9fbfb441c0d3a8725c11a2422f66bf2302aab4ee52e76d60fc2b1da29d5a5b32

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 12:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
Size

625KB
MD5

ec77104f38a4d015cdb12ada3ca41420
SHA1

3c5228ec0460f6837b690d9159f4f1c8251fbf11
SHA256

9fbfb441c0d3a8725c11a2422f66bf2302aab4ee52e76d60fc2b1da29d5a5b32
SHA512

e3a0cca137a770c557fdb1e4be636a15b9f4e9fff9a80b067067684456c875425a50681e5a1fa8ba0851475e20a94ddfe8e296b0368e0cd0d8b4501dacc73dd3
SSDEEP

12288:qBCUNU1FBtfcPKcOYRLbzQkbL+Qg+H5oeIj5RLLB+lOakPprNFzSRY:Iq8S+LbzQkWWbCzLLB+lMP1NFzSRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1616	alg.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
4560	fxssvc.exe
4920	elevation_service.exe
2988	elevation_service.exe
2500	maintenanceservice.exe
4760	msdtc.exe
3640	OSE.EXE
4816	PerceptionSimulationService.exe
3048	perfhost.exe
3216	locator.exe
2208	SensorDataService.exe
1344	snmptrap.exe
2940	spectrum.exe
3768	ssh-agent.exe
4740	TieringEngineService.exe
1216	AgentService.exe
2344	vds.exe
1044	vssvc.exe
2712	wbengine.exe
3468	WmiApSrv.exe
3544	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a27db76c4a48edc7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085b7475656a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044b8ce5756a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005577a95656a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff86bf5856a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbc1f55656a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e43b95756a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe
4920	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4120	ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
Token: SeAuditPrivilege	4560	fxssvc.exe
Token: SeRestorePrivilege	4740	TieringEngineService.exe
Token: SeManageVolumePrivilege	4740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1216	AgentService.exe
Token: SeBackupPrivilege	1044	vssvc.exe
Token: SeRestorePrivilege	1044	vssvc.exe
Token: SeAuditPrivilege	1044	vssvc.exe
Token: SeBackupPrivilege	2712	wbengine.exe
Token: SeRestorePrivilege	2712	wbengine.exe
Token: SeSecurityPrivilege	2712	wbengine.exe
Token: 33	3544	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3544	SearchIndexer.exe
Token: SeDebugPrivilege	2000	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4920	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3876	3544	SearchIndexer.exe	112
PID 3544 wrote to memory of 3876	3544	SearchIndexer.exe	112
PID 3544 wrote to memory of 4592	3544	SearchIndexer.exe	113
PID 3544 wrote to memory of 4592	3544	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ec77104f38a4d015cdb12ada3ca41420_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4440

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2988

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4760

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2940

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1072

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7c390ba4961465caf3a0f7d71ac9319f

SHA1
5ed0040bb6e63813029251503f91eed576173386

SHA256
0a5977a2c79fbb91b40d786e441c86515adc381d135a1b824d3990327f49412c

SHA512
eaff0320c71beabb3c20eaf2f38dc545e13a02255caeaeabe54855d51f6843115d318f3d9705690d00850053035111ce1733725452d79bee81e03e73e0b73ac7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6c5f59067c40392b97f978f4e7b6c879

SHA1
1a6620711baee670f9420566526cc5d8369e609a

SHA256
8feea50eb87e5ffd980ed0b1334182140f45818391ba8503b986dbe2489164b6

SHA512
5fb0e592337c021902201054ae0f4453dfa10a4640f8d94cf8314dd9347d9d601182e17121a42462228d09e45070c67a8bbe9263940dcb59bd4a7c0373572fe0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d732b220aee02774de6b601d421a422c

SHA1
7975a84963b17e9eebc665dd4358e2a088365ef1

SHA256
edb08e929459b8da67610c857ee430185e270160398828ca2d3f8973d5e99444

SHA512
9818c6dce64ec0f6b81e87b01db69b203f94be49cf712b5b801f6457507ee01a16b71670f0b4207e1388f1a68257ddf607bbb2189a0b13f176e7e302c09b5fd3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
10074cdfb275065551f27c5018d5e414

SHA1
5244ec2b5860a046dd631e380b43cd6734da0556

SHA256
e25178cf5de3c5356977b50f655e9a495e928872b90a9866337ee0c4ff352eea

SHA512
348bd7fbb4a12457bee3964b5dd2c78a899a59a90ae5b1032ea6265b67347508e73d3cde3e8dfe634d92259199bbba9128bfd89d69421ac336ac06d80d2a7392

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ead6014dbe8c50584807d504ab74afe6

SHA1
cb96a98d83cccd4a144c8cf308c4ab3da3c89831

SHA256
e1ab1ad1db4a83fed7bab4e9196d7bb624c9be7d76791f44f05011eec9057604

SHA512
b0de23721d41894c7b1e3ffd48aff28cb60e4e23cfc0f6c7f3c49dc7cbab98a5e14cfa844fb5cc3145b24368aa1e9a05f58a10bc436e68ac4827416fda9473e7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e8ac16d0e1ef3265990ec34085210875

SHA1
e13b3833ccd6e9e8adcafd91f2c88cff4ba5f04e

SHA256
9da772a49678417f209f40f13441f8523b03c8f3378a8545a0c4507a8e1ce8ed

SHA512
590ca7ebe74c4e9049bd4dc2b014ed4d2b5ad8daaec263fa44bd49153abeae8f72ea07fa4eccbb50d1a5ea4ce184040ecbc610d8affe93933ee1020e69be9fb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
29d453575d528cc32c22e129ef0d14ce

SHA1
a8bb62c0e1cec0e9d93f7621e3cbdd4ed8b18273

SHA256
df312e36b3b40c8b3d82c1b6cfd60e6460a2436602fa691edef8f4d2b15bdf32

SHA512
9954c4756efae74f9b108eb0f5cabca11e53ea8f4247436d41cbe2de917a161cc7f06890f03a97faa620d22c72c663f57479c0b38174fe54374da7c41f740ff9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7862321764744df03cf3ef02554db743

SHA1
7b38b221d1c6896315f17695bf19acb869dcbc34

SHA256
cb19c5b169eb5df8deeb85716fe96170ab9cb2dbb5d762451c4f77ce23a295cc

SHA512
01710b5a91ace2286fa46e9579898a1f70111f155a9566a7c178c853707dc23b40b0198251f19aea7c530ebc02898509a6749cb4f0e605856934e4e3a95bdea6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b78dbccac14b618f55e047636500c6a7

SHA1
9ee57878a56f68bd5ba3837b73a1ef4a2affad4d

SHA256
42c008f07799e399cb0decdee96fab1ac4e8156bd1249fcda9303259c7ccc7fa

SHA512
32f320a46ed88a6693cf9dbe84d1166372cb71ec24b2f43291fff6f2ad84c5267c4240b494e166a6e03074dbe28dfa25a00a7e4d5e7913a9c05dcf0b5e657dfb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b065a05ccfd0f189ef7d92201840d81a

SHA1
b8548041e6774cf7873e16f7c5285f4dffd95e84

SHA256
0f19d2d396699038317edbce68ef4ab631fe475dde755e3b1dbb062c1e4ecd3d

SHA512
8147f681ce31fc9fb32ab38831aa6d8c38d3cd4b74fe919e78abbe95f9ff956cb706a7504180b262a0ec07ede827dafbdb48878ec123831fca601e94d01201c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6297a948c5d30fcda5df6998f4d202b6

SHA1
e423353e3bb8dd98ec322b8645978574c320714c

SHA256
8f748e80eec5155cf9fdb429b7c9de03f9e185c56c18c52ea4de93993da54894

SHA512
b14010cc1ba14db10c03f0031435e951b84c6ae1dc0105ab099d897f9516f2c5af03aac36fe407c9169b1378d10a85ac11a3161598014bd5fb486d3b4b60ab9b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cbe51e9838ad6e312e486afc4b2d83bf

SHA1
9d668d07b8b7e66431d3d38f63ec7a46c4d29ddc

SHA256
6b5df3fc7ed9a7bf0481655fc142fb21f5992d3643c529dbb423f62b530276b1

SHA512
3f67945809dadbc176179090ccfbb68a076c2b8bfdeb8f8525e9c1de77c02ae6e91b282f1fccb513c536ec3a8599c3522813259d381d67fb31108ede7aadb295

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
048a34845e404577a314cd46380a9fa1

SHA1
0a0a145bc72b83444001628de1dfeb78cfee01d3

SHA256
e6b9c5bc5ba2509e01d2115b478189a36215209339952d48fe7a2cdeb46aede0

SHA512
9aa87cfd631f118b15cf1d4c967051bced5f40639dec8e8d75adbe5e3ce77980fd703034b60e72553e7ea8a09129f81db79e032c8ebbb10383ab67f3ce6877aa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a7aa6b55a127a291fccbc5b0746d2c6d

SHA1
e2eadc95f24d5062551efb3b0df6a97fce6a27c0

SHA256
a5098f6cf3da06a1b3e5a5697d54bbe9830a8bd03ea330242a2ba47c05225acb

SHA512
5f705820a67a3c0fc7a890ec9c5bb2d38a22e28ef5b3c1ed7219172c1f1ba3913e669910896be506c03fd5e7b6a10daff73387e2c9c5482614e6c5a20f94cc2e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
35d5be452459181a8a2f07de6ec1b0e0

SHA1
c5d7d049c859f1242db1581abf70c02f35265ef4

SHA256
d65efe77aa8fb814a7155ca063394c048008517f24975f54f70b5dc1cf84ea61

SHA512
963c4048bf81832c0a445db8b65c37a8c15feeda4ce1bf23406ad41214ee6e51353974ec803844a8f46f8c2b654199b208ea7ed456d4bed79f14185fedd40ef6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7456fadd6330d128efa3087154c9a88b

SHA1
7b9147ba0fd0655314412d5db2a042d76ee6b87d

SHA256
07689c01331ce320805852c99cf15afd8844fbcb596a7c757c24e3300467abc1

SHA512
28d198665bb195e9f1c51132a1c583c8f25962a9c71550aab293fe748ecd1e8c6dd5014c7d53ce65d31a729d2d68e0276dc9f00812c35f2104ba56cb9b58e96c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4f2f098bd5f39b7215635289e9cf0253

SHA1
5e59ea7a3ee7cb3a8f2512cbf91922e8ed344811

SHA256
f2552ef3e75b07c80eef4a84970dbb4a904d0073a1d06ef3d0fe6e25fa7d6e44

SHA512
26e7afb55710acee435c021bc3c8d2a17eed40253ff056f110afb6a9c0f8083fbe24542a8ba318b8e0cc2298274806a1ea63318ee941bf481bbb4c88ebd0dad1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
eb4b2ce3a675051c151378763f7ed4a0

SHA1
a35c3dafb676f4d51029da0cf77dcd88b968e98c

SHA256
51341828ec600c331013cb42c1caf907bc03a0ae304c02fab5345bebe182446f

SHA512
97610a91f69fd0ef720a0bace4262dc50eb335ee6043b84ae7eae36f2ccaa7c4b5febd1a0d795b4856992b7456d9cc84d09dbd66dac336e4de5ee014900e0f6c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8b875b5872297bb3cc41c1f6abbd3350

SHA1
00045673419d289e86f62a9d95dcc35de7f4048c

SHA256
fa6ed18da3761198a8cae44a7d6ab537f6ffa4257a2ec479c285133e5e1346b7

SHA512
00f7045904f2021af03b551d7227650c1b2f440e37648318b3225713a6e3f9e81309816b53fee22b8d2452c13e8f42f901b047ab1e5848383712f29b3494ff54

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4b55d324d0cbae3d6dd6391361c7cdd9

SHA1
9b220bb4e7d5e2edeb2a3f3c7f1c6eccbe9d68c9

SHA256
edb2d34029994cd8e8e2c95cbf7da710272f467d52658c15f85e6f59d3f573ab

SHA512
687a10680dc04de1e24b9040f7681ec6098722e51416b335efd1003acdc9cb2ae4f6bf85e7e0e5194273425f7ec781e932eecbc9a544cea1afab6f169c6c112b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2516a01c0e55b17fba5dc23b23ab8235

SHA1
e7bc980a174e2d7c59d321005ef9d656789d50a1

SHA256
6aab8989276b5d36fe1a641e1ec5d3ff1dbec3c7c8a4a3865e7aa8c961b37d47

SHA512
ac0b1acee68dae1a539df1fa235a4051c1521a0189ee6a2abdef25dd1dd61a3046494b5ede52a2f290c7a9908598b2a9d02b74cecacc6180d39c65806deadd3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8590993b922e15662070996d1ffc3bbb

SHA1
22109e77403079537072b0e39cb18f035b6006b2

SHA256
5c2fd0bb16e3c14b5bca56f7fe8d1c4a875c978792acfcf0fc859a55abb68c0b

SHA512
c2c32d837fb8460a1b1da5969960aec5c78fe320b01480b695a932fa41cab9c4762fb10be7f90442c8c85a583bddd497a8ef0a9119dd1133562dfc1f5ba0434c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
19211ade58d4786cf7ab880646c4ac9e

SHA1
562ef65cb195a2c0cf2e7b77d8d1be5ad3c0a5d4

SHA256
560338091c7ff615910667bb7a0b7be168aa48a9bfcb6c95b0f8d44ea54f813f

SHA512
8a1c1fa447cb5e5a3c3c88408c9352ecbd9d47dfe17ebe5797bbccbe873f2955cd3c97297c1cd2951ce6ed92830192fd27b657d5ee09140ab8580727ae17db1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
937b4ab424bb4e5029591e9ed8fd6f05

SHA1
41ed4f3a845b5bea622a3b3662b3a60bf713edc7

SHA256
078766f3a088b968c46d6b33a30d721eaf351f4e41cb1e00c1dbb1bf72978bdb

SHA512
d927bcccc4aa787d12d86432e13a4bb13356771c760abe1a762fafca94f9613eb2d4a8c71c206084960c0204e100b48d53d5806fa4104da52967dc4444c50630

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
538b3736946f2d66b702dcfe0ecbe900

SHA1
a223b420b7143398819489060a35ecc5d09882a6

SHA256
89fdca280d57fadbbf781bbf0421fe4082dedad6c65c113e259b31fe7c2082e5

SHA512
5983d1a01a17104fd33d543a035c493282cd0e5d6bfc365219f8196664da953eaa77d09167f91e5fe549866fc80a04b5cf002ac2ab76dc44c99002ae592c756f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0ff027c350031d9ed3130a8d9586b3eb

SHA1
8d26344511a1b1bd423d2d76a2d34e92caecf7c9

SHA256
4d259f9024981b9ff973182cbf3cf12bb7ceb6d6f924afbb00eca9f2195aa695

SHA512
d77cf726bae9e0be374a438b838cd3abdb15aea81b5c2ad8210b2a347771fb65729110ef68b415b73e98cf34eb8779179ca7658ac19c3132742c6a6c8cd3fb5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5ebd9a77b44a1bf2e19626ef98e6b601

SHA1
3220e4d3ccf6df607ff511b1b9c822b4d6cda245

SHA256
0151bc32ab4dc6915d180e956931a63da8114d8e166efa5645acef6fbf769044

SHA512
73ce8bbd4ee30f830c9131b89c924d7edc512bc00eaaf1abcae72d40bb14016a9cd4eb71c0144638522b756dc45f4ac07d05f67b02f69938af0317741f09e04f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5e2a94329c91b0e66302377cc002d018

SHA1
d4b9225a77944b3f099b509418ad783277fb6755

SHA256
6d9cca7b64f53d52ceecf1e7b6514e8b8cd2e7f51a7de7ecf36e7e557e167d26

SHA512
2ece9cf74eb834c8c28aafe842f757e16bb1d0cd2c82c2a11abf8476138511b924350243a77ed86910768609aff2f679a5b9d1359c749e6b5d4fef3f86e260b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0d4c376878bc7b6bf32c7af73535340c

SHA1
f9aa546e6852a1b99c80124b83013fa272a7a418

SHA256
313f4db79788688e4bc10a709b0360b6c672a0ffe6fa3540eedb393646f24bc1

SHA512
b576a080daad4490f81155440795ee7c4f5ea80d1be77ff269dd9a232f35a590e43097d325ac2c2225df9ef16852b5614bc73a9e8549617dd666038cc1db96c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0a74aae41518d83c4b6de6b11c513fc1

SHA1
b4f136a254ee04475f0ecbc0b066cca44d975ad2

SHA256
ea60e53d2df30c800bd82e2c61a89e9a7eeb9feeba63844111786360b9ed5ae6

SHA512
87d8ff3f4212c20a52c243e19c188c660a7255c798a47c449025c691faad3d41025dc05aa29cae9e19f4ea8ea546ee9bea3383f5a560f8d413f47b5661d45717

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a9202bbd5605e6cec9e4fa2ef4519c7f

SHA1
7defc410934a1b6da3a271bf1465a5d8e632ee5e

SHA256
49365f56c1e97ccfa6d1ca6bd33a1ddfe9553cfa8aa943a69e6c0348524a7fa4

SHA512
6e7a0e35a140e352d53574f9db63a1227af2dc3144805fbdc7331eba8c873a80ff58fbebe0100223d20b1baf2c9670e7baaa1c3c5c2b2c83e41ac6df3a502091

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
55a5e60ab7ff0ee99aa75b5e230d2328

SHA1
d3a0794b027827a542494633adb63bad765be7d5

SHA256
480ac815b3f6177da02223ab63604afab81163d078560ba3fcb7fed8ba98185b

SHA512
6eb0bc09df686d32b5af152eec90253bbbbfdbfd6b12b9f76f7e7780f53a5309832a8292f0049b99591183f4148cec9fbfdc65b5b0c0681ebf137ad78a368260

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ad56143602f3ebb201f6a124f8fe2449

SHA1
75b08fd3ab2145d092238ee4d20aaa3dfe7b6334

SHA256
d47158bfeed8654edb5b5b18fbc2369bcb64548293c61472c1fbe3ce2fc08fbd

SHA512
ebbeba633e6aaca39063f06d66aaee8aab172919736caadf2391d5626b1532ce4730ba3a12d1641a4a2fe0c7bcea2e1ae3a8f5739b71b00a96952732d351ad1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
104fbd3bf0cb45f5c27b14934c8af577

SHA1
031fa07d06909f4b460f3adbebc33e7d09c244c0

SHA256
959120a7d38739bc2e1eabf2bf5c9134840796232c36b0eda1cc74a33b1e27fe

SHA512
262a02d4227660f68b279d45178acecc26e106d25f1e9e0795403a283046ac72c3c044931659768f11ca1f0ea7d8010a32b2a2ac957ea7b6c67a7dc370e31737

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
417d5ec46634461b1a7ff7fd8e60ce15

SHA1
c0744f3570acfa201c7e9826f1c932688a95a390

SHA256
4ff3a202ef51d6f2a101073d173f2984b548e2711bb925ca54110f19ec1b880d

SHA512
63e3b4118f76a78c6ed000bbee7174bcb4f2ce0f76487f1049ab9f090bc39d35a6bb01b2a4d10f6214e8280a00e3c6e9de4f30652e077ad4d83eaf03f7d919d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
81c3ef03dd0c7ccd455f59e41176b234

SHA1
f81a55265ce464b97f8f9e483f166b186576632a

SHA256
4919a7f122d9547d06476d09a38e8409910e04170b9cddeb0cd7b280dbe1a23a

SHA512
fb091ae5111de1343cf38f05f2c76187cc550cdbe65bbfbe4fc4d133e03cea783df73225cd12ab73f9da0579b9b4785e8df626118aeaaca38cb98f0540c9dbf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
744efdd9feee38a098d38dcbd2fa7941

SHA1
ac47deee792911c75aab0e08b60d1350aaa5f612

SHA256
b86c81a084381520d274b7ee4d4b7dc46e60f6b94ec6a56f96bd7beb72b94b04

SHA512
3bf774edba92d733bc7ac10fcc79fda124e6b5546f0ccb453bdf9b83b156d277c84213e50c7ad9aed574a68cf6127c79c220074b63506074aaca5489fde1f95c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
42a00b08401c6302f3e39cb4e5c486cf

SHA1
1fb9ff00c7b7eaf971e121539c8c60276c306126

SHA256
a2a613361d8e7fad3612b2d2bb7ad52715586063b4678adf6488f010c8a0e9e4

SHA512
969524c1a42b99371f2d1ff28c7a489adc21b6652453cdd5636ee02c687d2552007207a0e381db1f5165413018e02e81dd690db82818bb0b2d4601b785e65b9a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a7ba4c3af7bb2c456988f4c8d167bc51

SHA1
14c3d17f962a7cda857d533a0905463045b040a1

SHA256
79e76ff163dc56c234729a2e405747d567a28b2401b7e080fd5b3f23d0c95ac1

SHA512
fc3d1055c137954e5727cef965adac5bd2110b2df45e69f45956a2f4ea95fe8176702e7a838034e3a3bf5cdf7a80b1a2f3e773b80950c014e2368af26969aa54

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
cb22662b0027e4783b5344d1e60e9299

SHA1
ec83c42f66a9f76a38f9208df5f40678316d70a1

SHA256
fa4e8556b33cba7971c304fab4c33f898105bf8138afc448a72d4fe02fa2905c

SHA512
7788e83a982b27cb26a520143befa9b4c7b82137991969bf01285b0e13d0402945783c249b37e20e53d355771fce66afedb7b4119baf69209e02ecdd0f464203

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
da85e7984996b34d12f40d8c2eeeb2c5

SHA1
f002c490f76a19ea802783131f54030d9a71056d

SHA256
4d7aa958358e4132007c006228e3c4d76a936c6981df894f1b3792ff821693a2

SHA512
346de4da948b5e214738a2b8610726a047d6c1b8b3bfaf9252263d362e39d67a9764bc9c600d8ac931c8dd1e16c172c27e6e6f5f524d72ed65ec2d2ec63f4ed7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
74c40b792e3c41935a7ea9c096858071

SHA1
0c81d50042469bf8329502b5a646cc7edb215f94

SHA256
08bda13c0c7bd5f1789f2f7aa35d71a1f3b3d9fc01b6ac5f8e0d4aba77db9f7d

SHA512
1aeb7e931acc2b466508a1dccab4205fa8d5efbbdef70ff01486091eb7da50052bae6656d969f68d114007978b16f18ce8079700f9dd89fbac0506b09a86eee5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2322e63a4b0b192bd1936ef6e20ee446

SHA1
817a339b8ae4f400cec88c388f8b6117d1f165a8

SHA256
7736f0b6477f271442147722b42dc039f0e0bfc46caf4a2fa65ed7bfb8b20a72

SHA512
33e5a2e9474acf4c07cd5df88c2a6382d69bcbaeb19a0f9c22d4e47a5dd3cb237d14e9ce83fc942ebe68fdf42f83ffafda1000e1c531e12023be51299afa5187

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7ccc727a98837100b8271c384acea3a5

SHA1
0e3445a1d6c6171b6f175cea922d7e9e8752394c

SHA256
da8cfdb48a73c2695557c7c2cacca8d763cf86ac9d2d248574eb290c3eb2cadc

SHA512
f19a64e67b64003a939ac40c9e989e6e39d09489595c14bd6c291eb29d9845afd076fbddb25d26358ad8f3252a24aaab4b570423ff6694b31c63ec54df324f61

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
83bc86620f656b3a00c42d1d2dbcdb79

SHA1
e958042933dd5143198c5f2320cb2ab00f923c8d

SHA256
0aa96844938dffe486c39a3d8cd89419e4f1164f3d620a4aef1ff2f12284fcde

SHA512
ffe2157d03aaa67eef398ff5dca4ec410714cb6f549f3fbf3be22e358e3736e23b3e2cd358a6c818b703d81e2e67016c6a6c6d88fd8582b891ac79e9a008f4b3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b56acab4c7c2513ce74622e66f18024b

SHA1
3e99421cbd80968e066f71a1570212da3b72cfe0

SHA256
61e4520e42c44cd52daa653fbb7ee5d04f84a2acb4151378119bd8e6884c0494

SHA512
d57bc9ead7f9fd5e7d83382e31e6e8b280bf06d1e363e3fa1e2c08432492fc975b320fa8c78f14d12bc0cf285b7e6d4f375c97afa4c769c1003577fbb5ab3aab

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5354f900fa115007ff736ce64c64b010

SHA1
fd9e21cff8f3d97358a5c792c9e79136849b0c27

SHA256
0f9ab3eb2bd4584cba76c82cfd8ffbe3e374cd704ec18777bac3f91cec63eac0

SHA512
8a3cc54381e8dd83b22bf32692da7d33b210e631894b626ec886ac39f16df0f83d0eab39bee15c0dc3649d467a6a2712965c5a3a2241ff438e2da978bc913ab3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
549aad9357cde54603166d409d9f8031

SHA1
91d6d0bc1728dc4d3649b2424077c397d0785791

SHA256
222d0f843d3e22e619251b0cb49a50fde40fe2aeb8eb726c06b78c3c18c17e82

SHA512
d07a4dd60a3350b55f3897461e97b82f5da334829e59350816840ea26b83e22db80ab7a73654abbe296359367071924e2ba401dc3e8380555037b4eebf582d99

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2be370ae3f51265268027c6b3151a9b2

SHA1
befd91594a280744fef4dd351e23b42016bbfa50

SHA256
b96ffde453742609a578972ae6d14aa7f80b6f6d8263c39bfc8a04df1cf9e896

SHA512
39cc9d9ca1c2c634fd3554f26c4f4f254e5cbcb3fa6620b47ec946fc88fb5480c9d9f7e96f7741929c646102438f442d0f91276029797e9070322eb97b72a011

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
511ec4b000afb68d13ca2a945a1916df

SHA1
5f685133a358a8dd0701653039d66373bb9e3eb4

SHA256
6d313f6aa412bdae0d2dfa6570b3aeaa2ed6c69223fcee0adef9a7993690f3dd

SHA512
6b0911d5e4fc463f17a4149c7456816215c56bebec414476bce1b05c8c818bbf4b98d1f252d2a183265292f94ca12f70b51cefd6ed1b409d250ea5b7c74d9dec

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
32601a40cee3bc365e7f77132f5f7a7c

SHA1
dc33dd0149bec0f3bee6b32f3903d984f3b5266a

SHA256
f2176631cc8d4b366699a132168300a12de3acf175f9c6fce2e58ca77049dcaf

SHA512
5e25276d196f61bb3ec5ccd6716caa55a85454039687681921f19163e9d7335c3a0a67a80c4d583ce285705408338b3f94e319227f262e1ef77044f45d5dee30

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b2f74a064cedb10d11dd808da59f6f1e

SHA1
84395346ae3b4bc667a55357dc80daf33c3963d1

SHA256
5062186a19bc55f1ccf7571a8e806d5d1cd1c7854067bb54def709fa8edbf187

SHA512
b2245cbe0b624e0cec73a5629937b797bd1f121c511359c3393aee650a6596ee5d8e8a67724cbaf96720204bf098e08cec33c6436cb88c680a5f0ed4631c9da9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ceb159ac51d41deffc1ddb364520e2d3

SHA1
e9b1234b9680a602c8ff19051a4528891455ad8b

SHA256
acbb2933fd621ad74720d6b9047b213c0f6382537cf0f3d38b18b8d9d6078612

SHA512
eca794dec3cba28652951f64da7b710992de1a0e0526ba74788b7365258ea262601f990e157d8bc684334e6c0d6bb28ba4a7c8f0858a838279aa82253fbf9c24

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b72b4cddcc8db3633b308dce63843326

SHA1
265037aa4dff883c9d40920e5088be37c007bf47

SHA256
62fa93d6b2ccb9abb35b965defb531b48ac9e2c9e5b147a2b99c9ac262ea60fc

SHA512
0d07975cf0ac42b014414e04a535ee4d09ac3157e7c54745b0f903967cca6ff86f6d856304f707711f86129e4f2711038f8feed81cae4be292b2fdd201d05132

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b56a2bad1d83915000973646a692030

SHA1
ab0f9e9f15b275903ee25be07216f88e1c6b9409

SHA256
ed01a359e1b81865e2cbdba37e6a4d08ae04b9e825137fb43889281da0d8af0a

SHA512
2c73734abc0c3c2068f0d2d69e04ca87062c96727587b6957dd043510d0e5d8f1e78fd06273842199cd5fe7107d07c99687d9dc9f326e8f972209cf00ae3b7fc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c4fb3d587c1c02ca9b64c11194958917

SHA1
e40a466721da696c46a137a25d27784979ef9fb4

SHA256
9b59905b248d2d8390db6613e047d290ba94343861dfdbb5ae770937f9a59835

SHA512
d3997928f35dc9a6ce06809ad37e2fca0ada2b436c929a121efad394e48b659cbcd88a9eab274f3904afdc3ad6eaa4ec00faacbb53f7501d7ac71d31267cd2d9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
346e6e1839bf9ebc0a34c42b5a784918

SHA1
981d05f92849aee161dadbb166a1413548493c58

SHA256
12a1ddcf10d3eb621d330d5342cad64c435bfb98e7afb8ccc8d8a7150e025461

SHA512
651f0d81b9c6d75eb391c9103c6a5a0210d0bf73c9e05b6ce55c50644dcfa9178da105c214dff9c67c6cc3c98fa834f33df210daab1444f9f00b94066594157c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dc383eca5e24d92ed411a964ef2113a7

SHA1
9b03bff6ef296a05c25a580d7ed67e3c9a010bc8

SHA256
7ff80e4beead270ac713528e88be56d2d028728d272eac5debf5b5bfa9143732

SHA512
9519d412fd95722f6fc79e557ed43bbc4bba3f6fbf0519b7b5d3d28663084f0bbd7391a08ef9a9d06649966355f852180d18bea14ae0782abed903c05a87728b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5418384733ef69d507895fbc6dda3af9

SHA1
fbcf94726b1630014d03b140d5c87c1018f27f1b

SHA256
6377f0e960c4539d118e71627e52b65452fe9d7b1f03b4d1a51151ad88c4b6dd

SHA512
715d7c57ce7f0d04fa4b3f66dd7ce800c2ed9cfdbcb257b60f996c1a38b876ab4416366ffe817fdebeefcb247c43ed850ad38f91c4739b828a3bd565217f32ff

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
4512f970ae4ef4bf9fb372fa0d1036e9

SHA1
a48171fe7dab988e9c4b29b02183bcbe04149970

SHA256
1969d41ac622a698035d92ca095ae421ae2c5f31c45e7b31b5b90b0eb56d5fca

SHA512
c6e5d97fb92060dfad4e22349d404da6fd3ff60a42b78960cbc0b746698bdca94a45bc20fb2aa60365a9ada3ec3fc1b582d42f3290e2fa74af0f7ec74742890e

Download Submit
memory/1044-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1044-575-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1216-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1216-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1344-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1616-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1616-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2000-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2000-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2000-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2208-113-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2208-167-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2208-571-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2344-574-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2344-152-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2500-53-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2500-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2500-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2500-63-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2500-59-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2712-160-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2712-578-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2940-119-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2940-380-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2988-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2988-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2988-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2988-143-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3048-104-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/3048-159-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3048-99-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/3048-98-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3216-108-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3468-580-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3468-163-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3544-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3544-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3640-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3640-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3640-79-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3640-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3768-140-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3768-570-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4120-1-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4120-97-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4120-450-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4120-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4120-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4560-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4560-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4740-572-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4740-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4760-71-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4816-93-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4816-86-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4816-87-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4816-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4920-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4920-38-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4920-31-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4920-139-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download