f14e71b17381da5d708b10561ca056eac1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2261cbca92f56ba05b0bc1bb11336fd9

SHA1
b79b20f63db14e27432d4e78cf810db3ceb22f21

SHA256
305fc7e404b663a513b045c01fb26c00598916741bd7502c14b9b85e18de667e

SHA512
442afbe76d3a2503fb83f40d68b962c5d5cb3cd56bcb79c47c0ff04a14950b9e2e9bff34fd7b125eb373c0e40e4483b018c0fb5ea77d21b363980a3e46593312

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3dd8ba2ca082cf0b3de9e3a8f710b689

SHA1
6b443ceb4ae8c55ce54b8803a5b15e38a80a5732

SHA256
88df05608f17a4fb01e75a225ab22dcf328ebd850f206195821206dc089167a1

SHA512
ccc041eacf5dea44cb5580ff23e4aca3dab1200325e60942190ff3eef22ba7bd9f906e5508d8b218685cd8dafdc5f8d5612e529b2d6334782836f3e3ee2a0b63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
272c0432b8b51a3ae329d60167a720e9

SHA1
960c8e922dd3438c218aae6ac5f760da2d77bf0a

SHA256
b9ceb4c6498b92360bd83960e29eace6b3afeb1473a88d09fdf930c5d2c1c001

SHA512
20898a4fa22f59e4f7b8b75c8399756c9f6fff88e580c76c4272749261a506069a29832629c571112e2c0a23b2214d25265c8a1a955a341801463d3fab72bc81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3a141664866b6542d51945d99727180f

SHA1
50becf2c6ed3c917f61e871fd18b63e8210b0c60

SHA256
f62fe721f474f800af2a5f584508c27908e31e60df9218bec6a81fdbe23df91c

SHA512
459241172526b9ee8dbf3d995b6b125f18ec66d4fc1aeb50f0177b62e749c2f242359329f791defbd067437c01e63b79ed582f20e0ae44853d8ff93a8664e41f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2d04406998af212ba84670ba9756ca83

SHA1
0f3fadff74c4f687d7cdfb70ee190777e829d83a

SHA256
06f786f31a78538613098d3596db8b19375bc220d4dfe160e8a875561ad16d0e

SHA512
30e5532ca10b8aabd6bfde06202f4bd43d6270111a9589dc91d52bdb8f84c060a2edfdab4b1b7e8429c04faaf5a2a95000396a4cc34164e7f34ee771ee759413

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f312b3ff8ada368e7649d4d5b548859b

SHA1
534e39e26f942b2ade8abc78209f5560befe2c22

SHA256
ab573a4aa3430b51b88636ebe168ba8e6d8f94341695b6a49c4fe06e4bbc94a9

SHA512
bca591dbc508e8ad4d92bab725e8ef041a03b2cf0876d5dddc19eaf32066ee529f0f580b63078164a118f47c89c8be20167ad3485f94de22d97c2afd1819cb0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c4b5649c14c659b76de053350467fdee

SHA1
2cc729150d3f359ab4d6fe05228cc824a29a8b2d

SHA256
7ab595665f477397a94fc0dbfd374d62ce29c9b74594a51611f9542e45b722f7

SHA512
eaef275bbf1cb97b99f2fe3c457d72619cb5690f4708e2a9e796a124dd7177cac37d151223fb81e522700886efca6899d6e664e62fe6aa81a5567cf71a890c94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
34779c19b343e4d2c8191a739f389b0c

SHA1
f7079fd98b993f4b19e02dd0109a2a914b8088f1

SHA256
289b082f351028943f57c7858c88ea06ceb806cbd377d42444381610b7b354f0

SHA512
d357ee0227120899b42e809e1cb5603383f5dbbde8360ce2c0b51a5986063c4331be262a7ccead052103ce8613f3ac140f4c97e63d0d24bfd177bc36ebcafef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
2dc14bc8cc90792fc9b0f946e6c40626

SHA1
7cd95e1a665ec2349441460bdb01c0b6665453c2

SHA256
082d639a6d1d1c0714b676bce845e2527ecd7ceea850b5855b6f230e8d36ca52

SHA512
282176b8af76614a29c7e5bf60503e6bf1fd1147686b1a4666485259f4e37ec69b81c0a8c77ee68de204661e4782516bf45e87c596a502c4dd06709360bbb962

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
09702e950e1e08c2b2853031edeeab63

SHA1
c00ec52bed6c97d8bf074db74c2be3b9ad8aa3af

SHA256
33d97b98e069e9a9a4b86914ade3f69119ac09877151a648ebdd5ffb6089340c

SHA512
c6dddc5952624380d85059480b5810e4fd7f82d7e771cfa1b721d30820aadd5f0be69a0e116dfea1df8e3f67927ee51091279366d8ad80d5be0991ae4b7d4291

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
218d6bc19a3bd95bd9ad9a72da4f20c8

SHA1
0dd7bd00dfd2bc7d99feee6ad5a15fd0abe54bd1

SHA256
960df2a5fe3310f9d66074b434d8c2187f9be0e3d3711573c59abfbe2d62892f

SHA512
5836d8a6ff00245c2ba53568b146358025ef423f1a87028dcdddf7b7ec7632cdce520a172bdf13960362892bf081e15ff3762dd9f5f235f8150846f2cdc4e2af

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a10b68c7359e38bf875d39b964b310a8

SHA1
324ed275de32eac6e3e05b63be66b2efd2c2e4ad

SHA256
f700421fbcbc64baa4e1da31d30364788f25a9c3b6ef7e60851e3304cef538a3

SHA512
1316437ec83dd28784fa340e0a9a5711f89b035b41bb9276dc4db94d463dbbb38cf0c918fe9991a22ade478ea39628f924dc61de940bc4fcd22e7c63f6e4391e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ff433761bcf270f83f3ea19befc384f2

SHA1
268da96c10adac7c1d0ad097cf39d8b887f4a198

SHA256
2b9d96675ce2125821b38aad2bb086b83ff42738c0615a9046e621f3e2302ddc

SHA512
63271c86b2909be2e771a77e949c45921893b79af11bbf09ee79603dbc289746ffa4b0c33890b5bee3e1820737c533493b41ccc30dda5ea9b24b27f12e5e0d8a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4f0dfe68db89c60c7c256433964218db

SHA1
ca6b31f32689270d04319b8bddf72354128cf4a0

SHA256
a405e17ffa4a45160947b586d715104debd979afe2c7c239e6c148833f242485

SHA512
6c147c84092ecfbf23845c55cc1d408c6f3ea7d2827ee6baa743f6c361e356dd116f1797d7669f59203702110afac5a017ef215f195ac546b95eadbefc693262

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8a2414429ad3d9c323dc2752fc513d6b

SHA1
1a6d2a07550d4fbd5c5927200fa95bc58e512a03

SHA256
bb17f163ad372aa1ab5c9b68500cfc5412e28f78db98bd2a8d7bf97ce4d081f9

SHA512
59f297ddc3910e3dd9e4db94ab22374b9b97dca2b2b163e0ed2ec24a8bce17bfb2a8ccc949087827c893d0e8059a384a72bfe911b51d009e4a0a7077dd7fc78f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2f7b577c8677593dc9ab6e7ad1958c7e

SHA1
c42f070835d0b9c815e5ba57b24c9efabad23658

SHA256
7e3f67916e4fb94e7e4d95517d431b833d63dbdbc151bf329e507e359b1cb0da

SHA512
8ecbcc9f23f2a5d404795d7b2243def9530f12f592758e93dc6409f58cd18c79a615afeb27266b69640636d3f6a2cadf3a16ed39a54120472d58e6f3e7ef4188

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f0941ee538ccbde57fd218dd177d6614

SHA1
09b65fa9a3d51ae1d21a9a47fa5998bd3b65edff

SHA256
238331c51a9b2ea8b8b339327059b0373d864b2f394e0f997cb439453120e9ac

SHA512
be267eb1488fdc0993f533a5986f56c40b9532acb66f2289342db0905cc3066a50b4dc779a0ade9afa74393947985f8bfd1940ec991ec82a61997afd4a401a54

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b5f5602a0df0528167b88f42b93bfee8

SHA1
b3bd36d5fab138fc2ec3223e2fad05ac90f39cc1

SHA256
f37e267d103a2f0d22ed7c80903f6f78110d62fca24f07daec73a3ec8f1adce0

SHA512
1fa3c5bb1315ac495fe779a7cd44ab3cdbe96579e9e66ddf9bd0d2c08b815dac43cf6cbb7dc87902d94bfb5d63523b644513ad65f5b400f8b3ce1b52d0e20740

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8cc5cdad0b6add9225226df482519584

SHA1
33b55f04e021024fd60114d248a0c7c8d98595cd

SHA256
c54ae3e70fd64013af7f510cb26b9aad30bcc84054f8cf6388084498bbf73ecf

SHA512
e04d2c9e339f17da5c0a8ded852f1dbb24f8e27f4ff673739a1694578b11871cda255cb71af7077379debcceb817b631cf862eb754fc07548643a0deda07881a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
350dcaec330fa4ea18a81bb6fbca007a

SHA1
42689868647af1a9dbffcab41ab15172371723e3

SHA256
18880970a7021d3220aae6f4a38a4bd523e07c20e9e2af4fcdc577bd20e02f72

SHA512
c08fbdcb7ea5ab4cdc123a4eee2ae90ed41e276688e5be41f13d468bfc52dd07fa6fc711f99f89825c7eb660b71beea17052b2e17b5737d1cf1508ed9650789e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
994a3b47ffb93016c0c9dda7a42bd06c

SHA1
56fdc912aed5e626a89487812747fd01a080b642

SHA256
4fe636c05b2bb326ea57a7367b9ace18e7cdfc27ca62b86028809b832df8b88e

SHA512
cee5dcecb165678ae8db5a2add4ee27f27542e2993458b62796dfe558e71d4b6fb7a86a2908bf493c87d84416d84d4d5533363b613e93931a9c819ce72f0e423

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b0636e48c4614d09ae4b67b73fc9a0b2

SHA1
7121535428cac1189fbc4b943266bd34f3eff29e

SHA256
fc13c940628f5b3fd98615f00bac25139c4edc74cc18799eea0bf9ec36539253

SHA512
cc63ea9472ef0b680407a1113f8d21cda316a8eaf71832a7cb81916ee0d1cdbd165aef8b7a0da15c6d68391c282961849da73bf2a6f8df593e18a389ff19b448

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2f004dba29c85ccfb7ddde4f33d45bb4

SHA1
99550df64e97aa4c6c00da5a7acec3a45b35e757

SHA256
3a600ae19cd530f82b0c4f2597f1e281f9860506bfe6f94638efcd004ac3bb77

SHA512
a1ec4a06fe1e5a40edf9a4f0149eb27356a6480bca631bd4a9a851c1920a91a83cea06352626c24ccf1205d099c0bf69daa151966675a60f6ca9e7d9ecb1e681

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e0ad450cf6429e65339b9181afc0dbde

SHA1
1281b4667100c30e880338954127d6c3ea22952e

SHA256
537db0ba795b10dbf4ab8bf80c4492406f285e2645c4e4ab93f972b4728beebb

SHA512
418d7327b3e3c33e405951ba1d0abbb72c46b92188fb31a17eff6cb3c6a13ffaabd6d632acd87a4a72bff9f30e5cdadffa0f15ba16f8980af67a3cb50b1ccf5d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c4ec7fe6e9f98724740bf4ca55f2c898

SHA1
707ff17096638bbcdd80d16fa159a0f4a34a989f

SHA256
14de2223188f38e15eb10e414841aa1835d2603a34189d1bd5ce07a2c0eb59a9

SHA512
21c6ef6e331cc87eb527782cbadfe56135b9d7c606607dcfa5afd45788808d89b260a229808044bed9edea5906b1904826ad17568bbf394ddfe5d60d5e4fe6f2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1d091cc9e72a06acb1c761bdecbc4dc2

SHA1
47a7a8bd00f83cc69d98d00d3b7faf5ba6cf5029

SHA256
93bcc589f17180896a383557450ebe1e5c6607493b7c2b034104ee21fcd6daeb

SHA512
588c926707b431cbaf1da5165fa5bf286d0e39101bbd2382f8ecaabdb08bd01c7912a4f77edf70256f2a71cb76b892f4e1758dac25b6cc5700b75ac7a97240a7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7e7c00c2dee79354878ee6e44e9fc9e7

SHA1
a67ad0f23abc04bbccd2eb8e8ce1f5b40646e2e4

SHA256
98f6bb6ef523cfddba89b053cc870321be49cc1ce481f6e7cd912e46030b863b

SHA512
51cd6c5af4e1745286fbefed7cd39bf46d0c633cc8adaca2e315cef78adaab46eb41191ae47d31e8231b66c1b5cbb9545177b6c63d1dece72d6a01372f816fb2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ec5b5fb27f669fcf7feebc54b3c79b7b

SHA1
09a5cecb41ccd7140d470fe24acd672705aa16d7

SHA256
78ae91bae68a816cbf97d177e4a530ca532273d60b1e720387898259a756d1af

SHA512
590e761f0660505a6e59d2109aa33a224fe6965fff52b47a41931807a88feadbe85c9fdd1cec25ab814b25affd4de57ef270a72df2c0492195463773d42c701b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
826d01e8f60c45892799ff9a75d397d5

SHA1
6b71fac5146dc476f120c0ad8a0e344ba37c2108

SHA256
1c4cb97a5cd6a8e6b052d68da9a123066f2855689069161c49be3415d596e0b2

SHA512
a9ee50f33d633ae34b3096ecb09e6cd6f09fb0e8c9da19285f6ef66d1edc63e7f76e9d287684574b7c9890ec934f5e537882e4fd3b7c00f44cee182a1794fb26

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3f34356f49026841e6aa814fd256218b

SHA1
8314ac69bf07c6644fb9b63898ce2940b65ea228

SHA256
6c3bcd9a1f1817a9dea5b0aaa3ebff36cf37a401b00aa29adcf40587f7f12e1c

SHA512
3b7173bf34fe0f2d52ec3a0b3563ee4c4b12023080293e12eb3a981feb2416698300746c9a1d04088b386ee7432ce72cd3a890a0998a59d34ddf98dd0a7316f6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
2f424445d74df98742ec11ae51425910

SHA1
31358bb31b4a20d9ef34218d42549788303c4d57

SHA256
7fe833f714e22d225c123a091a8c48ab1c19d3117b3f988f0638f29cd73ca8f6

SHA512
c5aadcdbd6dd4c984b2e7753a18548b5519d9c56e160aec46bfd00b022b392f7f53a1b07c6c17735457472d65248d115893ce171c383d2928057ff95a24a8f22

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
da9f0ddc041c727f1683ff9a7708ab25

SHA1
2dd2f1cd683b27790bb7ffd1ad363bd3e8569a63

SHA256
2f5c84a24839c0ad64c8c33d159987ae83614c803ec249769513f220d4d2df14

SHA512
a9e71f12aaf6eb31e922c7fa68eb684b0602f8bda1de0c49d21f9c79ababe26827725a1ab8f7ed30533dc06bffa18e5adafcf13a00844938b462cda08e03e97d

Download Submit
memory/848-62-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/848-56-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/848-66-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/848-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/848-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1028-541-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1028-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1076-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1076-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1108-405-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1108-498-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1108-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1516-75-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1516-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1516-81-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1516-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1532-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2440-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2440-443-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2748-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2748-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2924-544-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2924-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3052-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3052-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3052-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3180-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3180-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3376-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3376-545-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3424-170-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3424-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3488-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3488-549-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3540-96-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3540-89-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3540-90-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3540-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3820-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3820-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3820-33-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3820-40-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4080-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4080-165-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4080-106-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4080-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4104-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4104-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4312-88-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4312-1-0x00000000021B0000-0x0000000002210000-memory.dmp

Filesize
384KB

Download
memory/4312-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4312-368-0x00000000021B0000-0x0000000002210000-memory.dmp

Filesize
384KB

Download
memory/4312-7-0x00000000021B0000-0x0000000002210000-memory.dmp

Filesize
384KB

Download
memory/4312-366-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4336-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4336-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4368-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4368-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4620-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4620-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4620-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4620-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4652-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4652-550-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download