8c11fe2706a7a732b566b9ebab87554805f7aee758c4c623012728088ab036eb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
Size

625KB
MD5

e5b0e4accb48e330e19ca4284edf7d90
SHA1

440259f1e0a845b984b9db3c209e17abc4b6a430
SHA256

8c11fe2706a7a732b566b9ebab87554805f7aee758c4c623012728088ab036eb
SHA512

431653aa24714a1e3db6d07bb9bf143202e3e92c4ea00157f73ddcf01ad0fe070ad62d9f812f1f897428c3d99630fb4b834f36ad4a9a34747cae0bb1f6ea9a57
SSDEEP

12288:p2elnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:gel11tmlNQ2OnBdFQtP51llPup33kT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3476	alg.exe
3132	DiagnosticsHub.StandardCollector.Service.exe
4056	fxssvc.exe
3528	elevation_service.exe
3688	elevation_service.exe
4028	maintenanceservice.exe
1792	msdtc.exe
2720	OSE.EXE
4660	PerceptionSimulationService.exe
3716	perfhost.exe
3164	locator.exe
4480	SensorDataService.exe
2968	snmptrap.exe
1612	spectrum.exe
3036	ssh-agent.exe
3136	TieringEngineService.exe
3728	AgentService.exe
1292	vds.exe
1920	vssvc.exe
2448	wbengine.exe
976	WmiApSrv.exe
464	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4dc1bb1d4a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007151ce1db1a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d7c3d1fb1a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0f0ac1db1a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c55361fb1a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b41421fb1a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff8e501fb1a7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f767681fb1a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000221a3b1fb1a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3132	DiagnosticsHub.StandardCollector.Service.exe
3132	DiagnosticsHub.StandardCollector.Service.exe
3132	DiagnosticsHub.StandardCollector.Service.exe
3132	DiagnosticsHub.StandardCollector.Service.exe
3132	DiagnosticsHub.StandardCollector.Service.exe
3132	DiagnosticsHub.StandardCollector.Service.exe
3132	DiagnosticsHub.StandardCollector.Service.exe
3528	elevation_service.exe
3528	elevation_service.exe
3528	elevation_service.exe
3528	elevation_service.exe
3528	elevation_service.exe
3528	elevation_service.exe
3528	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3780	e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
Token: SeAuditPrivilege	4056	fxssvc.exe
Token: SeRestorePrivilege	3136	TieringEngineService.exe
Token: SeManageVolumePrivilege	3136	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3728	AgentService.exe
Token: SeBackupPrivilege	1920	vssvc.exe
Token: SeRestorePrivilege	1920	vssvc.exe
Token: SeAuditPrivilege	1920	vssvc.exe
Token: SeBackupPrivilege	2448	wbengine.exe
Token: SeRestorePrivilege	2448	wbengine.exe
Token: SeSecurityPrivilege	2448	wbengine.exe
Token: 33	464	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	464	SearchIndexer.exe
Token: SeDebugPrivilege	3132	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3528	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 2176	464	SearchIndexer.exe	112
PID 464 wrote to memory of 2176	464	SearchIndexer.exe	112
PID 464 wrote to memory of 3728	464	SearchIndexer.exe	113
PID 464 wrote to memory of 3728	464	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e5b0e4accb48e330e19ca4284edf7d90_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1660

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1792

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1612

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2176
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0edfaa83faa107a875973d408ae99017

SHA1
1e800d5bfa35af58a2967f74ec01fe2ddffc8425

SHA256
b219e46b870bf3c4564d2d7e43259233b48cb5890e8725b05fe9f0ba62d4854d

SHA512
113cb5e12806e74bd6dc444c29691880dfb3dbf72a87b868925e28ef74a944da1d7a617348c92015e12c58a0ea7f8d6044dcbaf74bdfebe17782eae91032009e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
fd0ba81d48e7c03a7fafe0ab4cfe5368

SHA1
1d10354198c402ffd2a3eec7cdfc0f1e1c3814fd

SHA256
7f5ec05b64b0cf273f969d7971cb79a83c66d8c5ba1f3df4fc36a34f4857a841

SHA512
6337211815985a281d90263a76e9bce94658910d8fc5d98acedbda9033876caeb35ccb8873ef9091cc2d3ce1ad7ec9d61d23d34e46f7169d3f245efcf8492c96

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ede3cb1812acb690880119e80cae0e28

SHA1
b4e4a59c2a69aaf5aa179f590223bc75e881cc82

SHA256
ba061a9739925c6ba5c7fd6ccaf54a57bce877413c259db2133cb43d68928eec

SHA512
5512e4b653dc78927c45cee0d1221a1325640203be5baa3c5e6d522aee17183f0bb2b0104f69c7ad2e9dadebeb9b2574e8222e09e70c3824d96e0b46be7f1ca8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0302384b6616af9f7a38fd2120fc8f2f

SHA1
1d3e8d89e9c2f8f8670a87fe954c8308cdab8bf6

SHA256
77ba8ba2ecb34c3ff7802575c7cb333a3cb52a79feaf252755059c5a3b013e03

SHA512
11846cfd816a30eddf2c6d4b53f363d72322238d1aeaea29268598a023a8beff05212bcba07a2ba2b8e5d8bf990181dca4199232ebf8ee6bff9edc9366bccd9e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a40cbd2a6905530cb0a957b7756953f5

SHA1
93bddcc05082c23fb21702b2d8e09e0d0b201242

SHA256
7dfbbdea87df59d84f000bddc99dd6a933c3c212d7789bbeafa83c1567a6b1c6

SHA512
aade7861229317b6bbb2b327cd0e9a7a2716c0bf727e164246cadf517c3aa75ccfafbe698da4e4d9c26645ae613eda3c5a5292387531d2caf1a66b2cd7af573b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
27d1d75dd8cb3c3e6630988c778bf634

SHA1
5c113da9d5f28c7f03b74da2bfb3445a9025284b

SHA256
0a573fe2e73d950ea4ef4dfe29009568ecdffabfd916fe99a76f9e080d667af3

SHA512
d9b4dfe95a35a6d942bd7420843b1a6ff78da486ce06813e23935309f6b002c9e9eecc6502ad037ff683874b85ce8aae9f30718f003f66765ffd415e7c3f8b40

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
54b1c0b26af8e1c0313deaeb0a0a23a9

SHA1
203a8d1e8afaf73bc53f42c5dd2829ec5cc351eb

SHA256
1167659fd35d0130f3573b34f1aece78e768df8ed83e10073597d1d7254b4493

SHA512
435655bd0417d6550a32e0d4a088b826d1441a304d2ede1b3961daa71ab14f53c11a3556c2f153cc225ed21e2df806b6de4f05adb12a4c2a78b246dff5e0086f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
67439b2eb2f814921a7adb6235a24c82

SHA1
d0295d21bf82b971d02e7d8f135f0af60f3c5dd3

SHA256
c82adf83bc82985409c6168231eb9104d6ffd833dabc6e4fc2f0651bf8b261ef

SHA512
b2cc98505297fd5bd1d27258a912e7e688e8b5603b9fba2f80cf6839acc2ef0755f38f8e278f50da857a01baf0122e05f935285027ba62315790fc22aaee3127

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d839250502488f6c2ca543cb1cf768a6

SHA1
07215da7f709c792e77548e71ce5658d75fd3989

SHA256
e1ac17fa3aa4eabd2b26d37cdaeacad3381f59ce58a4adbfa4189f6b93232615

SHA512
7f9d76b28d4be12e0e8a6c374ff74b0c70ce075e58d93e254193bc96dbbceb9663ca4e5ddb0172d845b6704d8198cef00f66e0289764bb89920fdee44c04b9a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
5.6MB

MD5
8c540e64669573ce1c60a10aab797bc3

SHA1
3e1cca1f127f14a41dbc2dd569b0bf229bd528c7

SHA256
a009bf25018a3708efcb23ffd2270991be616edfcd3841d1f137c018eef35531

SHA512
d0753618568e05c81f525c8ac53f8d654ba5a606a6411d7e15d481b186f59eea006523e21198e40dfd5bc51c1b4068b3a6845e55fb86a6c3881185d3cfd69a06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a9738ff3357e5d72a3a3a27824f250ec

SHA1
15b1ff4c2d3557b771047aae339ad4b7554367e6

SHA256
fb8dc61293bc922aa722be7d3a2089ba9556cb99451d16ce281f933751dcc5b9

SHA512
4b0df503d8c72b79bc1e6791d373d36e6763f2f395993b7bb2f0b91863b8af998698026ae9abfa2e0e71f0afe383325f8ed2cf2e89ed176b2f5cbe7bef741005

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
72fbaf7df8c185d0cbb65953bca9a5f4

SHA1
67870a8cf6ba44d1d8f52ef8c250689f2e0d0218

SHA256
cb1d33a44f9b7291486e36ffecf2db7d615d79a3e0450af7b71bc3437ef83fcb

SHA512
a7f5676ad5e2010353233d5a4ce690e66da2fd07ea6a7f0a2bf3df640f96eb12c762060ed9416740fc1145751c6061a1f30643b71f3323778fa8c7b537c93bc0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
77f874975521673582468970a97f5ff2

SHA1
9024a45db191b9adccf4c49540175023da6aead5

SHA256
f03cb8cfd028a80c20465a0d3163f5b96ed7a5ec767d07a77ed1e9274e5f1f7a

SHA512
8a9b4812e5dd1300083d0880941e1de4d1f7da34581d4bca3dcd91acb2f3a910ebaac2b8f1849e07a0da1ecec8e9eba0b2c5dea80ace96c76735210d29ece81e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
05c4be196056199e2bca27c3aab719bb

SHA1
57fbbad7eaaaba487da5f6b4751955db2c33b96e

SHA256
90a0790407b3c4f5dfe415d43ccad62a375cec2089d914aac2cbcd44991f7ce4

SHA512
775f89dc6674a48760188657f0f0acb462807ed69585047c1cec8905581613e7f0eda7e9df30a3f521a488f33520413f5a5278e50486a246c95a2ec6bddf4ad0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ae5c100a41274f600728affe88667d0b

SHA1
04113de6533d230c224a1000b94dcf12c1fad1bc

SHA256
4274a5aed6b98f5613216d0a5cefdc2cf9d331615411a90ff1c084e855be3d40

SHA512
fd1cf9da113661723f01dfc9a313c6c8e049e78e6eeaacdb5511132c3125b0548543c129288e0f654143c0fa8680294b6a6ae31375cf7f26ada2e441545dc495

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4eb65faa3ecdd19e289f0a276c9c3211

SHA1
10f7fda4df5dcb0e1e90d3233e571d2fa04dffdd

SHA256
7efb9945124965c28effa79533206429999fe40fb2a078d81fdf01f93da3e07c

SHA512
4c99e475d313c1b2d43f89089b0715757ea57e3fb21062e114d96ea244f6fc683af8ca1acf4e205c47f5bc9c0555c6a7a1d5ef8f0c7f83cc94a025c960567a3c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d71d415343e3bf8735b935e4958fa328

SHA1
63af4bf101e081acce06feaca416064a057b0142

SHA256
6e4b514d6d593364cb74f08295370f28c2e33885d31754f6aac1f89dda90e775

SHA512
fddb8b3d5ed4c33d77fb57569b5c5fbe7358408838b062d2cbd4bd0d5c84db06c0e97d33564addba970d8dd5820200511ae7787cd4d09fc73681f88bfbd9a606

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c31f98999c0016c6e76d76a66a3ce42d

SHA1
a5a21dc852a0f0340e7ccf6fdd3454cbb3359938

SHA256
dd9c46d4c350bcad1b0297807e1aa2146ca62cd529bc9b9cd706e0f4e7408ae1

SHA512
5e03753dd77bb3e4af570060a2283928d0303bdb96e3f05b107352baac8c098cd387d03ac0c61de0cb587fe7799b3374000a250b1e8008da17e9778a76f37cd9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8362062d9dc7dedaa642340be9e349f4

SHA1
1bee4c1d41e3913940a182e6e092eb2f2268a54c

SHA256
52ac4231973d5a5eee46bcbc1585ac5b1f6e29a69447088c43257e954b895b55

SHA512
784ed3a35a7d69ec078ad9bd3e221705699667bca311acf9f8f81a2432e1be033fa18bf20ef99bea86da6c687e3861a763d244662cfb62224f52f5ccba7ca197

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
092470d578e49799093bbc58dfa93a9d

SHA1
42955ec7c074243216f7574172b83d329b5c01c3

SHA256
e1765b037d1392c834013cc85139ede4c31eea0eaa048fc53b7835a03e1d98ab

SHA512
db64a4ddac0b140c02b1c00e7bb4bab39623062d27f6bf35c4ef521b66f3c6b1fd49091c939859973c4904a3d014a04ab68b2d217d772a45475b1cd1f7e0de55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e150a70cbb5e87ab1c8f8651b2aa5e47

SHA1
c045a731e240f61a216af6d9a1925b8b9466204c

SHA256
2afabe914a1473d76e2ed45703ebe6057261ede2e957a3174805a03a1ae07bf5

SHA512
bf81303f27983c3a028466f094df3b53156903293d7d9fca48c7216d06dceb0eff6ddc615b65a70e52daa86b4e269a987816dd83270b3237299d4bacbc633c64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
74bac8edb2af6d693a10ad7eca6e4ed0

SHA1
24491475d12b7827d0ecd085c6565967c1da4c23

SHA256
2c6d62aa34432fba49b7baf12999fa16f9f136ddffd1bc818a2aa96589bad214

SHA512
0be3d8ef274844dfae7d49a748a22ad0ddb291e7b6850686091f983691d17453fb3e6d5eaebf734e9cbb137bdb184c0e7ca8d6c58e4d27cb38862c011539267d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
adf0602de64e25d5a110479ae2ab7f5a

SHA1
d05531671d85252b4556672a2fce8db0091db4ef

SHA256
6ee150cc4587dfb8258f48915e24d8efad2cd8c2d143519a05e3c0acd205e4ba

SHA512
6c011becd511bb4a8e08a71e4271c0607ca2ff3ca4af0c7f34d805408cd7615207b5ec8a2b82cb339756bb09fc30b8640977cbae74e608b4d810bd3de22c6336

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
71d54a0d8e40073d0590b363af98eda8

SHA1
36c84d8bc4ad72013cb6f5d17c850d42e235d66e

SHA256
fda7bceba357204b5d13e94ef6a649908b9e384bfc2bd93953d468a1e01fa8d4

SHA512
eff6bc71d98e3c458af4ce98199ee29e701dbaf4190603a238fba62cf475e2e9eb57f2882e32f58dae17a2320647ab062265ccb52d22963df2e1059d4991be6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
dc7c0b14abbae7cbafe9167132731166

SHA1
1b2efb63c85592c776a4cd6950d592ec72b6ebfe

SHA256
51639f8bdb4d948db41a59be79109f4915bfb38eb3c6d93d7721f135e62cf064

SHA512
c5848c942dddb763959fe2e74389600e5c9013de1667b87f8b30d3b049b9c5a1d77bb85d586a6ea6155ebb45a815a42153a7932d494b952fb9a77f4f4d10346a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
72f61d15f1a1a380e46367ec0de463b3

SHA1
a1f7aa0d24472206571a1cd8244603a0ac7ad2cc

SHA256
1884c3adda7b994c7fc4c617122af55f6ac10ce9edff42f45e257bf042f2fd2c

SHA512
e483012ceb210352300f70d276ef788e42dd5116e65d2164115102c9d3e9990bc423c1eac1cf3fa238ccba6f2bec10cd71c90bb4d8f0b82f7573c113d3395f72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
12b9cfc2ff610ef7e3f6b4c718380412

SHA1
f87a87d6fdbc7da7ba4571b758686c157445f00b

SHA256
0eb80c7b2e7bf50e67417b4bcd070383b0bf54bb78cdc4b52204f99915c988b5

SHA512
79b0c25b815d78a897ad0e5465d7a43eb9e6030adaa248dca1ad64c20a0a44815329125a370e65260989d96c30908329937aa759618cd8ebab90332a9a9586ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
15812615ca6c843efa6b0c65ce243a11

SHA1
f8ec5ff8b109fd6cfa0cb111901bbd843a0ddf98

SHA256
5b313267bf1e3e0ab168544a14bd52565b84308df0273ca2cbf74ec02d9c6ecb

SHA512
29f4fd4a89a9b2b884246660f56b4433ac07b55a8ab537aaa0829bbf56ac91e6c4d994cb51213fb36f14b1aaf8798bd64e297c5dab701392cd0d605c87dd6b53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
93902ecb793ae58bcf8ad12ef8f0cc7a

SHA1
21ebc1d7fbb822ae91577526b0ba239b5f2b0103

SHA256
83ab211ee1da442bb9b25292a317d3623a11dc7aa08649d5fb9922e3dc92092c

SHA512
ef4b5974b19e18a4e0bb3267aef92b285ae1463f6a8e1d35e2712bfbf75b1aa1e4f00f271bac9d609b7282da58e4568f6ff597e8f8e6dfc788539afe00f0aa36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b258b760a8e6edbaebc4f06e04379bc1

SHA1
d0380ff9b9cfcbe71a6f7ef3d0f6c8a53ddda3b1

SHA256
a3077bdf40b1189c60f83d713bcb1c38b1bedf878c59ca33dcec81a7b216cb8c

SHA512
ae03e95eb474c4f9c2cff20a4f683caaf507a3186f10348556753291a32c5ca67849095d54498e08000d679f8484623276c9c1ecd72bd06dad2a49288360f13a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b191700cb7c01d537a9ec5c35ddc9568

SHA1
0df7eb2e66e85df3065078e4517cc42ed2c21729

SHA256
1dacc7972f6e6d7536223ab0370feaac55b8090592843e227752ca2dab538c4c

SHA512
c2f3ef7d1b1654eb3db1655f6ebfbfc7912f7b36dcc990525496e4104399e3b719a0d00729ac96e454626b1c93ad5b7a1dfec34ad17679c10447b0228ebd2437

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
532a67fed92e2eaea67dc771d1fb08b5

SHA1
68879a04d65e1af863c1791c74cfd222aaca8605

SHA256
4d1d98b6587b543f8f47b023bcce8f1a42bbc13eebdc8dc4e432b37c113c324f

SHA512
1f4861d33673aca856afef927e17beca9640d8e7c6bb22b4c95870754a89b69bfdb83ba8788b7a42d144f5e9d0e41ef8d08a3789d6c44a9e43044987699d2cc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5117e8b51d601602cbb4f49277d2e33d

SHA1
0ab5d4c24840e3167b52cd76d8a8178c3e28f6e7

SHA256
347f0f625767e7f94e50ac25aed6cdb90c9e3967269c0929d609be2727688d91

SHA512
16478a35124cde683742c78d2c4c1e1aa75663f9e86056a6aee0a62650acaa614dd34e66f75bd4c444e0830483e9cc6939a7fb7a9cf6703e32d4555370198508

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
aac1fe6582461ef013adc2cdf744c885

SHA1
1a421d18cf7a2e7e8ebc6a775ec0cdf5969d4746

SHA256
f2a85923ae0832a6e1f787d72f4ad8897ec1f23ec08f30f74583c5f9661e66c7

SHA512
891339ff2d0f27b491c1de59c5533a9beea41c4ac29b56aa6d364ea11f8e85cfdcc63a0c76badf148c111d4efe52dc68f991b90f4eb85fbe2a48cf242e37fedb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
80e91c14acc65d2819d04a95924fc1d3

SHA1
0773fe1cbabfbe5ec01dd2c4b710d161da027390

SHA256
127e68cca3b17a654c2ee63a26aa01c59043e2881a873b1aa4a28fcee97d162c

SHA512
6133156f2e105eacf47a7b24bcee11d45a897a875bce07c5c046a5d35ad00e4df642286e39bb13a4ddefd56ebaf89f04ed2f0a9fd086119db3642bf701010b97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ab047b65aa5283b3f344612d7000af15

SHA1
74145c1d6405d979501827ea9441fe7a877d9781

SHA256
8d2cb9d6e8645b2048d1e202e647358ebdc69dc93d874ae0df41f9e539948b09

SHA512
ea742529bfbe551368bfd46205cd1d893c2fb904a12121227ea3bec9ac22b8c31431d4698cd7dbb312af1e03c5dd2e83d3168c1079b1c8d467593c2e6ccbe584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
f2766b8fb2962a74b4f6c3697a8be57d

SHA1
93273b7ccc7ff9e01bb142308daa8c8a5f562813

SHA256
ae346173574b295ac54381f51af55182f888410c85aa4629c6297612b338a46f

SHA512
f76ad986651d17ab2fb5e43c9b69987adee8bd371092f51b59624caa4469c738ec3912e7766a7bb2ef17452c3ce9f7fad20522f85d47ae6bedbf932adac7c478

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1ff73eef190594667d6bb4ad1239d6c4

SHA1
a07732d47879cef6683ffd6d82afc88e77e00fb5

SHA256
0f0bc79c1848813152dafef3063c75c4e12c4afd7109dffae9778d84275872cb

SHA512
1478c84e9e856443949560fbf66a42dacf0e44c5d1d19810b664814c64e00217266bab2cb1c23ef5afadf4f17b6dd70281d19af31944784c1b413c859592c8b4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8f6248e42640dc6ffef100cf1ba315bd

SHA1
312091c3d3733da9b675e1a936f2fe242a3e6701

SHA256
c9c80b284f44ac03fe56abab5cc81216e0958edfbea0f0596fc10d1f28f0dba0

SHA512
4a9940aa1f35ff06e6557b7ee17f896e1d1956058bcf3db0d7191babd1183ea1d59bd73d0e446231956a9ed3fac6646d8bd1e63cf0b82cacf43a43d516959be2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6439fdb1d988f327c69635b7aaf6a650

SHA1
8fb4f6a4ffc39c879e23e2279f12e3ae65067236

SHA256
547b5a09fac2474e662dfedab5e09d1e4b2faa5185708c2b2ba2f7adf4b77349

SHA512
2ee8e714aed8f385b1b9371ff98f4c015d01bc4414fc0f1058298063a4079bdc035471c7851070730e2a7d9eb3a180f7a6f9c08370cbf3a4332df99a9c491e3e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d14744f2d66e98a117d87a7d78bddb7f

SHA1
c8c54a527b40e3e68209283ec15069e98892ea1b

SHA256
6846df62277f159644d80294318bb251b0a2b15819cf3b79a72d8d039cefb50a

SHA512
bf564133eeb644a86461aa661ca64eee29fa6cc430f32aace3b8dc027b37dd34fd105eb71026cb98094a5ac8d7cd5e7709cd2fa5053867978e7c4abf8c5fab9d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
92be848577404eb1fa19b932e45f27f4

SHA1
8e27e263a14c970896ba6e2c2009a6001074921e

SHA256
b728001bc69bee48a20739d7d8299f9dbfbe6a7ba3bf9e10f33ad9b9bb879d25

SHA512
2bf98f43bb2c65d85a8565984107d39707ff505479d4a33e8af791288d2ddb6fb3bae2360e13dd951545ca74e42f602185c7cf3c513e89e685dcbc2cb708a1c8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
80cb12a99af0d875304a5d3ebee1b220

SHA1
88192c1f4135cfcccbd785c7d89436f83cf66ac5

SHA256
b847e0c766b50d88e767c3ce1384702a9f970c7e918d0b000b31c90e2dfcf6bc

SHA512
d17299293d7d69457ddfd2e445f8314ebb95adbc4cd7482595bce8d230ff9129dadec8e1d4749fb0e3a2540909c91f529687844d9aa51a0d7bc68d4de3b19de8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c7cee8c6f1845a5cf716ea620e5773aa

SHA1
79b1aa73c4876f824538a3d5cd69b6ed13b0aac6

SHA256
4d7f9004438d6055ad8d787e4f6d0461ffb1648560cb9eaab804a51df2893de6

SHA512
aabe23ad1640c6534f5916aea708bed18d5390bf6f12732dbd31ebc63c26f74788ea58fceeb22e7c21692bd5e856cfd9e7bcd83cc775eec09a5cec21a911aaf4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
38c1f7939d5a14218bc695304a0ceb69

SHA1
ec34e3267e4b2dadf7142e39d07acad204bcb5e7

SHA256
b290b0f39826614c0c7befe5cbe463f38c55c2feb404b616d1169926944dccc0

SHA512
985bc22c2ee5b25f286c35c3aea4b4e1d84ccd4257d86fd53d0277171435f40386064e5cee8dc3680fa8ead5129b25ab33c67eb9d48a2162b424474772f0348e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5eea09138ae67de68213c2e7e7f97f3b

SHA1
5dea96e85f0a0a23824ac0f06c34447a707f2c6b

SHA256
37760e4812b3541afdea521a17161b42e30b3201869e04e1f8413c27cc782918

SHA512
b1c591303a2de38592a339fa4cc1edaab7b35ca617c29b8fb17037b3123949dc6bfe562ae54e5aa70604acc96e326168b6f3d0551f33ad5f075aee9674afd5d6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
62d669e0dd96b50763417fdbd6d21da8

SHA1
64179d72811048b605112c70d839cf2669d7e36a

SHA256
96b1582300fd0ec1609465c68f600a6aadbce6d75f1b4a459deb5c09913e391a

SHA512
d65b8123fa9f8f50ea8e1b520d61535ce627c1d5b0d34cf24e32c15cbfa4d1f035f9cb2238fd9a3ff0c86c30ee54592e637e22f6215ecceceb8ef318918f7788

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
83ea91c3bafafaf9b3dd272dcc868b5d

SHA1
ea0154c4e8d95005e4e990867624c6d33d45b368

SHA256
b63fcad601674307a1f21a171440ea2a95c82319db7836eeeb29318f554dabba

SHA512
8414c5af93070ad163639307477e1fff34e3907a1022f17a8c823a67c93cde491b14549076feeb626dd98ee25453bddd22401a0909eb94c39eb145afd989ced9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ff0af5eeda871cf0d1d4db6702fe6460

SHA1
bff88d58eaec92fd6c2074ac9c7d5a870023e4fb

SHA256
4274f6fa3b08f4a6f1d8b91bcee8620b9c4d3a53f2356dae161178ae5f31c425

SHA512
77a1f2d8cf9b2a9a017e6a818ee64433280115d54af7e0f66c44b0c6dfc928e28c491aa572d06cb89967294e153f7e4e5e7c06d5f6aca81409f111fa517f27a7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ca95021098fbebdc9a03634330ee0e40

SHA1
4737268f5d1ae1eb03e80f860e597d988642d2bb

SHA256
3265686940bf5cfd68291c6211a48c4e776ce0fb550a429f2c3f4855e81a8186

SHA512
bebea685c60e560f66bd5bf59165df53c4a757753859d4b0becb2ee9524b3acb9256db877c93c07d79c656b2e5e8567dd1619137f03bd3b0799a010912d5869f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6b7dd3cdc2802076a10d74e3975b22f2

SHA1
a42a9045c0ccfe6133e2845e067d63db7e144b66

SHA256
d0f47b537e25138b03dbe03b367129e896aa3a5ed1aef5b232ee2bcc5191aa49

SHA512
43b8a13ce32cdac1c1f6fb03cd2a25c54eebb99837dd4c518cc93ec890e993ae2b65e3cac07f07fea884ae6cc369846d020b6399aacdeb1f2aa87dfedfc78d66

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ffa2db2b3b62603d45551b09772f5c66

SHA1
2f4321c4d6ca884ba2eba30f51e4f3612bf674df

SHA256
0be5d5fa89c4aafae7c76e21012148eb80386fe1a999548e4771960cf4cbfa73

SHA512
dac38b92e66994479155f621213ea0e39ac1cef875eb66febe64ec22c6853c8f99be1f252ea7da171fbdc89b77f72a915205fc0f6c490dcf53a0cc46310723d7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a070e7a11b372ed4fda3819916ff0aef

SHA1
e64cfc5f3743a95d5b473fa2ba4d376c2c6a8c48

SHA256
f4716e2ceb1083f6ee52a62ac181f18a8e61df22510441dff681725cd1d324a5

SHA512
bb21869ca9eb4ac283143fb000275caaf78e9ee6195b752cc6f51351ff96ece1f1b18b988fd1e2231a60f4e41126913f2bf100fa63ea8ff7d816526e5a787f84

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c0679b032174106dce7298ee5d64e58c

SHA1
a459152dbaa37b6e1f76e0f6ab62fc99a4e2df21

SHA256
e95428e15e3447518baa5ab9b8032de1c671e66a8a11512eadfdd34a88f0d670

SHA512
30643fa0a28318412f9011aeef036f48aaa2a0c3bfcf637f1171c697653e8f80939edb2e0acee55110125f4e78a2db6c9504a988433bf413de50b27dd30abcbb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
167dea561eff329876893c1379279f1a

SHA1
9956ff7180c1651e27a6c0c840bbdbe4bca280d1

SHA256
037ff5b8a9055f8c36de9a7467ff11f39a98b58ee7e9a2788f74a89241ed1a9e

SHA512
285e9926e8d4ffb1e123fd77dba7c88b79b3fc78d6c40de7f95c145a8d93391ac7aef21c9779dbaae2452e1a0a979e25caccd41ddae13ecce0181f70a2d0fc52

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f4c30919607ce067d313839c60d537f5

SHA1
61d2528b9bf9edb659dffd146b78b0df2acbca43

SHA256
ccbcd407c47fb13469770d49bd60f1a7b668c96103a5a33755a36ff231c6a935

SHA512
af2197fbfccc0b9e12682ca5af1302a21d54c25033cea35fa3b1f56a523b6fc2785e2a7c254f8d03ac0912218e6b5427f14b43cd273b9373268485bce2845571

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5c6eacf05f6c4442bf1077c2911d0c79

SHA1
103bfdf52b759c22222d852e303a115379568d74

SHA256
6e497c0241a244d85ada1c199fa7d313a9fde37f2560f327854bceea3460be50

SHA512
db269ec37a35d49f44f92c394a28feb8bdd63c9b0499ada355af80b9b4c9e62b6ed776a6b6ec4fa35464ef0f13cd252d8a8251392b3e2df4003a28329f96dffe

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
32d2f23f015eab9e64eb4158f7dc9155

SHA1
ee27a253bba2ccd6e208a1e00be3d9d06d4a0ca0

SHA256
64d3cd61d5c794f04e215be305c142b0747e565e45b50119e2dd3deea9f76144

SHA512
3f2bdb65d090029a1c73d73bc33a731e3e81361977115c7f5d698f120fa80366a2c00a8d8df9ab13e825af07897760afe36cd8514ee60b81a4ff56b8b4cded47

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
124e1a57a53bc77ba7e925edcb36518d

SHA1
98e60a66374810002dfe06efbb464b8cc8f03126

SHA256
8997876446575627685cbe70bc7a5dfb20a5099a5d8504c930beafa67ed5298f

SHA512
1b6cf6600945b3f590992b91a8bb3c4b8564da52889b8986bc96859353bf32b73e7fee75091399d8283e30294271bb7fab78522854dd3ed7293058568ac74b8e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b82d5068ab56ecc5ebd41200d9faf1f9

SHA1
360dd60721e312031e8c0ad7150c74cf7264cdf0

SHA256
554a5cfc1c25ee1d1e5f5356552ea5829b6fee303e89059431cb9213d206f453

SHA512
d15dd69ce3bd3880af109926ee4aac07b875e12baaea962a97b7e72e7f39810a8261b5a9128f33c0b8da62769665d9f9ce63edbc89c1527be1d2e0a2fad0c482

Download Submit
memory/464-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/464-583-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/976-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/976-582-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1292-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1292-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1612-132-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1612-368-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1792-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1792-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1920-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1920-578-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2448-581-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2448-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2720-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2720-81-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2720-73-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2720-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2968-347-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2968-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3036-574-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3036-141-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3132-111-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3132-17-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3132-23-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3132-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3136-576-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3136-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3164-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3476-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3476-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3528-38-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3528-32-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3528-130-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3528-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3688-131-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3688-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3688-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3688-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3716-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3716-100-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/3716-105-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3716-106-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/3728-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3728-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3780-7-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/3780-83-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3780-6-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/3780-476-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3780-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3780-1-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/4028-61-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4028-64-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4028-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4028-55-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4028-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4056-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4056-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4480-575-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4480-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4480-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4660-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4660-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4660-89-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4660-95-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download