23adc67e4b0331df6f11b6d6f6c3979baddb0e4feca947e2688611ca40d314f6

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
Size

1.2MB
MD5

410291084a7e87bf5dabc726ba77ef90
SHA1

9dea49c49f81968d64e83b7165f45581e9fa1146
SHA256

23adc67e4b0331df6f11b6d6f6c3979baddb0e4feca947e2688611ca40d314f6
SHA512

dc25b7dde17b33c04bb045b30fb895272a6155c949c647b9b36ef606808142a66af067d152b032abb43623c860e2b0ab11589c158240b3151bc4c46782887b9d
SSDEEP

24576:OKJu3qCEZ0ZIUUjVatr0zAiX90z/F0jsFB3SQkr:OVqCI9UUjVaB0zj0yjoB2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2208	alg.exe
644	DiagnosticsHub.StandardCollector.Service.exe
1300	fxssvc.exe
3168	elevation_service.exe
4288	elevation_service.exe
1132	maintenanceservice.exe
4948	msdtc.exe
2232	OSE.EXE
1812	PerceptionSimulationService.exe
1188	perfhost.exe
1472	locator.exe
1320	SensorDataService.exe
4492	snmptrap.exe
3028	spectrum.exe
4524	ssh-agent.exe
1620	TieringEngineService.exe
1880	AgentService.exe
3488	vds.exe
5012	vssvc.exe
1176	wbengine.exe
3644	WmiApSrv.exe
388	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exe410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de09dd411ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000861cfad9d2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f31e9dd9d2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a130cfd9d2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d1fbcd9d2acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8f6b4d9d2acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
644	DiagnosticsHub.StandardCollector.Service.exe
644	DiagnosticsHub.StandardCollector.Service.exe
644	DiagnosticsHub.StandardCollector.Service.exe
644	DiagnosticsHub.StandardCollector.Service.exe
644	DiagnosticsHub.StandardCollector.Service.exe
644	DiagnosticsHub.StandardCollector.Service.exe
644	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	820	410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
Token: SeAuditPrivilege	1300	fxssvc.exe
Token: SeRestorePrivilege	1620	TieringEngineService.exe
Token: SeManageVolumePrivilege	1620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1880	AgentService.exe
Token: SeBackupPrivilege	5012	vssvc.exe
Token: SeRestorePrivilege	5012	vssvc.exe
Token: SeAuditPrivilege	5012	vssvc.exe
Token: SeBackupPrivilege	1176	wbengine.exe
Token: SeRestorePrivilege	1176	wbengine.exe
Token: SeSecurityPrivilege	1176	wbengine.exe
Token: 33	388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeDebugPrivilege	644	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 388 wrote to memory of 1676	388	SearchIndexer.exe	SearchProtocolHost.exe
PID 388 wrote to memory of 1676	388	SearchIndexer.exe	SearchProtocolHost.exe
PID 388 wrote to memory of 4852	388	SearchIndexer.exe	SearchFilterHost.exe
PID 388 wrote to memory of 4852	388	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\410291084a7e87bf5dabc726ba77ef90_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4948

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3028

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1676

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7442794126d8beb268eebac923c0f916

SHA1
54f2336ffda740675bd7396b630ae3c61c06dcb9

SHA256
ca03e6f72ddde78f6c4937046c3b0a4eadb6ba711c46e3e34279b7d99a31fdff

SHA512
f7f87f51e6015458df91918ad03c563ee1fad3413263692e7c04aea2963337bcae026d30f43096c5af82619cae41763bd2d513839626f4d408e14f98fce8865b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
3dd9845be888011d0ec735264ee680c8

SHA1
612383a5958bf2e970edce2094504b520c5189ab

SHA256
c0e5c4a2a0db61c0b18a7fd2ad02f8221079cd3fe713b7e712471a94c75b6014

SHA512
9e8a77a87018c6b59476ea36352cb955f23121df47db5d79e7b088c34f27d43c33b7a54c7d7e01385d349e7ea31accc4002993aaa6492a7e1c36999e18f08dc4

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
eeb654af670edf1d67cd5317f0014d7e

SHA1
5953274447dcc8ee8357aca350c5d7af9f863b95

SHA256
875749f1afcc9bd8eec0de5ecae797dd9558eb407bbb8f4cf0733938b82177ae

SHA512
5ed0942b1533c6166c2c0e4cfb5fced189f7ac8fda1962998e0234dd0f0eea794af234b15f9d4ce97b952f796b91058676c007a77cfd905bec920d1db4c053bf

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
f40cc72d8e23697fa7ac7c8d55e760ec

SHA1
8ce755af106c1af79893d24a2521e0402e7252b3

SHA256
f2720c33327ec7a167a99ea2b8383f1ee52f06ce476497ff0c443757eb37ca37

SHA512
8e0081da6538bcd27e89b428243f485d5e49cc36180299b87068ab6c3f008a8f5a9022c3bd597053b4900f04bcedd667417ae4b346841260936b4a324644fbc5

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
437f791ceef6c71483842af28c196ad1

SHA1
58cadcc9f33fd791b59ce7c47a8e0854def7953c

SHA256
768eb259e1b7c244ba08adee96f7c4465ca9b066d90d863f89e62edf5d20a84a

SHA512
855975a5182dd49222d4603a268f3f821ea7ffcd305ecfd8d4b7588d8acfef8e05ee1de26d60b8209b4826774e713e55b8a61d2b9cf780849ac270e5ceecfeca

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
5747c10f0b73db213fcb935549425fba

SHA1
dc9c2b320141db698433a351a6c219abb167b5bb

SHA256
b12c30a95b819650ef6ea79e0664c992cdab2b77fe8fdf552c57367b04b4ad69

SHA512
12382a96761d28e688088a576908ab752b5876c9d8a9a66239b0b0aa692df55bbf1093fd752573bfd40a1bf7b3b82f7311d86e2cb9a656779077ec2df48a7e96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
68463107a64aee18a6d05256738847bc

SHA1
ea5abd168e6a6812664c146cedb3ac614312216b

SHA256
c256b53c1eb6a14e04e1821f6cbfe008e7534b88b9dd15296bbbdb4e3c7253b8

SHA512
95ce7937aa502c5f275afd9c4328b7c433fa1146e72013fb9eb69a821db9e0a4b1d550b4c4a273951df9ff693ad7936f0af44fd90a43588c9bd95e222e4e0f15

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
22f7bfcbf3e1e20e8f7ad423d69fc406

SHA1
72cc0c1c9f280d31b26fe249ed360726721b9f43

SHA256
6468092445c3e776deacaac45b17d8090789a73f83e226cf28506c8cd30ed8f6

SHA512
0cbc1563dd4140e92dbdf43460efc9bf446cdd23b5d30832343c72189b83b4844ece3da0f004921be781b1de2d080625728d12c310a9e002d96fa36ac72f420a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
41ca8839ae2d5d36ab4a29dc64946bc0

SHA1
20a2a18110934fd0a040b4a5540d69e4839c7ead

SHA256
abcec4fc8ec44590e5037f2b49dceb80e257e896de5f969ecd8ef92b8a7b8319

SHA512
dd77b6e6c22acc61d39bc974a011841afe157341dee71234e7c7faec36ebc9944598495d4aff79fb3411f00f0fa1e5098e7a5fb7deed05e76b9757b24cd166c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f6938d06a2b75a827e339b4ed5704b0b

SHA1
be20d96b8364fa487c99c16a61c3c4d549cf0035

SHA256
385df035579404f1039de9e8e7d3d3221619e56f523c092cf000aabbd3b4ba2b

SHA512
f2add171da2c5eae7d4bb0290ee8c7b9fd32f2c04efbda8ce1ef603698a8bead03b238f6dee75c5659ee2a5859cc8dab3055320fe89b9067018b35af6b77035d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
7ae1b013bc2dfcb9b13a11ff0b3c9002

SHA1
106bc2c79658eeb0ef1d6ac5ff9da1f739de5438

SHA256
8c1295f864f76db6f5f4baa628059dfe01527ddcb8b42d577a7f2131cc6adc29

SHA512
2877f936b792cb45453d5f332ecde2d68fa22b3fb038e850ce2902d9e15196143aa11c6bd21592af5aa2b1ce6ce5ca6d975d6482b250180f8ca887b3df170e39

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
eb92b916403d33170a367e022dbcd625

SHA1
9fb873fe06c46c84ef75470eaf25adaafb6b7dd4

SHA256
55240361dcde97ff7b6ec971496e318ff87ddbeecc6c413cebd30c9126f10193

SHA512
5d4a6a68fb8a1e7af4550c715a5de55603f931e82090b247f48dc320b5d794aa562fc2c0b9b0f15dcfc2efdcdaea6959846285bd6fcc717f56c3f3a11c4fa10a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
017dd75894d9309135756a544449c538

SHA1
3e5bd417c5e5f3445694d0d9b134864d44df2b42

SHA256
0e37192aaabaef412a60f0c810da509b8702d3b15d0a4acac5a813c77f208467

SHA512
8eb45f4d56b72036255ad47776946abcdcac84531f655e7d248faaba4a058695ca38e885463810a7987d502ed1703e1e7cde33dffb3a85fb4c9db1e0aa15ceab

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
873c824ff94b2d503653710da86e5c82

SHA1
e5ba33ff2bc94796549f4035a6c0c44728f6415f

SHA256
140e509aea0878108441e5fbb66096b76da753d5ebaac598e68ed4a3b3f41e9b

SHA512
6d8aef1f48723b33aee833c7fabc1b011f78b595e2b59a53201f73a461a00f9eab1d7df296554b18270f8b077c245e4e3262e45be781c8d5dfa4949a59c3b6cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
1d09516b2931095583f005ea0d7e8d29

SHA1
efd152c5ae99b9a85452ad2e945827308d9913cf

SHA256
9b58b33fc7a1f66b38daae4345012b7a15cc0a891151e38eb891400c370f6077

SHA512
796c67293a4d390dd156917fbbf30caebc826d2ffeef28b43879ba5fc068e40c41f888cf6cea29d99ff07dabf50596c36bc403bcdcdad3916a60967b35c56b5b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
93471578fc76550b5fd78c7adf334177

SHA1
49f49ea92f1ce293b1a28c5c59a8d700ffb02177

SHA256
2f4d89c655501c5c2015d6ce12ebe35ef24de44d591cda1f3cb1985c8947cc25

SHA512
10d0bdfb33de55d3bb7b6b601b4174e010899cb578c9880c3e24b4aa249aab9984dbec1b10cc7057534b5425e48d35d25768f5a0ebc66eff619623a4ede5fd55

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
40201460927d751a211c655b9f1902f0

SHA1
b5a2b8fc3d589403e2f7ee9b133106b2f01963b2

SHA256
1b04b1840e223f0c19dafa2abf578ebebadd005364f747afd58d11f3eda42a77

SHA512
cc5d19e93cd072feca04141c4633675b3992566045c1b9572ddfedd33233b110b0ef3bb27e397531c3c900295b2afc240b5634d80396d309362e64ef07e35099

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9596225ac55e372c7e99b69ce4c3fa01

SHA1
9c705cdf41d6743c53e29d8e30dc30b781064cc7

SHA256
3c1b10d74bb44b21880a8d31d83e23f46d4b24b0fe77c9d7075df20a0a5bd21e

SHA512
27be3703781db260e0fa3ab8f5a17cb43c569c17d523bab432244f53e32c41385a3036448d24ca585fcb2417bcf76a9b1c8ba4837a41205f75251941da7f0985

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
bba275a3026e234ae647f25539545920

SHA1
966bcf42e0f76e4974f03dc0a2d21f87a5256804

SHA256
26776f04a8e7c22ff7a66d58b8d88e5df37bddf90edc4fdb0d1c0bee7262a25c

SHA512
2360833f9d8fe29ec893c9143d7c3c7d0c153a0e76cbf01bc061ce2aff46d5af109d8d29517e5f5c5cb132aef1a25d8ef9be13a7e67dc20187f39f17c160b8ee

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
3818df3bbb5d5ccaa3b6f6f8877fd018

SHA1
97b1f2cea8eea85d99491a768e1f3662ba0420cf

SHA256
83be98eed167abd2dc35eec48bc1481b66034d36dbff7695533b1f05aa42ac0e

SHA512
5e312e95d4d14de026d6336b281dd8fa2d8c076ef03a40e2496beaab8ec0044a8402becb7d63ad074edcb34eb8976c9b22a5a948ee6851dce8050359773e9488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
8fad168be42a7b3520a72471d6514f1e

SHA1
2c52ac5c35ac06204b9d5b047bd0c4dd0d045b29

SHA256
2d03c3b6127969820915ced9baa1f4d8f06085802c51a6c8cfdd04966eab14b5

SHA512
5b9c2e447cda934e4dec5397a13da225d76cf6165c23d8e0e05019cfa59e38cd87f4078c03b9a4beb6c0a859e1d038f388a42f0f70f10da8ffc41930fc21d7ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
9bb0de9c620dda1b55a48aaa9d2a8f0a

SHA1
714715d13311aa6b7a1b1928986e6b03a601fa46

SHA256
3352ecb8f68bb58efdf46bc7406cbcf350a9656de891f8da796ff50f20d8f44b

SHA512
a329b407011a2906768425d356fac82b8ef834062f53ade4e82e46bfea0d979ddc6c85400c2b1d9bf274ae874e0e313204f1e52748e7045d1d01248e47ac9676

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
49b755b81711ba696a28b0f8dd9e0585

SHA1
00f47bc7ebe1bf446acea141f481b2de66f74fd4

SHA256
b9bb506a78cb4c6eeb04df725404fef317a51a95e1d0e1bf254a564f1a016270

SHA512
f2065a16b94bec846da9a4bfc52df644997b25a8093164b617b231a5c54a5e6b5344469111bda161c5f249c57b2ad99a694e312ddaca3d4a8f912b2f89bee9be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
c5505ef91a7cc9f39a9783900e8901c5

SHA1
7d2784b923c9d81f5efc571d62b4570803e8688d

SHA256
8f79a122dd847fba59ab4b0950a49b99d7535629a84df7249cc933987abf0681

SHA512
ca9e7f32151d2ea35e0c4320793f85df24eadd8bcec049a331d3d7054cdc27b65316a179ac6cea679df2560cb733e127c00e3f6b56d5324078b8cc2eaf2c4a19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
aa614f41382c0766e14c3c446328136a

SHA1
15901afbec38bdd4505bb2193dd351800e66679a

SHA256
92bc8c7a31f568b5ec922f40f77d0164170a83b7898f27aba61e851a9e5eb105

SHA512
165d0b989f5e60116e05b3c1491c2543c7d3cda06dd59735ee625c042ef737e851df93bcbfeaae03687b998487f22dffe907fea2fd81cb38f2b059a9f3168300

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
1aadb90ee992d907468be7b5df974259

SHA1
21a991922c15ddbf06657aa831c98d761b9aa0fc

SHA256
d745cd18c7ba983bd2612c5a55c591de4d41ac41c6e921c2fa3d73dab118f634

SHA512
626ca18d5ad542d4a490c605bc9a7eecc50ccd4b0587da696681d20c314ccfb6b422030ba1974dfc4a0d1eaec1bd63e9a6ed4f9cb9caffc3fbce9f076697e559

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
19145c0587289f5a1e571b8df0d2689f

SHA1
b7b78dd8865f5fbb163cebde92d134ac7825c104

SHA256
37749cd08a5a26ac99cf548a583fc6b167819c0068723c8e9e6454ff06c96611

SHA512
b4a2c9fdb5706bdd1d6c5415732ceef0dc36474ad54351d514385a216d66ad9887b0d07f91c1067216d4a2503f125cbeef04016953a65b67dab02cb39de4f92c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
ba9339db1c28f4edde5b75db86e40ce3

SHA1
efc7cafa1b74a16622ef3ee416b824a147d04d2c

SHA256
ae84a492999fbac5552ba242b3ebdb0b6bafb86ea0bb3973b230c22bc81668e3

SHA512
4d939c3b781822aab2620ce3e8576fb6d4179a40fca59c7310ba0193c506b0c74bdb9ae24ac1e28a5c77cd65604b2c748f15386f21e5e02dd24ab2f405db6214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
fd31d12d09b5e0ae8336ed906b112562

SHA1
bd2ce1784a8edc263a58b26122307751e98a8f2d

SHA256
586ee001c40a91067ce8414fcca6a7d71b65a414506d626c9f5ed4ff25861118

SHA512
8ccd7b35b2294a94612a8445928c4b7acaf54f33de65081d0102660e6cb498d9d08ea1722613fc22874d3737118b6ea82a47b161cd40c03b3230b879ea1560ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
34ee6aca90360ea604afd00d4bbf69c4

SHA1
c1d3d5c090ccdff7a9a037d18c69178cdae4ac8c

SHA256
388d1bd51c4c08d988f4130a22b669576dcf274fba7fe37dd7026982653562ea

SHA512
a5e11a8ca2ac271f05ab84337ad7cb2f121e5d331ddc7c073ebf3acace430c01520f78bee271138aa2ff6258f76414d8a9abf11f142913bdaffc4c8a87b80e2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
1cf1d9baa3e41131bc8e44dd7eb74ce9

SHA1
b97625fc5692fd5792c159b21aa0033e221c8949

SHA256
5573a8217f78c31c565118f4c409e13ff9f1ec64d8313130ca58628a450723f2

SHA512
b80b7a12cbef170de806fbc6838d0619b301a6ea920dda931560631314dc0a41c93f93b7f510a75456dfe2720186b4949fb0592b0ead26542fd49bc58f4c5332

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5b8b4258910530f57334bf4585efcb58

SHA1
a18b9c0a6dc40f23f22688443f99a9ec3d3a8592

SHA256
d9fb8acffebed2c0185caa93caa47cb14e7e8829ddcbbcef01e7211f700a4e73

SHA512
174f45100d3ccaa68dc626d2e9cff60ccc26ce91e667805ccc4dfac3c59a645830c9d9a8000d7a7f91f6a46c15ef4b162cfd72d3cf36ccb9602a731690df3c7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
0a7eb5d99b18248731a7e85f84d985a7

SHA1
002e9c2650d8c9086f831b21acf700c89874e70b

SHA256
833ca38fb909bbfc02933dc3b7503d36aeb6f211cfff2b2373397d19c7536360

SHA512
b3da124ea1933b2edf609bc0974d1a38d23211e7c12ca96832e105e151e1eb3be1f99ef021a17ef0b059d948b181ba99624a9f3fc96c406f2d96630f6ba185ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
b99a048a8905db43ea35c9b1146e96c2

SHA1
98a85a65aabe7a80e577fd4d0194543e65c7d6a5

SHA256
8dfa8c0c805b4c63dc7bee848b14c71168df0fac98d7024e4466e68daf8df044

SHA512
726534296758dd052c5596fe33ec99d9f07c50d655a3a61ba50838dc47942c0e85a6a3b84ad40855b97e8eb6c8e78e3541c22caa8321379854d48fcffa50d021

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
11958dfbfe5b9593cd6cc9166cac7bc6

SHA1
e1c5d0d2223b2af79eb63ec16096d26abd041c20

SHA256
bc7c871dd00d68730fd39a98c77d1e1ebdac91b064492a0d22cf4e984b12c94b

SHA512
8d85697350c43f5e025adb4f8257b885517ecf77d5553c8a605420b3a7fac0e47925f9b0cf9ff457e370621c29edf9d5361ce0741c1ebc0bb9862953c4f6557a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
c2ebd4b3b323ffbfd30aea104012e9d1

SHA1
766dfec983cd92233dffb08dbc0d01ea808b3dde

SHA256
aea985d0be934b88f2fc326e0d4e3cf6b57c5dcce33d6460611038b9c4dc7e10

SHA512
fa2f68f3b5adde8b911fd743dbe656f18e14e3a4cde8b3466d0b4c9d5a38b2bb3a8e2e81cd99e0fae0d1ca11aabbd7f3b0017d82e9b7c9817d86537917eebac7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
21b2eb9329d5ff83b53709c66b5bf4b1

SHA1
ae30e49449dd488753107dbb00fbd22b4368cfc5

SHA256
71227f4ff561d2ce045aa1e1d8c177509f8c88f08347c2ddcdead39acc20a40d

SHA512
e0c16f35e258c31e464a1b920abe734ccefb14bd05cfb8f61e5ef569e7b9965242f3014983556f7e2948cf4322f90b7e62f50e07fa47bf8a86f048ffc39358ea

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
d4981592d9b6d5862a0d362ee1dc1c84

SHA1
9c6457d380cefda59c6bdc1872394b0c428f27df

SHA256
1e62bda18a37d51d181d21e8b059fe3a86b11c6d920f88c8ca9b09a7b6cd5507

SHA512
4f7fb1257b8632a4cf7d4cf38bc11c18415c9411893f7e23b412362d1cd18e41220f268acc8d5445ce5122cc75d5200305d85a2f7741128662ae01e41fd5fa3c

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
0cc4722a7b50995f031f02e85d705f3b

SHA1
c8e1cd159861cd900f92c33e716295f5c840d1bc

SHA256
81573bf1865e284d6fc8374616ccd7d8adb2cab3a0b90774562874bbc70de047

SHA512
cfc1e7641597d5d7ced507441c304530e50e116444c571e2675573e6e97dd11fa3ae760ea3872341daad93353b5cbc2c61d3093f2769691ed63bc14646dbec00

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
c845351ed8f02ca36ac6701db79e9fc6

SHA1
8ea84934c0a0813974a2f6225de5f77afe928ae6

SHA256
d6d2a52633e2724229611873e4ffda20ec320b69147a1f0a3b7c1a7dd6110900

SHA512
a831f0c2141e137abc166fdf4c77d9bddc62d6f42987176072537a974766c9ba6d344267d29e8f895430f6c70254e8951cbe98086460db8c3b8fb16a7f0bd2fb

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
919f045c44e418e21a20f620b2d1be52

SHA1
77a234835281af748f84098394db3e405be0567c

SHA256
0b7729f068208ecdb63b1985f1390d5b46305c69b62bd82e56ddc0e3a4f589b9

SHA512
86a7a4e2aa495d602019f49d18673efa131025c8f63ed7a8c2746505cde1f44022e4584a22dca44eaa5f8725fde5c9193be599de5443f40c402d23a82e19301e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
4fbb94568cc319690993f4e43fe4940e

SHA1
31534384a27e060d415665b57dcf30dde80da657

SHA256
67c3cdb40d62b9fae598e6e8fa4ae6746dcd84b456cc1bb5302acf7acf83284a

SHA512
3b5fd2cf36924f2dc660b0a6cbf1133a685eec1ba51d08269c68bcf200fd4b15ecb73cd5a4ac1eb2156863bf49ca20860ca4ae093c931b86f2d6ce43c3d64338

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b0725fb7bfb4a95c12ee9435832b9c87

SHA1
00dfda4023cbb506380b2ece6b8a4dd6b7244392

SHA256
669b4b4ee88f2967e94a64a64de5bdd77c90d1c48294754aa87b620840b7ac41

SHA512
a75ef3be270039ff76a8f9079253c4dbf3ea7d5f45c3ab701bcb419d0f0810878e0a1ac2c4435dcdab4d45c1d3fd9dc85efe88146d964bd79072c262793fb56f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
280525456d45bd1e59766eed941eca14

SHA1
d0f04f4a1cb66a64015829e9c104dd7caed5c7cf

SHA256
83f4f14398a8925f4e1b40dce2bf272f777da8dc00ed04d01689851053162125

SHA512
f56939f438440f2fdf666b93fe61c52dd17fdfcc455bf4cef49c38075de807756c2410b40c1bda61e2942c514a43205ed7528ac50a73b22bebb54a1619cadb32

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
68378e69367e6e2a4384d2343c629121

SHA1
b5c8f2ba7e0595bea8928311a5c442bdef77561f

SHA256
645149b7f2aeff6b352e2a601ac557d0f4b259ef21214f50a541294eab4946c4

SHA512
563ab53df901f660f6152055f1059015fc182e0940ba6ed880083ddbd4b8cb46457efc4129191a881840e7e7f3fced5930b4f6d08c3f853e39caf658a6d0f4c3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
b9a4d9c57ae86f283624ff828166bfaf

SHA1
a6be3ae53dca2ceb0db811a92935fddcde68e9d7

SHA256
c6cac5ae7734e1893bf68b6e228389cd5980fa4d41ec187c1422e77eede1d5f5

SHA512
29d4fdfff41c1276a3bbd088f3a548d585bf8fafad0240193be8399431d58c73c95e67bbf72a5cff1be4107634ae8ecaaaa327be09ea4fc4cbb0a96e4da0de67

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
1fbe9da8b91940f6d2a638520f951b69

SHA1
bebccf78eb7888ed6f15be4c7a5157a0a6b8c8b6

SHA256
49808e5a3b268bd29e7f6ae986980edfec1cd8e9fb6346f384b563d0f3273f62

SHA512
4fa0e200fa260bb636d53a2b0eaf92dccee007f7c2ac6352ae851f2c543fcaf1b0ab203c064b4dcbb6b4dc57db5d515d6f4e7ea89ed51f0d137da5fb4225bb90

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
377b09e51a8b4395252b7ab2e117f0c9

SHA1
31f41f3701992f11ae77897e44adb2c80e7abe15

SHA256
2ec5f72dab947acfe0b6b3f39d536a103f8958d102ba8ef2fa574d6156e3e91c

SHA512
b4e78c9fc10bccdf2536261f8098699f40f3a683af4a9e59556c5d3a9ce4dd02ae8ddbb2fadd2396b77f3fd7844d99413dd2f61ad8dda038156adbcb30b847af

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
89fb551119374ef5c80eee65a1c3c61d

SHA1
ff334fa7f3cbb9cd49cb28fad401e82b058b77eb

SHA256
ab18040144a4a09d586b653b6d95b1a94feb6e5654dc12e50c9fd611f0f46a05

SHA512
de462c8f1b979ac76b71b178cbe7e0bebb76e023b5e0905d74cf2d8a6e138bd38791261da0c466b24ad87a82599ecf6ada3fc8bd22900fd9c6fa8972f344f3d2

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
f28ebf38da29a29fe16804b2995dc2d7

SHA1
c1606c8342fdda0c629c3411ed98ff0fa618bb8b

SHA256
1165195f6621269e81317c18c3001cd4ea5d7e5a2f4d29c435bd8fd633b31ba4

SHA512
eeacaa55b2e7b9df1e77be540380db39d8539678b657a356dbd18e8d64d889204e5ed6bd036bf5e1a78654844c19ac03594ed622c9c2c516e6527d52be477131

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
595e13c7922afef0b6504be12d959141

SHA1
e19aba7dcf3b0cf5693091d95244eed7fae5133f

SHA256
c7e5a666d6cad2b994f27ae6d4a57cd6a65bf166fafb9139f04095ae86c3a1c5

SHA512
5c9e1352a6ee25c30ec13738eeb010e7cf7f30bc3f9bdd5ca88f9de52a9f592537b3846727eb350bfacff2fa42f2e58e3ca355fa24545279910ecd8ec2b47bd0

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
65886fdb27afa6875e422cebe6d4ecd9

SHA1
667f4603333db65028156bd17c9d23a3d4510624

SHA256
c1455b9c2e8a18e38ecc1ea88c9479f980f2e4001ddab12edeb2d4714cdcfe66

SHA512
bfa35a3a70739766a7c3e73e552d89068266956d7fcd5908678074d94dcdf108b9e6ef10d03f4d98e01e474fb710f7c29dd59b5d48e4c4d41bc9de5c9813d083

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
3e440c8c533e62efb7515c5503b254ab

SHA1
fd14f07d239430f180f478764c51466a3c126576

SHA256
36a1faf0eb9261f96eea5c2b94ec55a28e833f4d48957a904f7f24e01a4b9f36

SHA512
b3ba2415bd79982121e122c6eae0c39a459e33699111e1b957128042404db3ef16a32f6e2509c72bf98fbcefd4d00ed93fa4459fa8a7b5824ddb4625a01103d0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
fdfca689488a689d34318b4a6e19aad8

SHA1
31dc27f1644fcf0ff24b226fa354e4be61923db1

SHA256
bd32c3d41c75d6acdc30d3a030575963dcb118c7f550fbfe0908ed337e471229

SHA512
38953aaa313db5ef0bfd4400cf76cd88325aedeeb0783d92e36a9cc41ef4a3493640d75d42ddfa1bdb48598a881b298895cf5599cb48428e9c93575f9abad600

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8bf5bd0d4936baef634aaa66c5efead1

SHA1
9de8bb4b2a43e4372a704926765f65f54fb3685e

SHA256
dd1e34b82c161b38849e043da9a313059196188137de2417a54c5a6560c8cd52

SHA512
dae81a11502275e6fa14f509f3e8cf799610cc70ae5d4c1c678dd3296cfe1f1188ba972d6092f7431da86252aea2818854a185869f43bfaef37c6b0b430254c7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
eece81e0663635f6909e1661729ff6cb

SHA1
7b4d2e9ddf2ec80827ffaf90031b0e1756b16567

SHA256
d295f970060ddd1dace63eb7208e3fc3937182af7c25b447fce07fc0e97b6b5f

SHA512
f510f60264fe2955798b172929a9812c7e7c4a4070dd4edd57924bc52fc88d661f2564aa20cf9e3f1a8ae75bb53d954b8b695f06e1860076fc341967f3334d4b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
41ff044665d2eafd434ed746fb18cb0f

SHA1
69dfb9e362553dd60cf609080c631faaaa77f784

SHA256
12cd86c2dcc1d3695742f93548005873940098b970cc2d488de26994e3562ad3

SHA512
4ba5eb9c4a6d3733326fba2e203e4b12a1072911a6616a48fc4688f9d9db489353af986676245885af2db715ffbc0758384a815fdac68ea50479c2fd229e8a0b

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
accd03c1e87a5e9c8a73a02101ec7de3

SHA1
fd08539fab14515e2d9c4f0f46fc15db0a115f93

SHA256
e3680c7a3d4b36919e5e8ef4d79605ab88189920fac69adf4e4b277a50ce90fa

SHA512
debc44d608776c7ae2f0e7a34bc394d6aa69431d4c3ef860a9d2419e8ac8451d3bc7d05f2ce82e959c8b3453f3c804af2b7d954adc800e28908ecf4f0337e272

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
5116cb696875cd3bd33684988da38ff3

SHA1
df3bf8e0179a084b95b2d574a39e4ed64a29fa01

SHA256
e3ab9b3d9cb674b30a4f2836acac6398b1c2969624cd1b135572b20c102dcd2c

SHA512
d81a8ad21458823921c1b0924040f8119ccb9c730e50f7483639443baccea017559b55e0255e5ef4b972b911fe00c109e8c94f0d51cdaf6282bc11b9978dce5a

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
dc3a4f312af5d2e43e44faf769aff8b1

SHA1
f3c2d8cc04b72762868552fcf6c10a976da3ded3

SHA256
9026a6e6a52c20453fb86ba0a8e450b97b2b0937be7fab63b0fd4cc4408a89c9

SHA512
be8dd785a3a4bff20fba914237e6e65aceec2c2ea6e9eee77c11a1a1e09d7a53cc8149871aafe2fee89d0d177be6af5cf39f71a966c317cc4e5ce8c2b9aed1b2

Download Submit
memory/388-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/388-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/644-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/644-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/644-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/820-396-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/820-397-0x0000000001E30000-0x0000000001E90000-memory.dmp

Filesize
384KB

Download
memory/820-0-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/820-7-0x0000000001E30000-0x0000000001E90000-memory.dmp

Filesize
384KB

Download
memory/820-1-0x0000000001E30000-0x0000000001E90000-memory.dmp

Filesize
384KB

Download
memory/1132-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1132-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1132-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1132-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1132-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1176-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1188-253-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1300-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1300-60-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1300-45-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1300-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1300-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1320-256-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1320-540-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1472-254-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1620-263-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1812-252-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1880-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2208-21-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2208-589-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2208-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2208-13-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2232-251-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3028-259-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3168-594-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3168-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3168-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3168-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3488-264-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3644-269-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3644-596-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4288-84-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4288-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4288-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4288-595-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4492-258-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4524-261-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4948-90-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4948-250-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5012-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download