51967e446e75ca0cbb2d072271e976d5eab2b67db187bc537d5ae1be64e01379

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
Size

1.2MB
MD5

04572b735ad09b735b179b4881bb7370
SHA1

8f8fc705bf480a57f27290c1c4b6a57bfddeecde
SHA256

51967e446e75ca0cbb2d072271e976d5eab2b67db187bc537d5ae1be64e01379
SHA512

bc3e4b181940e73dc1bf90b44ddc5ab661aef00593fa54aca348e55de49a57f70c86a1ffc1629d4eef5d2895d78759273899b4a69f12d497cf2e4a14f51da3e4
SSDEEP

12288:Vcz2DWUm4+/x8J7ct3z5htUcQ1MlhrmQgwwJzt5+7fyZkCtXFiWZF/3o:Gz2DWZ4+mIJz5IcuMlQHJxrDiSi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3972	alg.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
4800	fxssvc.exe
4548	elevation_service.exe
1440	elevation_service.exe
4380	maintenanceservice.exe
4408	msdtc.exe
1860	OSE.EXE
1536	PerceptionSimulationService.exe
1512	perfhost.exe
5020	locator.exe
3024	SensorDataService.exe
2776	snmptrap.exe
3928	spectrum.exe
4788	ssh-agent.exe
4472	TieringEngineService.exe
3740	AgentService.exe
3208	vds.exe
2424	vssvc.exe
4480	wbengine.exe
2332	WmiApSrv.exe
4540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b12235d6bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010026e9da0a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c2beea3a0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000838d589da0a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004364709da0a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000509e8a9da0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027a2e4a3a0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2638f9da0a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096515d9da0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1168	04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
Token: SeAuditPrivilege	4800	fxssvc.exe
Token: SeRestorePrivilege	4472	TieringEngineService.exe
Token: SeManageVolumePrivilege	4472	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3740	AgentService.exe
Token: SeBackupPrivilege	2424	vssvc.exe
Token: SeRestorePrivilege	2424	vssvc.exe
Token: SeAuditPrivilege	2424	vssvc.exe
Token: SeBackupPrivilege	4480	wbengine.exe
Token: SeRestorePrivilege	4480	wbengine.exe
Token: SeSecurityPrivilege	4480	wbengine.exe
Token: 33	4540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeDebugPrivilege	3972	alg.exe
Token: SeDebugPrivilege	3972	alg.exe
Token: SeDebugPrivilege	3972	alg.exe
Token: SeDebugPrivilege	1060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4888	4540	SearchIndexer.exe	111
PID 4540 wrote to memory of 4888	4540	SearchIndexer.exe	111
PID 4540 wrote to memory of 2780	4540	SearchIndexer.exe	114
PID 4540 wrote to memory of 2780	4540	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04572b735ad09b735b179b4881bb7370_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:208

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4380

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4408

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
23d2f78939c5161e1916c27714a57079

SHA1
25d4b724efc822eb98430f9a8b5d55c74e4f2b4f

SHA256
6f92643ea42ebd0f163fe01771cab26bb001108363cc63d7c0fe88582d0cfec3

SHA512
f376e54de3de73e2f2ff10dce3e3eccf083a127ca44412411cca06ea94bfc7d295e21ed23025181d74b7b33afc9133860a69b85edac2ca25faf07f9efb643358

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
02341903b009aecfda7ac4ec72f05509

SHA1
e0409a30a51a705d795899a64af7f2aaffd4f8e9

SHA256
1e1a4bace59de186240bd46be544855f963bc810eef4267ea8952131cc34f1db

SHA512
85200aeedb5767b50f49ca064111184a2786548a96d7037b85ebb4283ffff89bd2f770b76d028eecad1785ced3fe31aac9e492b1dd9002f13706ff66910a0f94

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
58ff57606aedb949d577ed684690bd29

SHA1
cec457389114eedddfe55bead922f682a1b38052

SHA256
0e24b9d0373c317425802837161585e1a88cb95e07739961973e8b973beaad2e

SHA512
3130ea714fe8ad3638416692e77efe69f65eb3115e79ddb47c0d7ff4b201e95bc2f7539d6c101f02ce319cdd24f4e4bd775cb5415cabe03cfd21404e2d6ed3a9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
341dd9fe3be2fc6104b3f65c20245c54

SHA1
f63fb3dc17921893f9447c3850f6e346de729d92

SHA256
adf86e2716ab0d31175d507c1eac1d2960fc16dbcd494ab4f6b92e948d9e8610

SHA512
f123105db8fe75957cccebf01e517b5c221c876060e7ac1d70ba29e58cf34a3a16d25eb666bd6e7519aa47d2ea6d4acdd572d3da7d23d23047486719c7ff29d7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ee901b797bb0e36ba7fb2c8026c92381

SHA1
2f193827f814eee47206d56f45791210a13097dd

SHA256
1a7ab13424b4f1788ee8b4441834ac3af1be3f6a435c5e7b206942a27a32f3af

SHA512
4d41502663bd1975f746465790f6982fb339a3af581fb6edefc9d65df46516039400402d88d4d2f8419f3b95c72154690bb06554cf8d3ce327c75341bec3b9aa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
24f1be8102af17d1c1f2a4d8314c7bbd

SHA1
d9cd7b3ab189992d8b7a51272eddd55516f6f304

SHA256
b6827d8b6665b09c2f84dad0de7fcdfee31f148b86f363def97dca3ee0511952

SHA512
2e03b0ed58ba2c1ea612332bbdf45fd4f94216ae08f30a86d3101d6d5333b29a9c340423b9ece80e5199e8efb13fca9f9e44328ad07cb9295c28f0cc5bc68bd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d15bb45252b8d5bb0d3db2406f474b05

SHA1
db649f1f0f668f65abdb6ee0ef6473a4090c6b1f

SHA256
7279d918197c256fc549c1c8cda0560469627197bbab75c0b36e11e87a8de4fa

SHA512
cc8cf899cc48b54411c656f3c458c2acf7c2cea1b15c56fc1d7f345139f1802b64e5fccd41e0e975e0ac498a492ff686b23c9b6b8cbbeb83fb221c93b961054d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
35ba9b57bd5e627c302eb2057267d0b7

SHA1
2c4035a53b59c4ad27168de3bc09a41d84409833

SHA256
af95feab1e5dffd17d0315b455dbce95aadbbe70f0c5dc7848fed59e35cc4f83

SHA512
7500079502ce295b1d53d1ac1fbc4f2bc165f23bece2bc44b0e66ff6f3d2430d40e061a6bc3da45b84b30411e8c5f68d6b8267e49b62f61794897a2aafe666d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7efde007a675ece7aaed7872e1baa639

SHA1
9b3775749c3ac352dcb897043d26dbb511b84219

SHA256
d9ff4c54f2b2a14ef8ab8c43db468babcdb5b3fbf893b3db62593660696064d6

SHA512
4dadd4b15a7b99eb6261933774a78a981ea36c0dfbf282864868f5bb1fd98f8dd4bb1d0f1033e705171e9f8f34c6f2c5e71e07546c7cd93948499d17312b6f00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
00067e3174b27bf0d2a8310a04d034ef

SHA1
8a56530a9d2fde13d28088c28ba1f6fd1fecb6ac

SHA256
8a64bf6345c93d171e71aa6e661f66d4abcd59f101a2095ee8b1a0089e9d4f90

SHA512
d3780514b0ff7f41db6376ed8e799faecda8848368b74ed1511e5d946ed0b7a36e40128f8f0566b17c603c8dff43b803df0ff1de3dbe681dfe5b648c044c3917

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d6a83b9486926c917e125fdee392fdeb

SHA1
479ca685eb8e2effe126a56b1781daf6de85041e

SHA256
0323be19425bbe9834bbca8b68996e816cb6872bc1638f58d9aa8d5c745b8367

SHA512
931e267442be09830fef396987a8e6b91ad8cc573257ad76edd374cc2635eb2f8be104543d158b62ef826df5264acad5035a60899153bc55007bddb90d79ada2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d9b75b34191aea84ba44907343564c60

SHA1
435d6ef9738d7b687084257d0b963590ba8b26c1

SHA256
a710db959b96de969b4fdea23ba3afb8b3b5621a21778fddf203e4a089cd1759

SHA512
797ae3a2fad0e6f23029765aba19a956f0b363634ddd55780d1f8a6b13850543d97b0facc664d7b9b2fcff5cc4c8784c2cbb3cbbb4f3147693071c2ae0d9a985

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
03231c1a95cfc8aa1050d2ba71bbbb70

SHA1
dd1103d2fc0d883145e1d9d15a1a7bc41e012552

SHA256
7e10e21dafaf5b710b8ffa3d01e44a9b2fa86a69f5b59c237d79737267f0d55a

SHA512
eb9b6c570d51d139dac60a29b526342238277a35938fd4daba59ea0f3139616c60c4f90859c04afc1f8f47d84648c0ba5ff06b735c3cbff8ade5a87bf3e3340e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
e3a5a46128dc7b1d4992e7dfb11a59fc

SHA1
183e5d407049f1ab5491d85e5c8d5b723c2b0b82

SHA256
9784f0518477f6acb4c267d487834eb57b5a4f27d450ee7cf9c5f1c80b114aad

SHA512
2a91d01a36671d9f85f4004208fafade7baa8abbd482386220bcc4c8c012b0fbc663826800001c1aa8ec9534927486d4325223a46f89b65df9de09d8f624567d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1f122f23fa84bfe6ba06ce4b291fcccb

SHA1
8ec9715d0beef9d622f1958b85d964cc3b1ec393

SHA256
375576541432c8bf19b8f2e8532a529a8037e08c76c86901be026a5a45c4f11e

SHA512
8cedf607e9792bb84785db9fb3b4961c2796bfe4609fd4d204a00aa16863841608c013624b3a68858d946e72a90a2d0c360f0cc75937e5c236f431e59b134313

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
61243b13638af0a45c6d5b71b6133326

SHA1
0d4f0b5ccdb89d3b7c0caec69a05af8aa4c86cf6

SHA256
cb7a185b69e67203f8ae7700ae8fe49453865861eb1f8dcf77c295f89da3cf58

SHA512
e1123e24d35b29e8d21c006b187c628d011c3db7d67c272b4e5e09940d61f8c2e0334f89346e05bb8afb1fd3e268c901ec69d0125d8f58f38db3fa3f267cc6ad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7cd168ac590723de08d00b33e3d0bf44

SHA1
4cc4170b94ebe7c4747c6185745ceb1a0fc6e44a

SHA256
27729b6f9efc4bd8f3077c9a98351ff73cd0fb1d5c9a3b8a9750de418848599d

SHA512
24ecc2da81d8bf74dc24d09da16b89c41d3dfd1045b8fa35328d6856a3ab21dcdfbf6c4576f86ace3f7a3ae793246c4879fc96cc1fb18756f4d9c7815ef84397

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8805dc6c08e8d2ab35a45bbd5cd4060a

SHA1
9f37f03983c42c65c67df0622503f590acd6ab06

SHA256
96d8041b3f6cae4beb58b005657a590d51043e51dace6f7e09ac4369a8972ebc

SHA512
e5aaa6b49be18cef4d34543ffa6f1720b6d8bc1521e0db3bc333cf11faae8d95b5d7aca341e3fe4bb6b6baaa8ad7b1696c76f25f75cc0a774ff09525c14aa1e6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8f8f47837d38d8f61448cebf26492481

SHA1
b9c4dc47828982fde9d85edf3ac32ecdab17e137

SHA256
ba769fcb3fce0074916bd9df6ceae916f500e89c370e9aff3fa6da770cb3679c

SHA512
ede035a882671949f07ffc8379948faff71fed39983469e8a5a01824d4b1fda6d9d2e30098fee688290383b7a49aa6c089a890320b3ed70621a991d81189e96d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4876759351516e5a20795a0ecbd97061

SHA1
bb480c96544bacdbecac2f6d73531bc3e5abdf32

SHA256
46692c2c7231c41713d795092a3438e253b70ea2b68ee39561c7a48af036b570

SHA512
3ab0a19410eac30fc41dd7491a98fc60218813cb73cdf45e04fc754381c3fc7b06e3efd14c0ae14e386d830d223e0369cfad7ac06f12fc28051819e7c799d73d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
93c2325db48b824142acf074532a226c

SHA1
d1b967f908c899b94ef7f29d0d6df793c55abeca

SHA256
f479d0ec4ad056cc0f0220af2005b26ced31349ec5126588dcac297090e52599

SHA512
7f6c8a7d3bdffe351fe12dd74dd77df9c830dea322a30e153694533171e98b8269c84a844f335b9aae089ea2c2b77d27ba18419695546b93f4714d10780ab90a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
86e5eab9b4a1075701850e53db990b90

SHA1
f93fc2743647691f939c4dbe8d231d8051652961

SHA256
ae14f02675fd553436fd39a4525f98bec297cd9f1bf78168d8b7e92a044fe602

SHA512
1d535ee4ee831053d4bb97b58a97d72419ba281d6dbab761852433639bc226e5e29ecef3346185db3a2a9d6580ff1dc50200080324bdd4506942d18681723fc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0849ff2da110e1ff4d2c306dbb6c4776

SHA1
a97dd63a5c0c23d6ecefd4b43d6f341a96c700e4

SHA256
828cfc081cc6808cd47230c8e05532f1fc8fc9031d421acdd81417918fc2221d

SHA512
12338627d5a378a50193358dd06b45e80e33716ee02fa1d18d49386ad8965f33197b55088d9c0d2cb45fa29bd35051dd8081ce7cfaec28e6dc908b3054e46a76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
6513a7bd5d23f7979e01f2a995f7aec4

SHA1
a46bd18789b8927f2db6d5175667a9c61f1b9caf

SHA256
c885991d5eea70d9d22ec44f94013b94c6203e1deece0a01f8fccedd02beec34

SHA512
d7518023323629569e0afb5357c0e2bc4785a6b15dfd11f24a5a24549bffa8ab3848357519840b8990c447398fd636edcceec03c20ef7677f101acc82bc2c166

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
ba2ebe1acb6d333a0f3c77b8cf98870c

SHA1
00e1c9912b8c1a435d858e31ad73bd9e313d4031

SHA256
ddaef9009cdba2bc712baaba495a048fc5a60068f8b5f67a137d87b3add5f238

SHA512
41b163e7537df983d901114f059b90d175c903f42aa2311d5a03bc3990edc6ef07c2314890c8305482bf83b1013eedda900c5fcb5e25f1b509c0861b6ef77645

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
09a49f6cfdf2d4459029dbc34cec56ad

SHA1
5585196784860d7c03607676f4725dddc1d8aba8

SHA256
5c8ba33fcc4c816b59c021bb8cd37ed1c590cafa53c0e726328eeff7bbfe21c2

SHA512
7d824042062d78d9e164096ea3e32fe30e008757c437a4b297a6be32edebe28a8bdf56add766ba3fe7f3f34e1c1fe924dbc6a29b92d87e2d5b3deab9d595ec79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5ffa2ac1d180624ad30eac2f3184bf60

SHA1
423dbc7e01af21047a4df80483b9d781b9addd8d

SHA256
2d958d1c2ebc47f4bc7548c9e10bb5864648e88725445a53df81ea3528925d30

SHA512
a7202ea4f1dc73696eaa5e18e9ff20dab1a3217c0ab0640f031daebae289b131629f6f6a2316c8e8a6a31a8a46b9ad7bb3c97114c4beb8ae0fb0444a29d5317c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
d296fad713f4f6f62e900907630774e0

SHA1
f56041044e1225388a84193bae9aa0f6d0f22782

SHA256
125344e510ef0e4812918c26d35529c7973d22a713ba09fd0a2b775470d74355

SHA512
e6d30f5b100884075f6dca3aee0e42de3a07ca26c19d3c9322ef5e1ac0a15516e94f687697b00ceeb520a444ddf63d5b35fbf18c76d8b81173974e94095eef66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
fa02d008cfe34230cea007f21aa84a25

SHA1
d82fe53906e65086c7df5eccca146a91c3f546c2

SHA256
ba9217a0de29f2a5acee515c08bad22642bf0d7af49a89af0e527c3ced44e134

SHA512
ae81515059483d21315814c921b74654bc2b8f9acc5999d7dd21e758c847cd42c7123aa4f4877f32f4c5ad1987ad52eba44097a5429bc548f15b0f60b2965fc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
775b7fab72ccefb10ecd57e05ba517d0

SHA1
316bd8437694d39c82a1fe94a715a1125e130db3

SHA256
6b1c8e63db952af390178b5fdb687d61e67e59fe0f0faf205e4751de88b562a5

SHA512
09c58172fcaf463b670710fccebd1234c388ac482067612309255d5617818d036785dae18bd9003dff78ed26d896af8740265d1b19ed5e2f42cda69d3c6a738c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a2c1d266fa5add76c82f9c7273be5a20

SHA1
30042fa5cf772a6fde623782fe3433b58f47e406

SHA256
75f26a4bcc89c4107653a12f39a28227e764da72bcf53972f41da2eac773f998

SHA512
957ced967c4504d87002f37136a4d349df665964f9dfdd67d132ee00e35c743bd4a2d9725844372ac240302941a2911fd483fdd757a092bf16c6d6d1a199bbf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d92b3d6a7ccbe6c2f8530eefd68cea3e

SHA1
e37dbca909b6a876f9680cb7b864e73dbc24f02c

SHA256
187d7fd19b285d7482291f14b0f664155c723dfc9c5c1d24a47318f8bc14826f

SHA512
2d0548d219bf51ff47e85b92a44b642d97199092b3da51e573c13e306b48a17eed60e37ad339efe0e60eb6576d250645d46d0a126aa88328448c0e3c9d28bd88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d53d53e9b3ece97a7e5217f8871cd835

SHA1
e8bdfd3c5a7ca4d75ac91022a8543041f8c0c1f5

SHA256
85693ee601d1b4326dd0fc865f5b9ced12271f58821449c568c9387a159d36c1

SHA512
df4b4d6659e9c8de2a6fe04522f9e97b8761d3e995696fc2e285bd52a17a41b5d38f9954be53d5942321077f6974759aa27f0239f8789a683f7144818e4f9204

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
bd27df1de5efbc96b4dd3b2a83f9c565

SHA1
3ba776b511ad7596458fd38a306fec3a9d4b9e21

SHA256
19c99556e7465587b1ee473ba124baa44749b02d49a5ff220456429e9c17d676

SHA512
e82dc9c231f4bffcf4954f1df814857f1cf9d3013471233085ba0412a6698c74dee4cb8b8dddb151e5bc2d2db737908df1a0858a8c1ca071a3c3e808cd6f266f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
9f4f3e52015b8741f56a814d02a224e8

SHA1
fd092bd8b7094f775aa5f6572444efc98a4ac78a

SHA256
eaadc3b4cc074af56c4585f38918a52d53e81ad85afe80cbd7b8deadd9e7465c

SHA512
7554ca5f30fe72b7d315e104ed809e3c454e49a0c08443784dcc2cd4317e07d40b1a7bf840e1ab1572603aa56175eb614bf82dbf4a05a40e306fd90ac041dda5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
6bfa346e876dde73887f43efcc402e95

SHA1
d445d0cce3182ecb3e23f1c4406d86f2d2c867e5

SHA256
8658505213b7311e08184c406ed0e2c1c1fe3fd1e5250ea45e13afb1ac450dca

SHA512
6c1ad346beaf913f164b8e6c7383349196e1e2cda6512f8a43e42c8f9f180ed656abc08d43d47fb2518c60b9beeb88b9bcc5b7da3570f40426ee4df72d1bde0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
be8cbc9876069aabaa2572000b31951a

SHA1
5c1c51826cb4dad4749b7a05a6b9159b54b28750

SHA256
f7fe2f04fc47367a25a3bb4832441577d0e5b3dad5a496af4112d04235544d8c

SHA512
1c4805e6f2ad0cdcbbaab517bef4c1ddd95843300e4e23dc5ad86d698a78882a1e1fd2990106a2db7b30196214cb8cfe69eb13e034797aada45667b5b146d143

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ec0f153e65561a0712920b9a30820200

SHA1
4bce4d0e0008d208f3dac2e5aaad75c0c0e08018

SHA256
a32dd82cb392e7ed895d8d8370ef58de1d1d8bccfd7aebc5beb1d20e77bae47c

SHA512
2fbfa1734d43902a535607568ab02fe79fdc177221b611fcc5f0c339131da34d260cf5b0a3cbbe773f91dbaffc8a0b9f6d7f778059ee9e6b56a006334dd0a889

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8d3c1c65a41e84253c47a950c9976780

SHA1
70cc4d8c5fc81a2cbf48e3f18c3124a9cd36fbac

SHA256
b781c6eabedac7ab2d5bca98a602c8cf04aa3335f59a43ce23ad0d6fbedf094a

SHA512
9b9ebeb4b1a55abf50b1ee6a36c3448ad2c05d98be7d3f13b88b0508fca04f8ebb62a2f28a314dce02c0c4b03969b4e587cd90c323718b27d525096c89ddb60a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ab45cbd2264ebe3916d4a9c1237a633c

SHA1
bb3e49a885df1dc51210998d1bdc752879b92e2c

SHA256
ab26098cacdb7c4f2b291b447c8607ec00e5652c5dfc0af738f59984d4be04a9

SHA512
20df9df63bafd58a705ced39b69db97b0d7386558461ebb6dcd651078044c216b19931292cadf69cac1dbfbc740d1e1be25a52c71d5205c65e9f0c4c4c75da51

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
db7bbc739ff2692ee0bfc40e75423bf8

SHA1
49637cb31608c3188b261120544013ec842e4ae2

SHA256
90921802959b3de3c7cb061b9a351d3d70ae6669e4eb8f375d04ca481b6ced95

SHA512
d1417fa7ce50a3811dfad31aaa33f55310ecfb28af7ed570355fea7226198490a2fd3c69ec426971c1fbcedd3783fb8fd36c950a92b05692d0bc554cfcf1535f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
4f09f33d25ec23269774597484a5e419

SHA1
6e45a425e0180ef5f57c2d917b8684d0a29df50c

SHA256
05486281cfa889e283575089f8f65200b263344e111375b0f8323b3e1084bdab

SHA512
36e0983bd56b0de9fb2f2710ad2c00a77aecfb955979e2f6779137832638d63ba66684d31f1a244a4c879c026d8e51d2ad29ad29f7a450a6dc6e4631f11e0231

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ebc486d1e804b79bd9dd992c42be04d5

SHA1
fa5ea167ea29c35aef69e973dd404908a1bf0592

SHA256
e512043fbfc04703d1541a94d1e51fdad5a976c77fd5f2e35688bca5607ac993

SHA512
93006eb02eefa3c3997cff2764f0737ac39ebb0ff83555d5112912c63c2f4d221527d9c4504c49a5c3f299158834723b6df8d1072cb33395adadc7b9070f2a16

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
53a252a708e4b4f61e68639079d38430

SHA1
2e4d8f99d1667aec72e6ad091f5aba9bb33809c5

SHA256
7946da9363d38fad40ce8a2b5cc591010d848f7b6852b5c522b5f78355835cc7

SHA512
88d79a521fe11b95ede729a6af0c8475dedccf3a4eca07f27c045a3ce9e6aa4f0bd17cab57d9926515ab1fbc132c1130773b9dddf0241fa4b9066817faa8b137

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
972c1ac8ccb7238e820b5fa6d75d4a12

SHA1
163605c64e394311f5a5d86207023e987f5331d5

SHA256
c1281f1efc3a5b39dab5a1d210222b9ae2dd58d07087f2f781826c325c461f60

SHA512
12e67967a27861e9fac3c222b189f1bf7c5b8db777951b45c5bc49aab35bbba21ef74f4b85ab9311cf33364899942ecec912b404f163e544fac783919b2cdaa0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
a03242352c4b6cea45b9222025772270

SHA1
f50396062121f41afd3173f1856e6a0d159173e0

SHA256
38cdcc6ab5792593da1a63349a72ab9284bd8dc24f062b89e438eb43e6221ef8

SHA512
10e9b4071e779b4eacf7c9aba7c13f67d33ef6e4c59072d4051c7056b56a9eb74255ab4d019919f542d451e896ca8ecf82d9bf9ae14c903c0f2a5e5c4fa03c15

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c6503632035b486619717b98f071863a

SHA1
4d8b3813835f4565c6be1d5a451143183f559521

SHA256
0063a152371f4e9532f4cdee7fba2f468a8addb788e60c02143198c2ccf8f71e

SHA512
1e069a68597886174d7fd27ff0714d57a37717fd63636be028feebabc7f029ee3ce44f75bb6d792853fe5da7a4086b4a418d7553ead0f4ecd74a0fd6651d6e37

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5bf1e74543facd217eb943ec1a837a4f

SHA1
63a82b1efafc80f295cf7aa02b51a19f2ad5a03f

SHA256
83a1dc42b8eab0646a3d8966673e7cbf2e7763c8c67c7229b74dcf9a6f10bf47

SHA512
787d9eff4fa7ef6ab050d7ce00097089bd3a4935f4343732f89757aaa9604c96cb03666c90d08eacad551adcff88799ccc73b651562c523474b1e5cf80bbb578

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1ac18f117a453e4cac36540cc9f7cae5

SHA1
f5724f901cd93cda405443b2c68a8f129d809a74

SHA256
8f0e98ce162f86e575cc91b09b94dc0a972b1aa85a3192cd97ef5dfb883b87d1

SHA512
ef05a4a20ebf6e9672cfade739fe242179bcfce226250297b195d17b8a9d4a5288bf52592c87c67266f72d9391b4145a8b25f46a077ebd472ad89269f4c8f851

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
95594b4bd80b8ea6c607a7ba66037906

SHA1
452b1b7b917ddadab16d2a05e7a5df815cf2b98c

SHA256
cceee2a746a5c315bafeaf092176005888d247ec09eebb61fd1e3570fcd1eae1

SHA512
8011791ed8529957541eb9e5b4a0bf6830543329aa81e2aaf198196ff4279b6fc9f49cf1ed07be4022ae2aa06ad1c140cdb54be28b8aa783a09850259a555bd7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0c87f1ad84afda844753c406e7ab8828

SHA1
fbfd4c5575b6f2cd54feeaf5a8eadb9f3db76e09

SHA256
2f09af39952a21753138a38044d2a46fdfba5877868fb838ac92f5c2af080a2a

SHA512
c151424109aae97e7b0fdcb98a7c8ee366504f5a21c6e07f3cad9f00179cf1651f5fe9517fbd6041d371df58f231ffcf1bf5cd94a8b6aa4ff1afe72cffff69de

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d95a29bc693659b64646c5e670ac3954

SHA1
ee9a7a3ec2eeb72a364f6819a6d6139df04765cd

SHA256
c0f5b3efd8ef27b5888c9efdce8fac4432539594d30f08b84923f5e8da7ce9ad

SHA512
3c363e6314beb22c7aa70f3276c57b74c6ce1482502eb03b41a82ae875fc070eb1ab8ac3bb9a238fce933a058f737667bccffa14826fc754f68aa430d498c2dc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c817c07249ecca1cda40f5181e7a7a4e

SHA1
62f007e0dd38fe24c75cb6bb579104f328df5dc5

SHA256
bb79b69042c15d48c44e5684bc1f1775654f6a0a14309d5902c31ca0b988c815

SHA512
85677a28a43114fbe4d2de6720c57ed6fcc3e84039e9610cd9038967e53ab49d2887b499d72ca181dc9b6c1d0c586d3b59a77d4112ce2059b9de2ff125cadfe2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ece4ccfa0bd954e7418e884bcef4c7fa

SHA1
f91843c09368b113489095c96756767aea05f1d7

SHA256
a818f45becc8e2a4b1aca0980028fd94b629cfd3deae385bf14cd6babd487692

SHA512
ba39a406b6907253878f88b87aadfb191641a2b90b83fcdd7cae714fe6f8152bd729e9059f5a171564d3847c688328beff1899d2cce7162f1b2c962a71aca12a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e05318e40220b50817eece70b20ca038

SHA1
d24c25d73030fe6632f97464176275ca56f39fe9

SHA256
0a8cbebe97f3c8399dc96f0cc701375b3015bf77fff90956093473dfe62b5ae6

SHA512
d01023f698c2821820d94feb6b9ad3e02128d26e27514495a8a30b889d45489f70ab948140bf3d603befac35f3ed7a1a4e6fb1c2a25b7be8c29cc10ac93eeb7f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
732a886034cfbce9c23bd478958e9efa

SHA1
0fc68eae963dd2b4061323452956d1e6b0093210

SHA256
461cda5a061d2a37afe546a06e8d328de035d07d93bdbaa5e450432c426c327b

SHA512
7712064f225bafcae0739f5f723855bea87f071e89f76eb2d3760ac6ee36c290399e62a035280dcddcbdf246db484ea517feb7ec41caec3200d122ecd3e94b0e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b7299416033cc392fec98a605ebc5878

SHA1
215a5aece7d81d65910e5ae8cc8c92d432fc5ec9

SHA256
6df1cd7f5c5f4891d7905fe3a063d9b4c88de1697eaf8a3855fbe29bbc63813e

SHA512
ddb1108941cadcbdc91d0ad7a737bfb30ce6b295013b15bb0d0791832b6c4413f8e621f9319cac5df560fe0321e5f78b77d5524e141117be843c34d5125c8bb3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
be2c61a5d8617157cdcc2cb0ce2399f9

SHA1
0d265bcebbf36414e4663dea81e92efb304614fe

SHA256
d7082c9bb1eccf027847e6332d08c141742737af40c4fb19904f31b6932c264c

SHA512
5d48dcaceed1eaf993c14a92e4a1fa559bfcf3a4eaf39f55a66538b4019ffe9e5b4bf82192f0d2242288cc9b94b033d9952f01f2efd6390eb50b6eb6c2fa0046

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
93a8e8a4fbfd828fa928232ae4bc1fcb

SHA1
8d5068730127a0df0495457e404143272908c398

SHA256
e7be9351df0ede365801c7a532ef271df81287f402c45defe23383c7845335f6

SHA512
96f25bf1fe5615fe4c2e7fcee1ac3548dc2204f6eebe0ed0717c3c3589a69553f7249663c19d2217ec2e6cb2454b019c538aa54414badba44cfbbb9c8a0faf27

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
1224440980d79b24657edbbba23c367b

SHA1
09452098e32f9eb4763933994e843f8bdb252ee5

SHA256
8ec01e5a6bb4bfba9444592e702471db2f80764cfd59423ce30cd64d5cfc1780

SHA512
8335be0244bb364a6d67acf83be256115ccaf92411aa9f4801c0c040b7c980ead4c163dda7e1bb2ad995c67cf825103c101563f8541e5b2750b6f74b78735d0b

Download Submit
memory/1060-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1060-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1060-35-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1168-99-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1168-1-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/1168-476-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/1168-0-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1168-475-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/1168-8-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/1168-9-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/1440-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1440-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1440-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1440-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1512-246-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-136-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1536-117-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1536-234-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1860-222-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1860-112-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2332-267-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2332-598-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2424-596-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2424-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2776-169-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2776-453-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3024-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-526-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3208-529-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3208-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3740-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3740-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3928-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3928-523-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3972-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3972-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3972-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3972-110-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4380-74-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4380-87-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4380-85-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4380-75-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4380-81-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4408-100-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4408-89-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4472-528-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4472-197-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4480-597-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4480-253-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4540-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4540-599-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4548-55-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4548-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4548-49-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4548-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4788-186-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4788-527-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4800-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4800-45-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4800-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4800-59-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4800-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5020-144-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5020-258-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download