9d5abc9086c446bd78caec97cb4d27c06b31a9faba2d6d9f53dee7117bf6f948

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
Size

648KB
MD5

1aaa47f471537fd2ed2a1f0146be24f0
SHA1

063a4c4b636ca88c42fd1f37967ca805afcc933a
SHA256

9d5abc9086c446bd78caec97cb4d27c06b31a9faba2d6d9f53dee7117bf6f948
SHA512

22bc44188b417162bff60f92a1c1378464e536284881c7e40d8d7cc121585785d5116b6a381cba0603932cbc94a0fc1d6d6323da671ac343b0badd40267ebb81
SSDEEP

12288:mqz2DWUdlnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:nz2DWol11tmlNQ2OnBdFQtP51llPup3I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1176	alg.exe
4544	DiagnosticsHub.StandardCollector.Service.exe
2828	fxssvc.exe
2812	elevation_service.exe
4452	elevation_service.exe
2220	maintenanceservice.exe
2552	msdtc.exe
4528	OSE.EXE
5032	PerceptionSimulationService.exe
4920	perfhost.exe
3668	locator.exe
1000	SensorDataService.exe
5008	snmptrap.exe
792	spectrum.exe
3180	ssh-agent.exe
3620	TieringEngineService.exe
3580	AgentService.exe
4900	vds.exe
3540	vssvc.exe
116	wbengine.exe
4308	WmiApSrv.exe
4860	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b526d9e9c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070b6171bc0a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000238d4e1bc0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7286b1bc0a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c7cfd1ac0a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000080ff31bc0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e2d0e1bc0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001adfff1ac0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095ed6f1bc0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001020251cc0a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4544	DiagnosticsHub.StandardCollector.Service.exe
4544	DiagnosticsHub.StandardCollector.Service.exe
4544	DiagnosticsHub.StandardCollector.Service.exe
4544	DiagnosticsHub.StandardCollector.Service.exe
4544	DiagnosticsHub.StandardCollector.Service.exe
4544	DiagnosticsHub.StandardCollector.Service.exe
4544	DiagnosticsHub.StandardCollector.Service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe
2812	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3728	1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2828	fxssvc.exe
Token: SeRestorePrivilege	3620	TieringEngineService.exe
Token: SeManageVolumePrivilege	3620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3580	AgentService.exe
Token: SeBackupPrivilege	3540	vssvc.exe
Token: SeRestorePrivilege	3540	vssvc.exe
Token: SeAuditPrivilege	3540	vssvc.exe
Token: SeBackupPrivilege	116	wbengine.exe
Token: SeRestorePrivilege	116	wbengine.exe
Token: SeSecurityPrivilege	116	wbengine.exe
Token: 33	4860	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeDebugPrivilege	4544	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2812	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 1372	4860	SearchIndexer.exe	111
PID 4860 wrote to memory of 1372	4860	SearchIndexer.exe	111
PID 4860 wrote to memory of 2800	4860	SearchIndexer.exe	112
PID 4860 wrote to memory of 2800	4860	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1aaa47f471537fd2ed2a1f0146be24f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2072

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2552

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1000

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2712

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1372
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c7161d2cd96a6380d9361ba3f83da2aa

SHA1
9911d950c1e4f0c1310284213f82c53747a459e9

SHA256
ed7480169ba912f97176faf09cbff722f8171242a2bc9193ab014470d78ff278

SHA512
d6aec7b5162b9b2d10bfdc2d9d2d31cba71c5b6893a2c2790a475bbeeb55cb8b073869df4b2ccb4232a2dccff51319e98a3b1bd7968ad8240bdc6c37523db81d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4204f3f2d07c867b6f1542c6d36c6342

SHA1
fbe29ef79c9f4a084822f48924318be8f28e4a91

SHA256
fdabb82a2cfcff8abae6790b54e594c4df3652e66b21f70241a92d74e496ac7e

SHA512
9253efa177ae0648904dcd1d5dc638de3116e7407b98c4d86cb6818c1926ff22db7e7c639ed226cfeb76737b98abd90698b218136bc05452efd0c19cc2c75d0a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5a30dcb1e4e2f72135cf035d07e92f3e

SHA1
94e89e8d3ae002df0018ee28fbf843f3f8b0792d

SHA256
1b1945c2c3f6d8cb86b76ddab789f4c2a259efbd5aec037d0e16c7688dd0da18

SHA512
f4f72ef4aacf78463489accb42ace4f0dd1e327fcf0879f2d47cafe56738b4b72de0c9024ae5656b2fcad1198c4c7806b1e56644b32edeb50d0058323e0ed544

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
aa153e131eefdd6e33c77dc2862918a8

SHA1
e6128ced672c08efe8a7bc6c35b79cd523986038

SHA256
485ee87dfd735518a4284cc96c176898a747bcee58eed1b3b35f104d0fe7f223

SHA512
c33b846fe39b7cdfc37abcfd033dccaa88a0d957b6df2e24a4492ad89a15cb2be4d6ef016b34a318b81cccb27be3814173a0b6aab2b02913977be09687a1b5ce

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8af6b1c97ae8d18062bf353d1247132d

SHA1
8026c3c5a6926c6fe6e3bf6ad6134cdcf067235b

SHA256
194fa197fc782d97522759a9e3fc185a7b6edde4d89a4bac90426658afabef3f

SHA512
327edd08935ff2a2c17dac0c09cfbf9413eab6c2461041ff0e677d78aaea8c1f3ed198667cdb802af47e956c97e11cbe5a7d5d6e7e430c41b74b97ebff41ee73

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8cbe0948dc4a802062608f20a1539255

SHA1
ae44a81665c62e8e63271adc55064a40fa9f6611

SHA256
61374ea414e559a778cc8bdbc905042e6ba585dc2987bd3272c03de04fdc2fdb

SHA512
66b91f48fc974352ce2d808cee48cb1ad7e696b82a35235f3ddccb879505ef69ff24c4e5a6e3c1c80d31351a86dcdb0d9b30ea0b3d5dd62e07d8c2eb050a2f64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d50002332994f3e0fdf164d7ef45a1ee

SHA1
cc33a0d96add54a6baa15c0f700c946509f8949c

SHA256
5c9a958e4b16ea273c017e9e8f365792cbf92974f9b2bdffb15c93d4a7006ba6

SHA512
3974c90c615c7b6dec2f6d778895042dfe95a1ce4d4fdac916fb201ffc38291197a9d7f5733d2912904b46e2b797a3ab18e16029d4df0e7f49f62572d2061c91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
56fe27acbdab6d2be011f87fb84190b4

SHA1
d9148071eb504a46f6b9f6d879d55d8142e14c2c

SHA256
73286c1721eb6faa43e8690001119cd46afe9dd84300739d28d58c2bdfbff383

SHA512
47dd1586c2141234ddc3cdf1ec683b1b3df242bd09f6387bc606613b63cdeae5945f49d5937af41f3f800e6ac130d1a845cba8ba4c948c18f5db22ec98cadf17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e7ee0af0aa966ca7172ecd4e59c21ab2

SHA1
5d21c88af302c283604d1632acd939b150d94d23

SHA256
501ba19901fb7ce69fd968ba699464898469a5ba40aa79fe567119b13f24d38d

SHA512
299fd21a7b6713c900ca63a934132a9445471a74a98967ddb88362f4a1e1c6a2dbc951704e1dcad07136b5768c13a7e4b6838aaab18ada01017648a987cb7599

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ea64df3a76e47324cadb9b3f45d830bc

SHA1
af39f5b087fb6c14720ede90b6ce53fa4033e05f

SHA256
18df3a34de8fde22c165e46f4e76995cf78deaca8d4dee900f459dbb6e0295cf

SHA512
3d74339d704fae4d76bc34bcd2a0c377ec984d1252927cfa62c044ac75cc4fbd2798b60c46be10805e5eeb105ebacd1f6a51a3a99fc289212c7a8a10d300f40c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a1f96128642c8cd8f01aedec32cf1cd8

SHA1
895df73be9e497dd4dd7d70360ebeece7d439a3f

SHA256
35372212dafd7cb9041e782bbb4367151389a696392b298156882c7fb00b3f04

SHA512
a2dc897e68db21f345a5102a6ba65445e7a254dd9b53263285fc85d55cdd0f01cb31d3dd637f47339a34c8ba7aeb50cf1069d6058faabdac3ab8ac63d0a31324

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7976b70ec0f0deeb78973c719fa591d7

SHA1
6d0c4010a5714fedce4f1d0d61f487bf1371e8d1

SHA256
a29942654ca38a33c3530d3ff78717d0fda6c28e27ad7a125a94b5bddb9ed217

SHA512
30884218250f7017dddeead74547c6a5514facab8c8d3d0f99a207308ef6a96aeae01ff4e59cd0d8ed86f5b3182fe0cebdeda2574a63d73c46479d415f2e1169

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a9dbff2a3482f6ea7290fe9ca01fbb04

SHA1
b1b6403894ceab4a98296d76edf008603ee41879

SHA256
0eac0f647ce8e9ad9aee48533c3dc89eda6f4f553ec6771035755ebc7c0045ff

SHA512
621bc1ae9eb8af084b5ca55a3594a453ee60db7a727fd670c8233dcdb466db140103823ee8c6794cf161c1f926d1fcf3ba1883c95c426dfbbfbe20f796688657

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c15a2201acd4f3ad3fafa72d4611b630

SHA1
64f2db40dea9353ab10922627ca13007c6f3905b

SHA256
6cdb2c58dfbbd8f15a0736370773c03f0c616d75f725d83ec3aca2876ccdb273

SHA512
4cc01caaa304281bd20c04e94a5052b17f3122609d60bf7f297bca7ab31453687c54deabb3df90fb3edc5610dd983803e44406ea48cf8c34b3953644071e0165

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3810346b4291aff0c45326957961808b

SHA1
dffb1d78868f4936248a4f0a1c5dafb25e893e9d

SHA256
17c1bdc1bce81072ecd747ae3e74f72a9357f9cee7a439293894de80a4315d5c

SHA512
918de44ce9fa37eaa294be32aebf679a523d2c689958b73361820e196b541c136002bc12a191c3b5458a6074c227887ffea34dccfeea68cfd3a9d688f2bdc860

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
415b67198a823dac11c32e20bafc129b

SHA1
ee06c3cc5ac15d6fcde5c7c064431c2ef7b1ada3

SHA256
cc1837d8255e8a94ff140c2ed5abd59a9fef9532c3d345f46f8346e2e193d997

SHA512
24ae92163b448e3b5291c3df91059422c033a7c861e6e412510812d773934aea61106b0a04394356b32193b292267fceff94da07f165e36de6e6418e61b4692f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8e4abc5b1caedb24555f574a0a91eb7f

SHA1
ae2973ac744a287605a960ab7e88709ac3e83c90

SHA256
812a2e922911c4a44858db455b2aef44e770f8264dd00fbabc06f6624a7f0a61

SHA512
2c31c45d3df9f280140e45c8793e780d796c35f4fa8666ffb3230479ed5a89124cf98732987b257d96a43d96b8a9b6af16cb92c1f153f9ae269fd1f1f310e5da

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f8f1505775537e85a133e3e9ae3d9f78

SHA1
c250e0655d921202c73108368a80de91684584ef

SHA256
89340a811cf902ac66afe5d0fb1cc9f4376435c44f611290b96720e1f91bdc00

SHA512
f4af079215b6c8fe86e0c363ca708b0e3f575c9cc9a6c52c954454f408572c7479cbad1ad5e2f9b263414a4b0fac0314232cbf766de5eecd3eaa9be84682045b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e9c13d08acf8aa9579384c99ff2456fc

SHA1
0fa96a7b251a886c6a2353d8e0ec13a322a0adde

SHA256
c624b768bda13b849a4d756e366746a31a5b7356fdae7d59f094d378a5878ba2

SHA512
00fed0a2fff54a46f0a2355c9b810af2723056effe72f30f4b016b729934c1e1a728e750f022d23c9c1c0e537d1bedc1ae17605c5d8bcc85e703188e7ae2b19e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4c9ba5ad7e7c743d18c7ac1b9e6f469d

SHA1
55f6710a59049c5b988d76b5bfaf05ec9c93a32e

SHA256
925f75582232f22374b01b6a7449e2b96d8ffb9afe1ae5948b095bcc390cae9c

SHA512
26a11d22b4a5e38373d7e65ab89a6433e37568e2ef144b28302b300ccff70d8a8a087e8708bf0fa6217a1fa255a347d9b1d0d0d12fa01862bbe063c1fe44c253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1af5b342a65fa8584185e32606258f4b

SHA1
3c6dfb7168f694fb7a2727271d8fac6131855bd7

SHA256
9abd25d48d248895c4599001ed8920c87497350b013b0f8078a4653aa16f50c3

SHA512
593a54a785ad69b529e027074726763cccf7bd69b44b0ebb5e64879e01a0660f4cd16062326d14c945dcdf03ac23965bfb1ac2eb757c9c3e4f85d4c07b7a20c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f5831fdc9669aec9c41bd1041db23366

SHA1
9ef334eafa00bf9f789d1f843cddbed569571f52

SHA256
a9633e6ca21c06bd90988d47d0d52ee5845a725017061f362bce70e9416d9e71

SHA512
221c3e6483fe4d0595b9e1b2e126aca7d4f470aa0711e5796b9955fbb148df44adbe87afca1cff365cd973d827543e40cb65537855fd6604b4cbd276bccdd12d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2b2ea9277588e5cf8c74c511956fdbe2

SHA1
41696b6c94494bee437f375ec59da4e9170a0b12

SHA256
0edf1b5d587cc3acaec1964b3524ef6c6bbf32f547b82105d5043e8ffe140877

SHA512
7c1d0b17ea32e31d762b12da201d2001efe70b4337077b27b40b697b4e99de07f97b96955f60da77938fe24d800177cfb2db017164224fea6da800882cde0940

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f530afde9139940b1a120684e6d16d15

SHA1
61970c42fe8248b145a41a6bed74369f22b937a0

SHA256
e79d9e3532da8a4066ba872e054cbac892ac94ea4c1bf2f2eada514043d1e077

SHA512
7ba6c51340864354f77671a6865d7060535ed44e881c4e528b4cc4c279b37ec2e4502113f8e19f05df7f553b404228f128e6b4822373a116b617bf3b88440cdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a1c55656d217f56949b62a64b54ba680

SHA1
b55587dc714d9ddc80c78bd8da64f88a3a142839

SHA256
d250b1d4dfd4a6482eb6efa8b541108d926561604b627a56e840ed08cbbca588

SHA512
f00d0fc877bb81dcf6721ab26d83a1b38f455f1762d7c5069050d1f19217e5b6f124b54455b4d29e7ed34aff3c2cf24488cc6d287c4a7459c5ecf8fca4abdc36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4dd2242d515feee7bdbafa9ab2623adb

SHA1
3903e7e105f35a617e51eb020547483a03735818

SHA256
cea155d22afd64c2d7f64b348026d25b71bdbb945328cf30751cce88d6138366

SHA512
9a64a8e476e060acf8ba71629ea71ee1d7dadc6d6870072994fdfd0a273348998fc493ac88eae4fcfda976bc0a9ea984085be4487b128abfb93bd874a98d890c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3d83db6c882a914be09e25fb7cddd520

SHA1
b854c6e754437701a9ac280659ececc9d8aed865

SHA256
3d4631ff828a707c6891aab5cb53eeea1f20929a0a628e32834a5346529eea5a

SHA512
3c073b901cda0d65139129735f310ce7c42e72123e3635a7e65e834210ec44cc51c32fe128b89bebf110155d399d040260e674823ba8d463d476b9a11aa1e4c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
181f5e78ead3c6894dc08fbbe1e36e25

SHA1
01768452b88590ab9cd4314d29f71a49402e9938

SHA256
fdbc657ca4ab55721cadf77f5e7e068db82989c1f14df2dc565354fcb3c00b01

SHA512
87f69fb0c95c0112c76a6ac83ea261ca22ba9d0c2a5f411e64c323f32613329fd42b9661b3b153a742ce1d358ac08edfee501190c47dc0a0b5492b0814801687

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
44afabe3fd14fce3121da680bc30c3ee

SHA1
2d6bd2f7840ccf83235c4abe8763d9221863cd4b

SHA256
1a4b977b89f27e451f41acc1d8dcb1dabdca70a236e393c616ad3b4ceee4381a

SHA512
06bbd8033d8d3fc96f4c1d19f7ea4c7ca8c7da718d70a390e7ca704ad21f0dfea9332db746a48a93f7460671afc5dcf5479401568178383f7c98e4ece5f285cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d1b49e41554a556d490762b31cb0428c

SHA1
cc0804b15e9ca332cc023dfc60808a1430af1eb0

SHA256
ebc53206e6648820abf7d2c0d13174d8bdab8b378d7ba1c8e22649e69a6f59e9

SHA512
0d85c33b2bc41a9749cd60cde12f912597b611a514d39b18c03ba24bc63e1d5d5b38ec7d282739626c8af198efc16a3305d71a03ec7f5c97c4288b7e0cd40e15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c8ea2670be7e2a4c20773ecc8c0a8716

SHA1
8ad8e443fc4404ff3436db2c71eca59ed64b07f1

SHA256
f8ca562eceef1f49c9f1048143338670a2c2bdf83650be73507c71997b925275

SHA512
f3a5756afba00bf613e9044f7d59054a53c6dda857e2f8422267ce310e194cc74a14a966c8aa23365e131250faec1da9b627e4dfd9885fd9aede3ae83c2c835b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f71e67bd686c74888fc504afcfdac913

SHA1
a066542c4a3e587cfb5caa1afe303e64feaaf327

SHA256
1da6b888a1224e721a14770240d9669a25d928bc5a685e77c6da61f7f6a6b072

SHA512
66a76d43a94b6c5873bbbae12c7ce4935267c576767ccf8240583a037ebc7bf42d9f6bc47693c83edd8fb6b941622c5dafcf3450c38eab24de06ea86288c0053

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
388e0e0a09e69cbafe65980c271a672b

SHA1
3a64566441ffff8624d8f2cf2b8d48eac9116512

SHA256
db2d361d2230e0e8f0f7f7d8771b6ab459b4b9fbce9b347b6ec89efaecb44a9b

SHA512
60f407049f704fe139bd0a5dae7905c48933529dd60ee55b174d2db56908884a14682b68554c7380a8f20fe459feed5ffe6ebdd30be8681520c528d371475f8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f1b4f60b81d8e50ce9a571f10c492a43

SHA1
be4e118f9ac11ddbd360ed598c6f657ab81c52f7

SHA256
1ce1df72e976906698335be2c8142d1e2139c56025334b68baf38d39f39cf175

SHA512
be4c09351e006f0eff6a8958e81a62b99057c73a4939fd6319849a9cf7ca2585958c87e3f0467e4cdbc7f94539f762dabecee37fc790e78141e46eec8ee643b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5d6458b3be3f8494fac84d35ff566164

SHA1
cca92a1152cc86ebd95dddc4ff477232413bacd4

SHA256
ae76793f61cc7d2eba148439fa725dc1b835c91988eefd2db6a6eb85c0b3ebde

SHA512
c23e9c5bc41930001f1e36ac976eccb46a33c1bd8348a16b60c07af453f0dcfaefb44b4b6ed66980a13f957447689959b7c25cd5116a022e2a9b32440dc10919

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4f03b887e3b48c044f03571cb7258976

SHA1
23d9a130702c0b57691cabbfb02fe637e95c3734

SHA256
d3407c28216cabdfbefbcb5277a1a919911061c6a760a30c45b46a48b4fa1da1

SHA512
ab0934ca46f024d0608474f3b1c20f512d8159053aefdefdb42f0d4c152e5b133862b4e583f530cb5b34cb89669e3490680c6e4bfce04fd3ea02acdbba147a65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
fd038d6a8d7975d8aa518e31daf26aa3

SHA1
de6233765f7a9b61d8fdad8a1a22e614e8fadbec

SHA256
bedbbd71a0e50db618acc421b442179504af2b3ac7c1fc3fce58ab5d7afcddae

SHA512
a18ca10a26962917af91fb1b972f8121f9d103e9813ddbb7649df79caa3ed10f2554a06d8708adebf25e3f1a3a071178552cb8f94c810d512119c9b08517045e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2e59cf2fa950d9a1db12e6972026d4dd

SHA1
73723c485c5f150c5592aa38170ea45ead096e50

SHA256
1729045a221e1b7da49d7e8335afbb67aee1a4830de549c84ef8cd784c348488

SHA512
6f3fccbc4f104b70e170eaf46c287685fd53e4c9583e3b91b9a596bbf012afc23dab3d77a734247bea95da59081111e61a7ced39b8de8c2118afd7e9747bc8fc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
50efd429b454414f3b62c3d1acfa5037

SHA1
1e2c03fa67ce80124e767ffe392be273c5a93678

SHA256
33fbf21d942ab6052c98e685ed0569686afecde37a26f37c38d3cb748bbeaab3

SHA512
66e9531a8846f8384e405ceb6f866c77e3935fafda737928fa138f8b6c4d98d050dfeea77dcce5b651d4d8a9bc705e0c6802e2053afc2838b1d561c73f073219

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e55d6fa541d177fe384d569d6fb1f023

SHA1
24810865f2d894ad4db85734140e8af25a6b53c0

SHA256
c6b336c271b8acd14b3be254c4d6776b51a48a2d44d7f801055ccf3492f52725

SHA512
348fe19f15435538d14942debc95b1071976baac4377fe87928a907040463a0e269d48ac879021c783c52a87bfe6b66dabf86561d04e9262459e753ab2ecae05

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ecd36ce3fb52663e94cb751c8b551573

SHA1
ff56f0723a68fc9af0f6594ad25405cb2eb9fd57

SHA256
2f247ca3f88e9fca6a810cc5d5616b36a080592f8b96cb260ef83d3eb1bb73f9

SHA512
b9a21837c18e5925082a0578bad337685e62c76ccc0635b180d35905cda07cb2feda88d1e37bd58d9cabf212319dfadcf185e739c124d4fd0612c59874594163

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9e58b6f1bcb0c1d8dec88f5a95d86b56

SHA1
f59bb24fb7833fd321224f5c65a264b880f24788

SHA256
053e45a9d73da3d8202fae0ce22000b279ade29ed39124f154dd68783b450d3a

SHA512
827a0f20dea9c706c92d33de2faa6e04b912d368715e27762bca8a2c98ca62ed7b27325f7d034224ba1b37db6960790de8bd554d38cb720226b61c3fc2c7c0f6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
07753f67c3aeb6d21bcdcd8de2ba8722

SHA1
9a5aa12dd33e8aceb0efc8c6689bca81ca06f5ad

SHA256
5b964899138c57325e69ad82db4baef29deadf29b1d717c4bdb6dc45a6e7956f

SHA512
56feb197681ef1eb84e1586f90a36987bc44f556271e90f43d6ab7d06978cdced18fec49be3ec1062ef28d16f9a6c3761ea31c1f03793b9c3ebde01e7adf0f13

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c9382235e9c6a5967ec1f45f770e7217

SHA1
81de0272870c2a20fbfc240fa807786af92e485e

SHA256
65850a9f77f45072f36708b0767623b923aa95f9bcd70beebb53be0f8cac68dd

SHA512
7b6226ac06b6e7d27ab6c9f5fdebf9c8759ff9956c583e4e6c3f01c38578d0b7e7e6f0827446f7b39e3b90a6fde61f174ef3fd47f97f115339c0ecd9b922595d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
def9f6d9bcdfd6ff5f63baf2bc2fe677

SHA1
b01e4526f320385d48318366f43e38577bbff26f

SHA256
6940e9af82f918c0379757940170b5bb0beabdfac324b02c99fe2cde935fe2bb

SHA512
3b0e738092a2ddb484f89283315712d633ab4ecdab6c2c21a5b5ee267cdb001810b92591015ecd79113e479bc59b38dac97d1482807a385ed516857d45a1078f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7d7d51ad19df39ba25ba15d929f7d128

SHA1
4d42efdccce3f2e7554790a9c97a4c85fc2becef

SHA256
32d8acdf348128446b3fc788b93c76957a9518ce02a2179475a6c133869984ea

SHA512
76d1a8ebd760693c38f106f130a7fae2b1058a6e07001014a951ba60c6b3e424c8f9a44840a9171b0fca5c665744e29627607c1807c583539f57a2f655100572

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
569bbec813e3467522a2c100d6742488

SHA1
0cecc5be621f99d5138e820e40013b84b5c5299f

SHA256
3340a7a1d51b50091add7ea38efe831fdd72dd136cf79ac404ebf5bd9b1950bb

SHA512
cb9cc98281c4241212cc17aa8a31fc55722bb0f3c66bf99a062a6cfa408740cd86cbd25f711f1a573cb673685dd350f2ad1e84a15763590400603549c0116f7b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c63e833b3dd6e687567620d1f2244aeb

SHA1
1ffb7c739035ec37c5af85b254aa11d2340c3bbb

SHA256
edbc459d9a41ee017582a6b22b1fb0e7004d9a95aa3e8b0f23b0e90056e14f40

SHA512
5774094eca35dfbc16c2fb759e8f9bb666488955b619470924c2018ca5bd3696b24103520049d601d19e9f3cbe2f97d68c4c979a31ee74279ba8c80423137972

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8feeb4a0621b9c6515aabda5a5af159d

SHA1
7c2af65f61b79e69497bab3d68f043636cae8078

SHA256
16115e838d57d1f742cbbdf5786b0b2cb6a885e6f86159f9bde2482bc79949b2

SHA512
f77baaad65d4080ab578035ac015b4b2fc5839c2e6ba7b50b4c26651b9b2d9f068df1ed82e63d5cf6ce6b7eb66c678da63f3ea9eddc06f1ac6fb2485f23c5176

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
73b6fdbafd1de46b4803d1790b794ee9

SHA1
29783488abbb4428bde1c4a3b5ad797447cb62fa

SHA256
a26a67501b49ea964f0f5a91868c7ec6b00479eb727cf07d2d660fb4c59d18f7

SHA512
293f4b633616527ce1fe60db4175df71e2585f4feb4bda00e0829ff55626f39bf773443b02283b0c5f0e2b976de5b7bab3e594e090631e745c1239b78333760e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
da9bcc2cbe91c5063ecde8f3627cf179

SHA1
6eefd4b43281909e888d33c10523d8a19e2a682c

SHA256
502fbdc37971eeda6eaa7fd45a9528538c95c7af1965448f2c5779ddc9cc1b41

SHA512
f9746c915054d8264b0cecfa48f0b3add65ccff20a6ddfb80a847c457e4f340a49ca6d21cc6f88f5b07ace0ed57b8a8645ad2c3da0ca32e85e9ccae13eb3838d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f2c5d0272841cd2873e88815853026dd

SHA1
55f4ba44b9a1f43765a8cab35d2f0b8a4a1db61d

SHA256
84eb15b482b546d817936a696286097b47ffb35f2b1d7ff210be3f12b69db6b2

SHA512
3ffd0518acb7904b3fafac8fa6f7dc85f5e938c8710d400f7d05607d27056155425121937a0f4b1879d7cdbbb85f6248ee66e31af8bfe0381ecb0304cf9a8567

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
aff3ddce212766d69e81ba0ab9e355a3

SHA1
45c845e4c2d61cb93eb4e91c3981fec72d6d6913

SHA256
4694af78cd065b6aefcfabe8bd69f2fd3a89b28aa4070a20c806d074a0f16f3a

SHA512
0e242caa72ae3f426ff6dde07ca9fd0af7b22dd4f16f293ca4286b99394c750e89e3c91b48e2e1f352e955de216c179594e51dc44874ea601e4204f4edea1d14

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
09349b93c7d464a76390fad58224145b

SHA1
76a2533c842db46863780374e2e6e7baefbdc7c2

SHA256
d88844a18e474e060c8a6974b10270c3a1055c57a02ff091aba5cd68231bfd86

SHA512
33de55f5427ffb41195ceeab349c2f6f2a7cf9c448a5a13cfa942f6adb276c9fd3ae34b2c9728c51b7e0e0437c8d41a54dc827bda6e4b14b156b7ffc4d69624e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
63020eecdd0268635dc84674136ea5ab

SHA1
ec7f6c47931fbbb4e7968f49ddcde878afbee3a2

SHA256
7f9e5569e97ddbbe52297b010c8ca5f9266c373bd3324e476d6f6f139524c5fb

SHA512
656e1e326e236d0cad103f8f9c3f104d58625f122afcc32d7233c917ea04278af5df60d9908669037e947ebd6f1b5f579cb55b3728d257c13b591c57e1654c0a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
05b3aea5442141a36eb4be5fdf8edee4

SHA1
8d84122f8fcfb1724e7f1e5969e07abadd04031c

SHA256
ba671cc66e82a32f515a0275347509d790727590be1e51cec6c160486c01ccf7

SHA512
13fe3ebc8732f94b531ad9f011aaa011b380eae9b4309db74afdff1b2e97267452b498d039f44dc62e77bd2f803262cd7651b39020026bb347fc962072173182

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6f2284ba8ce83497d48a64365ef7483f

SHA1
312d21ef0149948c72dfb2a9fc8f4b08b2e5c8f9

SHA256
4495aaa098934394ee6a8143eb31fb4e9f0385fc8f4ea38ee2356ce538485811

SHA512
928d6dd920768b9abc746880466bd34de918ec39fdb1cf5dddc4789525a030ef86cd1b126f2ff537fb6ecc91395acdce5dbb6dd5663bdd369bf9953868cdb4a9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b19b1af3891d255307f47c5a110897d2

SHA1
097396497e3ec9b15c33276b03756892bbba4066

SHA256
419c183306cf3cfc8954f3d63e94796e22551bd1461797b01f1550ae20d964d2

SHA512
d550a4a004223129a2aaaa43e18c5f59ffc0625dbd0640fb94278fcc4ecc3f74c167eead71d41535c6749f7b0c19883027904906ae6b76397ef86bc36cb5e1a4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
edab8fca70c80ac2c8e29faac82a34ea

SHA1
ecbb65790cc5253e9ca77754c910d60d5d5e4793

SHA256
b638906adbdaa6396a43ca9842e55be91db8b50606782878a056f0977d599846

SHA512
618e60f4841f1d0b142606229ed6aeda9fd32f914a0834d5bc11261b933825917d52ddc038f3baa9e51cd4b32cc11d1bc24271775ae80772a4bfefb2bdacbfba

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2dec0ecff7303ecfde44a8b4f251bd03

SHA1
2062a8e494f773b42d83f3c6743b86c0b2fee775

SHA256
28ee8166e6461ed047dc1cccca2658fd62ea3c5208119d4e6f2c8b8664a37bed

SHA512
c783091189d1433736f6022cab7d6eef5bcb0b0422e5384bfc3b67d62dd6d57149a581091b20cfed59abce2ebd108da2b015a235909e652f2bfb555bc5b8c634

Download Submit
memory/116-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/792-145-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1000-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1000-466-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1176-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1176-424-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2220-55-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2220-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2220-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2220-66-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2552-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2812-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2812-39-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2812-32-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2812-469-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2828-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2828-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3180-146-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3540-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3540-475-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3580-137-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3620-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3668-142-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3728-165-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3728-4-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/3728-393-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/3728-7-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/3728-391-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3728-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4308-476-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4308-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4452-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4452-470-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4452-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4452-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4528-72-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4528-473-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4528-78-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4544-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4544-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4544-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4860-477-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4860-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4900-148-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4900-474-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4920-141-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4920-102-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/4920-97-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/5008-144-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5032-93-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5032-140-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5032-87-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download