35465aee7014c058f5f214f02151db427a7959520059735b0d3bdab2a6eb28ba

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
Size

1001KB
MD5

1f0eddd4b0780161f15abb19854525c0
SHA1

876dfc01dab77435f97237d1b67ff0f6bba792e9
SHA256

35465aee7014c058f5f214f02151db427a7959520059735b0d3bdab2a6eb28ba
SHA512

2caaa9c3ac43b44d2e442cc4559d25c54df48b22ffd0b3f8dff6a4c3afcc288aff600c058f36c167808e9ce4ab618d94e1ca859afe106dda68a92e38685a3148
SSDEEP

24576:pDMS76huDyq0et/HU9zPjeidP1Yi/dGyA:pDMi6tsUpLei7dGy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2072	alg.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
2180	fxssvc.exe
668	elevation_service.exe
2404	elevation_service.exe
2864	maintenanceservice.exe
2236	msdtc.exe
2084	OSE.EXE
1544	PerceptionSimulationService.exe
3040	perfhost.exe
4536	locator.exe
4888	SensorDataService.exe
4600	snmptrap.exe
4504	spectrum.exe
1972	ssh-agent.exe
3632	TieringEngineService.exe
3540	AgentService.exe
3576	vds.exe
3488	vssvc.exe
4580	wbengine.exe
2448	WmiApSrv.exe
1592	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3f32d60c1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5276a0320aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec1b190b20aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008086610a20aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f467ae0420aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef64460320aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edbdb90a20aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000660e8a0a20aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
748	javaws.exe
748	javaws.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
3116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	820	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2180	fxssvc.exe
Token: SeRestorePrivilege	3632	TieringEngineService.exe
Token: SeManageVolumePrivilege	3632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3540	AgentService.exe
Token: SeBackupPrivilege	3488	vssvc.exe
Token: SeRestorePrivilege	3488	vssvc.exe
Token: SeAuditPrivilege	3488	vssvc.exe
Token: SeBackupPrivilege	4580	wbengine.exe
Token: SeRestorePrivilege	4580	wbengine.exe
Token: SeSecurityPrivilege	4580	wbengine.exe
Token: 33	1592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1592	SearchIndexer.exe
Token: SeDebugPrivilege	2072	alg.exe
Token: SeDebugPrivilege	2072	alg.exe
Token: SeDebugPrivilege	2072	alg.exe
Token: SeDebugPrivilege	3116	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 748	820	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe	82
PID 820 wrote to memory of 748	820	1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe	82
PID 1592 wrote to memory of 3888	1592	SearchIndexer.exe	109
PID 1592 wrote to memory of 3888	1592	SearchIndexer.exe	109
PID 1592 wrote to memory of 4648	1592	SearchIndexer.exe	110
PID 1592 wrote to memory of 4648	1592	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\1f0eddd4b0780161f15abb19854525c0_NeikiAnalytics.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3524

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2236

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4888

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
217f565d8300d1e1e398bbcd8cf78796

SHA1
75248defa1659eac51c46958fa2114d5d106d1b8

SHA256
2ea184718aef9f2adc0495b77de54d9a4c6b18db924b561da37b930945c8cb3a

SHA512
d8b57063afe0a8d7ea5d36d26852cef93d38ce1a26dfeb7b361d78c9026e1e362aa450626c019ff977598b5f29297f766b422b6d8a3a0243a63d3cde269d3481

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f2d16e53e260755f5e6703c750cae4ac

SHA1
ed31bc599727b4f6a1b6c8d4f085a88f1323d39f

SHA256
88b387f1092299fbce81a821c3d8cd6edf788e458261ce6d69b5e2aa2795a28d

SHA512
79c891bcd8291195c67af0dadf5c8d898e6bd334f5c8e8182e0003edfba5eaed856b5b2f55a0da151bec00b3ba81ff15bcbfc891f5947dd2e6d18f9ef4324f20

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
55342d112552ea78af5d97a526dc7d4a

SHA1
a4b178c91b949a84b3d5a7812bdbaf316da0028a

SHA256
a4a918bd8075de350fba5614b2d5b458ed4b9fd39cfe9b8e8f567728e65cb57c

SHA512
f1bbbafa5b1ff28553311b527ff0e9718e71dae10ab8f7b885734ff31104f34f89c0e91833698dc5f30a11a6f912adb05c74466dd88da4ed96ffb22bd180777d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6d941aaeaa991109ee80a01fea76dc81

SHA1
1fbff8fccddd31c67a1c88d3eb39d2d921e7f300

SHA256
acbdc5232e0142061a9a991ad07d6c4191e8307d593ac41e0149f54b8c047b3d

SHA512
416ce9ae89de191a11fca3485ef300b0a7822469d523f9f8428e394f768b321f9fe9037ab3db8d8788c60af807dce94996604b989607537e5c0d665641684f18

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cb156bc1a4245a9fbc2d456ceb319dbd

SHA1
f62c2cfea13577a140e7a9fda0ad22f885e0441a

SHA256
9b2d502929f7a581cc9c2f1fdaa9cfd2b6fcb782d09df28743572da9a1ffbdf8

SHA512
b1b07172315f22942efdee7e0ef6cb321d201a8b98f4a97d4e1c9ea71f5227d3e5c68c97f69a2d0c75efda72eabc3b75d11b14d0dc4cce30ee492cefa327dfd7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1746d8e1efb9caa0742a1ee6df2b8bb1

SHA1
04f7bdae597f2e46e89cf0d85002d97bfa8f12dd

SHA256
f9ea1f173cf8da34fcd4eefc38c0dd9baf8a222c910cca7b5fddf6b7dfd0d592

SHA512
4f60d0c3f8caea12d1e52cbe784090246873dbf3c1676161ce86bf6a16ab92301c8cdd9093f24c067b0893dc7e2429670d261b3636b18475d4d50092e19cd032

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5d3742bf9cc70a23c266293ca8cd48ce

SHA1
55ce2464aae2a95ae868356ed6a47cf5bc8b03f2

SHA256
135710828e8d017a31a28f17b751238316e311bfbfd30a3e7d87c9e972f9a96d

SHA512
50439578310d4fdcb52a40945507a31dfd75d6cf84e9cc51bddf6090ef66dd8fa4d45595b17e1be9056cb9132b4df61a9c4d1e07650b6916fc30a72503508191

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a64d0aae601e9b282e211dcc503edce5

SHA1
2210284e5441445a03293f1eb551607f574aefdf

SHA256
2bf55bbd74dd4ae8d7793af78882b98846396df0e8e73d689fba05419eb55949

SHA512
3675b9720a7779504d7e69d029147b5916dbc0d1ecb71b88c2fe6f854afb34284e1f431bb37dbd8869d5a187cb5a04e6127691422613505917b1bdf373a05ec6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
567fcea1b0da116dc03be62c267f4b66

SHA1
477188b1386787a34f488f60b3f4c4502d438777

SHA256
278d1beffdf37f9295c0eef067b4770cb2b5dcc376c43e45de3b026a3a2ddb28

SHA512
a1b8630420b7d9a2707b2d23e2d9eee5d378f5a90d0c6bea391b08bca40c7e161a50d8a874a897fc2c45047e11df6047b977778b5c40389a46d5dceefb94c77a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
98ee563cc08bbe3a0f60abfd001f5fc0

SHA1
3b88199f6423c9112d1175a19c75eaa69cc3277c

SHA256
1663ef7d4a63813536d9e6f9ddec81b908db99ef88c8e1a5e041ab109c051e8e

SHA512
f88657bf925d767cb8f3e766ccd779050426f4c943e89f2a460942d98cdeedae777cac19ca0fc04394e0a43925c18d81d0603f67d87e69e8110e3ba594b1596e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
349a428ace78102f9647ea0c86bc147a

SHA1
fcf49c49165e60495e96e0fcd8170a778f6e7c41

SHA256
9d5f9836107d31879b966cb579d07b099cf1bee083be9f9f3bfbd8812129a2bf

SHA512
d02cdca40dbd1b41adbb46e833f4907e5eac6361950062f9cfae8aef423b3cc1f94d40b9b3f302909b273ca241a3ec8ff416536de91d864d39b544bbaf7816a9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
68ceb13af6c45018a19f34a010b7a299

SHA1
97276f96c51f3fbfa3f4ee8716c05bcb67ae0bbd

SHA256
a9294db20499728a5ac3dd4b8d6ca871ab1fb8dd94771092b121ab2db307bfe8

SHA512
225ed22d465ad5bcb8fa2f84cf091f38bda6a7b4a184a54a2ff432311e940b2b6fe5527958493ee15e5679621120963e1111ce8826786610a5073fe40ed0aa61

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
38d609f3a9f80bd2c661801ab602ad83

SHA1
4f3cd766381ee80a5ebe1e7b6344b3ab99e83eaa

SHA256
8e3a2073b9c18525dfc3374178650b1861074efc5f5a28820abf549d6478efd9

SHA512
e926fd592c1d801182a5b371cc98780b3815840d8ad568d7475d7a039a80dbce3a470c0bc8a14686586d0d4c5b110e373986b0e237b800381e794e351e97a784

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8470675d5cdd693034161b4399066336

SHA1
3e555dd0ea353dc985dc38a2b9852ae1b3720a58

SHA256
9d05ea0bdff74f4524ec28083de5113e6add331fdc2fce193b37d82b10d64bdd

SHA512
6a058c7d132ae9f2b82c8377b611fb0c78f47df2b3e5ae78f61af6617bca9c6d0c1b9508406d0c42bbb903005b4b255b97127c39cd78f0b96f2bbf199a1c8457

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2d01b536964cc6720588f86ca37d4cfa

SHA1
6d07c7aa4144ad191d62c83837a819ea5e562ef0

SHA256
014d016c8cef080bfd123128b57a14bdc3c6a49d26f40ee6b004a4fc63d9fe5d

SHA512
2dc4c3b5ac0c14ce4ed311b504750b6ce528d55452c91dca8fe72e390ec82b390fee7db43ef622a9c14248f6bde94c46e8f6a08ba4ab069cd7b495a3278b7d50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e4c4bbb2887d62ec111e9ec5b156633f

SHA1
2d7f7b438c747b62464fa5194375f0d7fc064e9a

SHA256
d91fe05ed79172af2bb57f99f2d96e9cf91906a4d4a04b0f26975c2932e77817

SHA512
277134d9bc0eb619eed8d026d996e3c788e818b9ad45676fcbeefc502e069d6b3e59a687e3cf8d33dbb0223829cb510be232d642b0d4121fa1fdac6aae4dc619

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b42b382831e2375d00809a49261b9ec3

SHA1
b9261b5cef1361259a0d3716636e78fbf7e195aa

SHA256
f44e8693db4ccb26548a0251d83509d3f432b06aad1be00f6864139ab27bce15

SHA512
8d1cf1dfe86da8b8b6781511a888a922da659b892eb5e48f1e1913d285f02d200e19019e4c8bad85bb0edaa50c2f93bccb9a91073d767c303f5c7545ace5ee07

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ff2d051efd091b11217ca67d9e3cd5ad

SHA1
bae905ea53b6fdf2160d2e4aac800326f746938e

SHA256
9b0293b7855c00994e45273866e2864470700d27bf83b509c2ce8bbe98444b1f

SHA512
bd43f8d08ed55e32f31eb6478453c928208ed36288f19d0ac27a8b169099886fad30831612874d5dff689c2c6e6049d055497a0e260b6210cbcc6d7c49b71b31

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4028a872aa3b4b144d9c885864830e6e

SHA1
5c6fa958b0e2d4c7c855995b5dda2db3e92e8d34

SHA256
317547710950c37c335a1703dee331107ff51a06dab4a8907934c0c570c5acab

SHA512
a6e8d60e673a6ef32bea74111e517bdb85dc2a734e902dd7e9b23e1ae8ef5bffc668c2bc139701e1c6889ade4e83b89c7c1031d441242ced8c5b5ae4d1cf48d9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0a98cc69870fa44e242f02cd9c27c81c

SHA1
63a71315d472eb3891b0129e1cc65f08c4b2bfdc

SHA256
c4f3a89b279505a85e4d2bc68434230e654bde9ecbb84d8431b51cd012d3c4c9

SHA512
1dac201fb1d9418035307acdda12b6d5961b41b66f9ec04de59461fd7eab7f62f22a00f8f3255df3d61ca5f8926df964e4896b0a2d55e74207890f37df3c193c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2a3f1f2d6a32bc6b6c352a44db14d587

SHA1
fbc49d33778d9b283d3b2f656826435a5ffb7b89

SHA256
0068b27d05c4c7ac246a66b5b63f0a48635910d7baa11b21d5bd99fd6c6c39a1

SHA512
035f76d5b9b8140638ea5019008abd0e4d285d29bebd7bda4c1227ef7c93f14d2843ec90062f616c02d2297ef97428a2239a668a13ad52eab781080db9ff3d1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4ea4881bcdba4cd4b9eac4cfdca25e7c

SHA1
0da881d0ccc030192f0575f0831c0aa54a773695

SHA256
b1f38fa8569f249ed6bb9074920d4e039122b568320f45eaefdac0e8874199b6

SHA512
8944da9c5c24b8fb049a8692e5a10e34a7526430d1b96056134eed9c5521508fdad0e21ed10820db0385a8fbb1d2e432ac40fe6ced1dd03c4eb4212270b9bba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6b0e1bb8e5b2116c0cabf7dddce0813b

SHA1
c1dd7ca75c18df569ad47f9166fbafef998c882f

SHA256
a7fcb1adf53e9343d13485621de72fb18f5dd28de9c4a31175e74c69645e9e76

SHA512
bcda85230750750d6ecc580cb5e83b4fd6188a77d7a8e583a2bf0b0a5e681ded79ef655d59db9291018e419cbf51b66fa727f5932e94d7ac51b616e83b17bd68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
06b391b39a85e8b773263a4a8ac64c7a

SHA1
66a54ae39e85cce143ce37e006d671662d7cc4a6

SHA256
e990baed7acbc201e8264d5e0a00422d6bec4eb1cc263eb2f52e8ccfe50a8f5d

SHA512
79376f180035c6f778faa333da9f484b51cef43b1ad0bcf5f978d939dd2357d1eda337dade36e62d1675c23339229886eb8318cd5891857a2a50af0223bf799a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
202eb548cada41c80d8706d54d38daab

SHA1
886f389e4215648d8bc6e1e4936233524b05d616

SHA256
2f1f555cd0b6cb94f03c027d57153cd5fe1146178cfffa3297467357c9ab7a2a

SHA512
1099c62ff8b4afd2bb7de01c6e39111350070b240cbd58c60baad62def1ae459040e88e699ab086e4b8c5daeea3722046867951a4238ec0d8cda4690705f41c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bef75bd81e12f317677233521af50ad5

SHA1
6f7042a6a29a7a507b4a543ded063364ecde7346

SHA256
f434e235efcefd3eb9b3f74d1e2a44c5a2cf30430cb1b32ee824229360eec105

SHA512
f8a93d0c7d87792cb5499cc88aaa3844fdf15da7fced0e3c94845c27c0e8f29d36b081136110526a3e5d1a38b1dbe523ac66a999fea501f7ccbd430ac8d606bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f7f5f761ea99c44431171d8fbc3481aa

SHA1
06906202b4a55cc196db139a7833a4560648ca7e

SHA256
f3b5e46a9be0602429e7dd675068ac2363476a89a48ab1ca0dd3dc60979c9120

SHA512
5249a91b38b36272056cadecbc8a4cf291d3255c8e003d5f82597c910ed1b6392f45bf3be8e9dc95baa8ea68a54ece21d1fb775704bb9e3e0dcac98e5348ea3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
301c5203792405400dbf7c954891b522

SHA1
a1ed841226e474e2020e651f0f160e428ceedfd5

SHA256
b11f33d3600f984c6f1bd120ac3085061d75cb95b4d1752bd976a0bd8f5e53fc

SHA512
ab895e2b1fb6b71d96da5e2868a80a5ec138940e774d7fe2bf03ef6b8380ed7788768430ebdc8e20e76599755f832a2d87883bb08541b38129d523d6bfbdea0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
dceb0936398e224b710c97b56877345c

SHA1
ffcd8daceda58dc6bd8d3e46870af3f7a4012eb4

SHA256
f92275fefc11a1c635f0049ced36459fbf1836534416a48760c74c8f26ee051e

SHA512
3207f9c8d541c7dba4c57f4d43f1628be1668ac036da497588d5470dcd76d0fbc82d5acd472837a6541bba1b561a32fe96e2df0968bef724b907856e60ecaa79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ca5672899a7a1bd88abc5ce51a6f1fca

SHA1
e3b76e5578a466542c1dce5ab6631c7e4e5c1ece

SHA256
b3998c6e6fe84699a85fc6176e15ac866571925295569f0800825b2f7b317926

SHA512
be83d771e7ef710fe7c597b6373f0bb4e7b21e077c3d3ad13b1f4386a46c9b1d9ed991a5510f500df4d65f761c71a3521c74b893dbf184fefde138e9edc54f2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c2ecac0532cb8eb41444d88bbd3ed554

SHA1
2bd127cb3a3767f58d51a25ccb20000690392dab

SHA256
325067543a4fe9b0d32ac53fcd1a30c4df58f48a6454c8c77a2412e32adb4355

SHA512
388f7ff4ecf76543d0b7a6ac856ca1217af8212c394a9a869db7a585dfb66d76340d089bf8ca9f428f6c694e61048eb2f1af474b4bfe34f52a4e2c2514a8cd48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9e2ba564891a4fd17122dea1285ed3d5

SHA1
dd68e8f24dadfe2ea062835956d9f0f56a5f7180

SHA256
7fbc7ba70bd106d5760c619da358a255aa41fb63d57e17f81d05efc679efa970

SHA512
ac518cba1b4987412df8fc71c437f14bc877f29388237252a6dc443a47c0e731cd618d1ae3704404d130e2e791df6b4fe4d24d2e8d28ceaadd5b82fde1ba3ead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9758cdb7d09d255b80e9d4c8f58b8645

SHA1
c50517b493cfd2118ee73748922591f73afd987d

SHA256
15035d6a88c8dbfb2ecc2aa19eed9a36de443c85876dde84855c5311c2cb3c8b

SHA512
717760f2e5d7efad211e72b0bbdbfd20f62a34162fd40087ecb72b3adb6f202ec4b0bbcfd54c834847db2d48fcc40d186cd759a72528b463985135783edfbcb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
0b6223f9ac37432bd44c95de80d81137

SHA1
de899d344eb32f1bc3c50aac4c8256337149da22

SHA256
185dfdd225547cd9c87053fae31ca6030d7cd901b328795a47ee99d7f0e00e73

SHA512
d3aa62ec77b40397c64b1efdac845a7b3da52456441d24425a1224652bb2f86fe03e4e536b7d226e4e33ed03fc60035d6dbf691a0c9a40601d1e0b0f7bd6194a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5edab9b956cce8c9cb22f8f367f56f30

SHA1
ff1313122f49f9c06070f81df12ef874ec5910b9

SHA256
843d71eb8921eee5865593faeb6feb5eb51d596ea859ea68a0ad0421b9b2ef8a

SHA512
1f81dde6fdb797c4f55da5efd3d9d4e2501d80bc07ad1f4e61ebd236ba5b9869645bae30ca4ff9e69efd0cd4aaa92ecf84379b1a6e47ca81aad7a703db5ed566

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
64037d29e91dd6db26c49f693fba343e

SHA1
af06c62ea5d9cad32a15ccf0fa877762eb137f29

SHA256
72829bc1c21f0ba09a1b2e0f4bb3f6913f3ff1e93ea4444838ddecf694cd1894

SHA512
015680c089cf4d08038ae2967b90e8e26caf5c8362085f378832eaeaaa996d9783bcda5c614279da2dc6634e5dd7481687922006079b1db60c683233c2f0e503

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
12a0723093241521c16271ebe49bc126

SHA1
ec2f06e0f4eef9657e68abd9eef72a9e4c3ed85a

SHA256
e7d904628c257cc5231afcc5e8b18613da18d74405cabdcdeeca3207a593ae73

SHA512
ac777f6d7412bd2ba1f00d3c3eae154dff6d45c5a8a352e7b1cf080b8f780a2fc830413d62932a111cff18147b74dd8a9c5d169516307c994f2975dad15462e9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
daa8ceef8c794f1e32e781458510101a

SHA1
2c8f0c288e631ccfd92371512e9345819b5a9a54

SHA256
e8234efd7b55c10d2c665b2b449f026d555f9f38bfd98abea21633b054a1778b

SHA512
7e605eba12f0210959cb71c9a029ed1a2f15fa22210ad805ce2af0161e939e6fdfdf1b2374482454e0bcbb220ee5595d63cbde1cdd633f12d0cb31d5af73754a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c2f16b30318264cff5456eff461edea8

SHA1
cce6d78dfc486c96f324ee3b5c0d12e081ac2d63

SHA256
f399515aa9c51a63f6d03789c089cc01f15353574142988a6ab96a018d9e3fcd

SHA512
12d8c517e448c849475a1035e8a873b07e4c872daa23668b53b666ff5edd3307e32c39ce2ec5fad6f387c1b8c422bf5f7220804de3e6bf564be465c1d9bd2536

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
88cb8451784826cf2de663532e6f22d0

SHA1
8da0515dea0b0a7ebfa1c40d6e94e2fd97b3023a

SHA256
74a02c529b1e536184fd02f770e70b66bd8b0d463304c05007d8366dc000465b

SHA512
54173cab61f6e0d8383dacd57c63c1b1a65bdaf5a0be949521e4efe79124123dc3653e7d544d1febe674d68ac976e44b05b33bfbea1f46ff4f40e8df975e8e44

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
15219ff72b4222bb16c3615a98f85947

SHA1
6981e6bb53e460aa7f78d27d997f27cbb7060951

SHA256
13bc2035ef46836599db666dd460b43c924e9eaaceae0c8eb547b8297b9982e8

SHA512
f48d0ca7cc060cd08e229b63b1ddc03d6c08b5a607f983e7e7f78d2069c0bd917e28a6b7c80d8a9eea70c0dba3a1d68a67c6c4404c8e6f7735260d36c1039111

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d62a9b7628a40944ab6eb1036b4a21db

SHA1
61718ab049225cc1969975b0d04f49b0e2c611b9

SHA256
4b60d9fc283f67e30e835237196315657683ad4e12d40d276b11d72895dfc164

SHA512
84a791cc6379c18f28792e9abf45f0f446edff3498203fe9a67e631e495d259681e5e6fbb9fc064b37504b89c7b48a46d408bd9aff0b171ba600468a43dd95ef

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ba6c88a6bac70b4e5ccdeac31ffa9807

SHA1
b912c64c72fb2e44043af22e70142ed4607a4c94

SHA256
d6f698d7157d9dd0008c95dc8eeb1c579b0aecbb9a1bd35bf43cff72bf6f3dfa

SHA512
64b20d9671e08ff2366c07633f1c7428ef912f15b5428feefbf3c4cfdedcfa4afffdb9026276208c4db27cd69b7153de12ec572f04467bb2b1e9cb76caa54768

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e745d11395bff27fb9918636a48967a6

SHA1
54d7fda24b121389832d11f36624380c59998216

SHA256
e7efcad6b8b7760ea72084db4a157c8e3cc2bb3da447ab47604bccee22a9e4be

SHA512
9342bbc04377525ba605d272564b1a4efd6135c9a6f4da09f12e9f30b0a3363168cf5da43ac382decc703fc93769f332b78033179c4abed37a70556bac54828d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
819e65ac47fb0a0d8999d6a8bbed7896

SHA1
f53315dddb67bcf015958a4dae7c8fef3de576d0

SHA256
c74dfb66a5f9879d93f22f1e3675bff5a5fdefe794de200f4f75d382bc1a13a7

SHA512
2766b60872fe75e80b5a6a890cf4606d8031adc82774a43edb48254f86511c3c54a7ceba191586f05faa404055c6925c6d2d03c67ee3d5ae95eb0d72662045d4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fedee534c7831d07031874b71cbd21a3

SHA1
64f4318ec3b820f87ae623244e5b878e0b28d620

SHA256
e75658560f0661b978c7afc7684b00b3fe1d12089911af19f3ded7528bb64917

SHA512
3831bdb1ce99d1fe2f131383a229d44543bebf4a8780347909de14a2faf34e1dad50d39860059b9f9ba8f20d760ed64e30943a5b5039c1f07f395c998cd113ed

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aa99f92065fe5d35121510e4f0269365

SHA1
3f08e604d2346c5259f0c704e477386d7b285808

SHA256
6d6c8802f736037dd24fa9b3b26793adb905d505b5b01933717471b4ff9df983

SHA512
748c8da18e86a91ab57d2d42c115cafabd13862b35d531eaf177201091a253bb2905683c9c316e037c89847f54c41d95ca5078a2716d60c2ff48620c616fdddb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
621a1488e9dac21f513edf80d17e81ab

SHA1
17f3962739e11904d2ea8c9b05c9007ae4da710e

SHA256
50ab69484f68e2e081457f2549592034e1ea66ccb2ba08c20b1157aba954b4a4

SHA512
95c9ffed42e544bb07414c22bab45e96032833c0a65c50aecb06861342c1981a9b76d72aa7147a817581ea6c618516929ddb23a03bda3b23dd6f8f61a2951b02

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cb3538b2b9733f5fd3cd6ebf7eb0c536

SHA1
d0cd299968b7d379280ad85e749f23178b6b7ced

SHA256
a5f5dd72c90b85254c1a037c1744e387360b184d01df0ef11ed74d28b874abac

SHA512
dfb56c7f9331e034ade280a5f169efec17f06fe79ddbca184d082ef97854a56cbd7e02d7af0aa603aa11d0b6b601449859912c4af26f09279fe457b88e68e0ad

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9f1b5a88f90eeda6cd830a1ee3b7e484

SHA1
45c331459b008460a6545029129de205f8b68bdd

SHA256
bb99ea6a852c6343856dc574af03e88f859ffbee3c2e9d6d6bc352659386547e

SHA512
dcbbb3c6e67bb6fc4817fa2876cdb1d14bba4cc058fed7330e1c50fbf83b359cd69484d76d8fb51bf5a5f70e32a5f0abf13f022b99cf1008b0f58f260a859136

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
13a9580db85c8adb79d946ad389fc21b

SHA1
ca855ef1547516a0118d3eb9563c0e3cce1a9bc6

SHA256
d48be22e11ed38c8a39601f21203aa88f3e43e49d041d803700b7772db9a0d7a

SHA512
8a3ed2ab94d7f6fe2cd545a917dd6cc7c62a0309bc56c0637af2157fadca13cde51c0253636644fb48386a45a7339112eb0e6d4e41226fc5e4123e3d1436d2cf

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8a9ec0fcd8c386ef6d5100489a84fd52

SHA1
4b92de30e22561e6f8d14515c7615b5124d572bb

SHA256
8e0805393e991cbd26756d686a9b4362a9ff5fd4b1faf0f0396fa0789f5799ca

SHA512
a9742e0fc6717a3bf782ba0c2a63c650fdd3ae62292d4b0dfff93702b80f700bb65b1b19d711f08ccfe1dffc106122b4b9c5026be217219a050d4812fee29b32

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0a50dcefa1d69cf2fa6e43421fdea790

SHA1
10c86ce5fbc143b73af8e359a5cfda1bb7d73c90

SHA256
96b6f69b3c7bebef3058f5c00f8d5b371f70cb609275c6a69e00744acb2a4789

SHA512
5a896a8235f6bedb3df802535837f777e799f3a2d1efc85d5d9c932c8f8b257c5421e18ba5d7cfa6b8684f161a61e09538d4ba06c6e8366e91429388c1d8f926

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c868a8170d4bcbf6153fbf58e81d7b94

SHA1
4a52c7c70ec661e2c09871965a8934c605402331

SHA256
593391db1c08b9aca1def2597586ddc393565db5c69d4df22d41ba4308ba8978

SHA512
c39f38462938216ce9202dbc727271df3e332a68f11e9a299463e43b505f6c24953a1bef7597d9fe7cfdf54aada750cfc33e4eff92f40897cdd5673d53e35f53

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9e7e6e96826fd66e32525fdbc3ec6980

SHA1
12b269394e784ad5888d61c951b2335edacd1fab

SHA256
4768fc283e71330efe8e0fc9556903a73681a42743f74adb48eb4a836c8e2635

SHA512
dda4e3ac90b3b35ac120020b906a6717ce049db5c78cd36691008994695fe0de3b07d4a02e4adc4ab805eddb8a4feaef8c8adfb9da0ee0c86a47b798e21929f0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
df7be1082c260db13266a0d77202063d

SHA1
7211924e300b4c047969c50811287c252c0014f3

SHA256
975941d52e14835cfc89ca97a443118471fb107b1b5f0eea9eb0c3e3acd8d1b3

SHA512
5fb3b020fec04fd4e22acbe8d92ba2055d88799d4547129f063fa341b4e7e6572c8fd2ec54eac3fc0ee8a3701ec1561e7da5994db67ba1b07b3043e7b95f4fa5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
19cc3072344fb2ebab5cc37728f91add

SHA1
72ea1b59e3c971103d64b98ed61de546e2a0c26a

SHA256
b17062d6ea63fbb7bde20659fdfee187b37d2558dceda62fb4780bf39e30ff3e

SHA512
d8cd119f9040d7556ff3d8ad33b4bdc452cad6eb55752374169bba2f2b600a7717d4c548c060997fb5cfe1ac409aaad7d7924f7656a649aa49e522e7edc7607a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
486c6be99be46443211f5bbf6bf44baf

SHA1
cd099282eb73f1eda24f81914260da6dd7e57cfc

SHA256
3d333b096f7af7dd651c20b672621c14cbdec4286f064f68b4c64ddf6f3738e6

SHA512
f02ba20752509697e27ee963226648a38d934fa2fbed90c4e6887bca46e2281942b1d93bed392afaa240e6eab366959fb2ec4b4de40822abcb504e2732891d80

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
86425f9ecb6cb7cd0a36d047c6e7bcf9

SHA1
ca6aa84c674b59c70ecfa834eb2aace4f6acb451

SHA256
fb6faa3742161ee7f08deb2bb1743cda5462b9cdc66332a6cc9b7c0daab900ff

SHA512
a7a8b06ee30fc57b548aee46537f6441e44cb0d54d052f1f925eb1d4e66e764937fa30b9c7026d584361eaf30bfa2197768632606a0e24a80e2dff0c5c062e5e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e157fa3bca72a7f3a7a2cca8dde5498d

SHA1
542f6b1170df3bcd434e64cf763b5e7948e76cd5

SHA256
5f55f6b60cd6e2d0eb57558a981e2d92ecbfa3c7974be8fa4b6eaafbdb28fcd0

SHA512
e5ab074a633af6619cf95e0e921b305c439016a95478627ba181743608f42d4bceb60ef87c999643909f33a39f0d64dadcca751cb7a0c202d531c4a73bdd4f09

Download Submit
memory/668-49-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/668-601-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/668-55-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/668-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/820-471-0x0000000140000000-0x0000000140114000-memory.dmp

Filesize
1.1MB

Download
memory/820-467-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/820-8-0x0000000140000000-0x0000000140114000-memory.dmp

Filesize
1.1MB

Download
memory/820-9-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/820-1-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1544-261-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1592-312-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1592-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1972-306-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2072-580-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2072-13-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2072-19-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2072-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2084-260-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2180-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2180-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2180-44-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2180-59-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2180-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2236-87-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2236-259-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2404-258-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2404-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2404-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2404-602-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2448-603-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2448-311-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2864-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2864-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2864-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2864-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3040-262-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3116-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3116-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3116-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3116-599-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3116-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3488-309-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3540-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3576-308-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3632-307-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4504-301-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4536-265-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4580-310-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4600-299-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4888-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4888-298-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download