e22c00cbb7375ef336ca7cede02a1de10fd125b0c45f05adaf77026f9824d921

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
Size

1.6MB
MD5

1a805d8ac143fd060ee75147ab9aad70
SHA1

0d6937358154af28b6757fc776429948743288c1
SHA256

e22c00cbb7375ef336ca7cede02a1de10fd125b0c45f05adaf77026f9824d921
SHA512

bb365f0f84f0bf2b4ad38d6ca55aa67e40e1f76ac62471c23897ab89de823aa2f7b4fab7b2d762aca1365ecc39428818144b32232b4fe871ab47d688d928b51c
SSDEEP

24576:mvyHwOhTJ9BRXah1ADRoibTiCl45DWL8R5A3Jo:mgfhTr0GWaMWLWA3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2664	alg.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
536	fxssvc.exe
2996	elevation_service.exe
4368	elevation_service.exe
4872	maintenanceservice.exe
2608	msdtc.exe
3108	OSE.EXE
828	PerceptionSimulationService.exe
2888	perfhost.exe
1924	locator.exe
3560	SensorDataService.exe
1056	snmptrap.exe
4964	spectrum.exe
2968	ssh-agent.exe
2032	TieringEngineService.exe
3468	AgentService.exe
3244	vds.exe
3404	vssvc.exe
4080	wbengine.exe
3360	WmiApSrv.exe
3140	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\94101a10293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cf1186479b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079ef916279b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042a0486479b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f672e6479b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e65a76279b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ca9346579b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b3bde6279b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eec6a96279b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
1968	DiagnosticsHub.StandardCollector.Service.exe
2996	elevation_service.exe
2996	elevation_service.exe
2996	elevation_service.exe
2996	elevation_service.exe
2996	elevation_service.exe
2996	elevation_service.exe
2996	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1988	1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
Token: SeAuditPrivilege	536	fxssvc.exe
Token: SeRestorePrivilege	2032	TieringEngineService.exe
Token: SeManageVolumePrivilege	2032	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3468	AgentService.exe
Token: SeBackupPrivilege	3404	vssvc.exe
Token: SeRestorePrivilege	3404	vssvc.exe
Token: SeAuditPrivilege	3404	vssvc.exe
Token: SeBackupPrivilege	4080	wbengine.exe
Token: SeRestorePrivilege	4080	wbengine.exe
Token: SeSecurityPrivilege	4080	wbengine.exe
Token: 33	3140	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeDebugPrivilege	1968	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2996	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4696	3140	SearchIndexer.exe	109
PID 3140 wrote to memory of 4696	3140	SearchIndexer.exe	109
PID 3140 wrote to memory of 2440	3140	SearchIndexer.exe	110
PID 3140 wrote to memory of 2440	3140	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a805d8ac143fd060ee75147ab9aad70_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3276

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4368

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4872

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2608

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3560

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4964

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1240

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e6efb465181d2f4a2efab00fde4e6a29

SHA1
dd8ec00087e101eb2c12dd1c7e66c7627d77358f

SHA256
75b6f11e06056fd70abdcc6febb0e700267f47117a94011eb0657f244591e6dd

SHA512
e6b121434ba929938aa7bc8631ce773704c97b9f219ad1f3891b39ad3a7eb50d168171d23b73f94a5c5f01c81f2fcd4f99847681ce8549fb281bca8387a933b1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
71cf9f9388eaddaf34c556bfb173b7b9

SHA1
5d721cd1c0c45a4e8ba715b90d379ad8e6b07166

SHA256
afb04a389f9712b17ef3a9fc84477cb320c221bb4d62b4578ccd299a9e36b25a

SHA512
5b0fa5e0581f79320000f60f48144ece288fb914a146da20222b8ee458ea03f2683f508ecd472474a355d1c1db743e28756fc1ae134650eadcdc51f4a06011a4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
851f6104a2f34361d5d663fd6e922876

SHA1
5927d865928c0c18c59e441650370e5aa91ba6df

SHA256
5b904dd17626993c8a23300c9d5159d7bc28301e684549405261c5885caff433

SHA512
ac882145a3e91a8396039a278f2b191e075588768a8833200ffd04224530612c1727550121719e89b6490cc59de85791e0be7bab4c318d5e35c8ac70c6e181b0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1da12e891bc892f8d08c26cd23a7f876

SHA1
bf6e2a99edd371f8ccc676b5dd2487dc2b14ca85

SHA256
98aef5afc1ccfa37d630fd506ca892673457086746c4f4fc3dee8a7389d918be

SHA512
11325499b2cd9548ee6205a59be40fde20a3d0ad4c1b1d2f5f2a862bd4e7ebf91a367756336e0ee6c23b0a3e09dd85517e78258139245c9d020e8c62d3c8435a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
76c1bc1d1995319aa412865769eee51c

SHA1
e90d0ad1a2538fb8dcdd68e84f77a4bdc4359e84

SHA256
56032a4b9e89ea7734a221478436df6a28f6f20f1dcc7e1837c36c9d55629044

SHA512
b742eeaeab15498e1036ed75874a3ef16c7698588250b7e1c6cb9281fc62826002ba58d4d5b1f43ca54c3afa59095a4e2c10d6a3340d2a253332d3f460f249ca

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
1e0c384374b99a67a0f926636eac6a8d

SHA1
fe1c556a49a06e608355fb7f895a30afe54cfb49

SHA256
fc6eadb3af28558449b9671d9407bb00cc33c5d77be01fd8f2bcc110fd6c17a7

SHA512
f5a254776f310cd21a1b4eb384a0865b20b285dc6e045a9e99c1f40b38f4d5af6e675d067e9c9bd10979d9ddd54d2f6da45feab08c432385d639588b30698841

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
4852b4a26251e8205d5b3e6e5d5da2de

SHA1
1ab89a48c5ff3aea7d8d05e47397882417339b13

SHA256
05242d5e6e2044f5fff417cae19367cfc3eb146907c3650748ba1a2fa6897aff

SHA512
145f071f4ba214b20daf9fdcab7a4391bd115eeb905dd027ffb3074b110a0c126cd463776d70d01500e49891cd094ebd2d39d3daa35e14638845e92f35a8a3d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9a6fb7382c29e7d444f259f5a1dd1a60

SHA1
ca688c50e634187d85958d127adbf737551b740e

SHA256
64b4dd817c218d2393f3fa48171410960430609b4fb98a48927ab365bb9da327

SHA512
cdb3394c25a24e399f096d3887daba61f2b6267a025e740c418ab5afb660b5952f7bc358ba040b2ea41deef18c98a446967aa9de67517f8ec27d5613934cf131

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6e8409a761f313b715fe30c45a3c03bb

SHA1
4ff6b3bc026c20dd198c343821e5ef6858c74ac8

SHA256
3dc23395986307772646b60c6480cd7a8c20174224bba93478b5106e5d7c0265

SHA512
49587a3d33a50af9a5e6c18215b4b6d3069eee30debbeab1d3d821bbdda5ce71564a42f282c2e39e0f00df0463f6db01430c19f131108f1767611d61b1fe178b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ecae5751c91cfb975a9bf833cf1e0de3

SHA1
afd60bd436c7e560b0fe561fc589627661371570

SHA256
1c0471423ab8094b6a1848417c00c319822998ff6bae33ba4a97aa1f4b3cbe1e

SHA512
ee9627a06c7a21461eda14d4b419c1449424eb8e83d9468c8db5ac3037937d7e907f05daa52890b33a1bf300132078ab06a597fd58d571b626adc0dbbb682028

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
75d388b7144f81866e6c685affd8f16d

SHA1
e99164061a6db2b70cfc9cb8020b057033567651

SHA256
25031d13ac959b0bfdc488d4ab9bbcda1b10cd49f1aa2878a6f86f3df3d14332

SHA512
ece8cbcb9803c1404e9688906a8802563902bc9da312c5a06ca35e6cc2610ae0cf2595d8e1416b33b3d06dc7d73a4e673eb44ed8ff562b6a806df3951fc8871c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ffa76e8013d487e7925e1571c05d6a79

SHA1
06a6eed0f1bf989a678cf359ab73939529ca49b5

SHA256
6a2d2ec41ac637284a61254d18d218794c718df8f78b848eac4a45b3237d9e36

SHA512
52fc2c80627635b870ce3033aa5bd5a24334ff2408798eaa5fb3506c35100adbb18e8d88189d062a1dbffb892fe0ebc5caeddce46c24d09848e75b747c7ff60f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
3a40d7942b60bab99a7edf192bdd639c

SHA1
f67c2954f51b8be69c154aabdbe736ad6162c63f

SHA256
7fd7e4df06190f0bba076cdf1a1cd31ae0afb4716934e5d882c7dfb3aea3e218

SHA512
b1319b243c428658f70aca4e069e8e7156766fe0c91c4336110d6ecda1c9c0e56e076e894989270001d231b62c943001dadc77d785dd1524b7a3e1597fc369e3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
f9effddcd28e53b6cbaabb04d55474fe

SHA1
35526f4c67c521824c9ccec504e6c730fb4d6948

SHA256
184b67bd23cfdca0ef2e11f8cb26327430dfda6ddce10e23365d68de2eaf9dd9

SHA512
008d9dbe87a3fa31e6b44d3d514464e9316ac7f35905e8d01100e71bca75412f07406103f2c5f8d1a3b68b8e885a0e77ddddbe0c9dc2c9ab828c2cee2bc69585

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0cb8e1b5c3280cd696170fd7fc63fe6a

SHA1
a07909b1d60432cd56cabb9f837866cb0d404b31

SHA256
885e43d38479f3096b13fa7fa3a19ec8cc1eeaef1947721ac0bb775abc40413f

SHA512
78c351e3aeb2a21bed4102b7ca2b483de70dde68d06632501a5d7afd401afda1bf8833edc1e5ef411c56b063e7c49c67336f00d5a4913079ef9eba7720e5dc7e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
dac78dc68e5644f82234202e0d0f9a99

SHA1
42a8114b93595e15bdf3c0c9a5faba1b34c09431

SHA256
f557eac3882f40c81b502c10b0620aa4bc06bb38d079f1ce1620f1db49890b00

SHA512
ff942915a204ccc6af6b7cea61dfa41b4ea1d22eea9dfe383b5b8152e381d0b3d6268d23644b5fac0b46be84949d21a8f8a32c40c9ec91f5264749efd6d8a29c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
92df438f252e30293e0ed2c7ea30984e

SHA1
b11568542e161ac97aa62542f68a311e855b761a

SHA256
8b8b1a66bc9d054152fb2d4a31d7d7ad8f26b486e680539a6d39b4578584971c

SHA512
3834dafd4ff93ca944fc382aa7888faa2629dccb9871068a2e2d364d91608b394a2b0f7624633e9d6ede88abf46a6f4f09a5d9e098328fce0d293a2173ac620b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
37bbbdee49c1686b482fafe395ff39b5

SHA1
514593df0e794b4acb83e839afbcb3b1393ec304

SHA256
edf15ce189b289f3af32d449f407a25955def11562b5f396d284a4a9dfe978cf

SHA512
a94709a4a9ab6df128d6cd7eaf869827629458ea56a8ee15186eeeae9959f39118b3b76b6d68bf1020e9223edb7b86230f36b64d0c041de5e0164257bbc381ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e596bc314dbcda167a403317f5cdf4fd

SHA1
45b4f9d04472a56b7a398e5b191747821b1bf70c

SHA256
8ef4824eb81342d681135a1ff66310fcfabd390ff4b70f52862e2b589d68496f

SHA512
f60bfef6b6421c61e53c2b45ceebe1489cc39d259576ff0e8e84373b53a006de9427f94ed69070cd5102db2a8bb27746f56261e24ec203ec38628bcf05ae2941

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a83d81aea99bfff2eb0fd495f9a985c9

SHA1
3e062d3ce63dd1df4eab1d3dadaa27f8e2017ccf

SHA256
612e48a0bd05ab4635052a600d38921baf57084170ae9f0419c69200234ce451

SHA512
cf59f2b1447af95b7222931181ea33295a9197518bdb53927ab588aa31c32256754a6b31ebc075c8d4c06965268de2d8fe2eb3103b0f036fccfe39fbe1b8cb9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
02d1489b54a93d559a8163d84c2eb240

SHA1
c22f4337b78477a68ccdc9af45fe7dd4ecdd8f41

SHA256
9a4754f3de665b019f459c4b9b1a123c9c48d45a14b207fa75b18c8f9f6fdff7

SHA512
babc36e3b4c5d34a4cccf91f4dab9107e4f2e891411ff015153ab599c3c7b2cf1aeb124ebc4e5a92936049bbd8d6db8bb038819f95f0bc04e00241fd4bfea9e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
22025e514f722e6eb93e9c4bece2c01a

SHA1
2a0ed5f02280dbf6ad07a46adfe78ece4296b36e

SHA256
6bf7013c256a303e612076f726c3737597d5eed1bbb23c197656e682a14266ec

SHA512
55233a290270e0dab8184ef1ca80190871cf0bff8ded2fe7eb5df150c76b4cb5022244cbcc68ca67fedd0cfdd70d952bc31c7dbd0d40d93fab55499ff4de9722

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
5f4fad884458697baa4e5c0eb744ed8d

SHA1
447889800471d3dfd0cb550d650a724d251b4bf6

SHA256
63ff3fe87270cf87ffd412499fec652049dc2adb2697f1c70825e0e50d2e3a19

SHA512
741fea1089fa6930c4f815e0f0db99942005a9e510d8acdfff7a65f201f88159bc7bc481af9d3ac43702ebbfa5a51a115edfd6a678c36c444d34abb560686d69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
d48368b8897d018c990f0fa158a6cb4d

SHA1
4e2de4dfb3f8a53646a313f0294e0a020d215be7

SHA256
a6116fbbddb1e6d8af0948190e88c7690c25d4798aaf1a2013b928d95f2f63e5

SHA512
6dbef9400fcef9a18407e431c8ad375d6ed2077d75fd2ad721f84c1b265784b77c4afc1e5b6b29ec5ce2d727bf07e7cf489c3c56549f7d023ecbfdeae184591d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
cf1b8db916192523beb5173e583c6724

SHA1
39d15c5f2c6988ef416db96223ae41842c71414d

SHA256
3784b9450e013e93ac90da138f90bee0a664bb9e41f90d69cefec22793c3c10b

SHA512
5d5e68f0f8b41260acd617966409c099d5fc72133361efe1e4799aac7fa4593c8b94f761e70619b6eb840f38052e17da415df94f2ac28fb46a1decd4dad18b3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1ceca94a858dd781b9a85de4b8c5479c

SHA1
2065e774775160711b51cbae940d6b49ec57e0aa

SHA256
69d53cd73b6fc1e04fafdabc60f51fbf45ef7ee41337652af67fad4544cf0717

SHA512
8b0fee0511ed57d215f819363482ff03e48f24f5f865632c74cf338f4274f573dfd20bc518e69d397115f2f42f3798085f7176adcf45d9b22e93f8a646cf5418

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
6bf99d04bd1880c5d82e63412c27f41c

SHA1
4a9b24b5a5d9658f19e9a9bb39d4f7e526b5d85f

SHA256
872de37cf903f22a36210ce3ee080595f3add22db2317c1739fe9f25bd510669

SHA512
8d431f57990a93900cb9e0aa9c4b312c17253015119ce94d9bd1d6d8703c13ed29dbd10fc5fe26bafe32210e405882fb6b6fd6a2f369d5dbbab4b51760e9f521

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0457eaea43dd5915dba3dd5222a0eed6

SHA1
a53f3fccd8641a740f933f5f60ddaaf7ffd60e1a

SHA256
b16c08e96ac67fc4ae0167f4c752d282a08290153d8bfd27cc9e929a8e48f3f5

SHA512
b6cf362dacb74ae06ade2b34f977cc523c860b72ca83e651da5eefd3c0cd9ae23c46f01b71ea20ebd247add8fb4ad7116d0bfc5b8a835640224dc31e8d8fea0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
14ce1cd927c2e95f19101a8d3918ae1a

SHA1
94e66d18742ca1e7c6bc6033c83ae4bc87b6f429

SHA256
48c6fd9a75c4bf12d2895a448459c59885134a43bb8ce1ebacd8762efab40f75

SHA512
0904fe855dcd59097ffae000b781a4fad26fa3d6a5c3a98c7556e72f0b8b459f27c16f62da4eaba4b49b38604c4a557c4d169e344a0ff7c4b76ceb0c2981e98e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
d0befb3724bb1201faea8d0c56cd8973

SHA1
88c34280ccbeeb724fca4a7ca62a0c9be5150ee4

SHA256
5808e0278810002bb212de515c8560ba709025ae1026f1e0db4ff35235ca429e

SHA512
5f6fe9b96fae4d1b492fd23acdbdd90250d183ae1ac72033d721a13473259fa892bb3f31c39183c334ac8d101f4ceb09b6ee8a72171183264a0026c86c5fc531

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
80f3e4706b7d572f8f3c28b6128cb903

SHA1
e46637b2597a64a3e9cad6f782bcf52ae9257303

SHA256
249f68a47736289a35ef2e30d1d316e63dcbf94ade7b57289a6245779f24b735

SHA512
4e792031f5c9ae94a34034b178f38c6b33d6a27a36564822062db297033982b6409ea44c48343ee5fc62d0d25b12b74517217154c17d1a42479fb34568fb852a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
8b09f0fd1eded80c011b0b28f6c74b3b

SHA1
493d8713272112e812406f3fb3355a1c2c813b01

SHA256
4341adbbf109daab0b1c11b22ee3a33bf77461070b7ae8d3f3ec1d0f4eb10f82

SHA512
64213c0480e0360b772cd9cbf336983681bca86ae4b310b0c039fb960194e81bfd129d5935ad777842409696a27d7099afa4da85e5e9e08dc7ff09735c1a78d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
63091a330eca5c09ae98a2fd3bdf4cfa

SHA1
e6fffaf420284ac1439d9d9f0582bce055f3b7e2

SHA256
0737e4bf254974e0f69d2bd3580b2d40a74b50e875eb96e9124d0fffb37bda7f

SHA512
0e00faa4589e22159df3f1c68cb7fc8a2a23984b54237f044c61e9d733b0570add341702cc0de2f90bec18bfce479445769a844b48d985db97e81aad9182acba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
c0b93cf7cbb674e91eef31d04c1bf35c

SHA1
e24613914a3767e40e0daa13e082d9f5a9e79559

SHA256
a449fce66a40dc9985efb4eedd01152204a369e8ffdb28fd04d8563601d05b9f

SHA512
98dc61ef11f9e9a6c0fce7849c5c5220171a56588b70a50a8fec15a845f437c3800be4463ccebdbde1a0772147ba4d9b374cadbeeb4ad832a900ffb19d5449b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
469c65191ad6cec408d8bccce2610d83

SHA1
b6cf4fd79a338e60e8493ca1e7ec6cbf7ae137b1

SHA256
f5fd9501ce4a45c32ceecab9e357c85f1168c5cb699ecf8ab4545ab8a41dc452

SHA512
ab4a8fb44ac314187154514c4a6935e38e73906ae6a992b0dae4e4d736e0d9768a4adebd61841815dfa918fcf8525f4e5ed6c65290110cc1e4d3e2cc5ec63ed8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
8b7bdc7505727d827bbe258aae27bf2b

SHA1
697a3b943ab60a6ab41e4d65d69933ddb3ea43f1

SHA256
71c4b8ca181408e8bfc5cb72721bfc168b4fc53012c3e8509d4f3921c1c22bf7

SHA512
cd7ee46bea0e4d129d20d27d3bb40c98cd5cb7f1979fed26080700e8293c80a487caa11830313f94142a893b9e78b92a63723aedcd0a629f936c5d0d5aa4da0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
90074760376c5349339331b62be33ec6

SHA1
1e8830dfc918264f9d03c6fbd1995751d5d8ab1a

SHA256
c8252ae9a790d4b271ee4bfed174ff66529a9564fd7c5340bed849c009e5937e

SHA512
8a24f98ff4aacc3bd4540aa3f043e338c8b6d334b11258cb5bf338fcf4a0f259d03038c04828137f06ce523dcee707b6270499af213cabba1d4dab4fa0b2cca5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
834367c48db5e7f21b535ae4a50e223c

SHA1
fa5898985e02633f661ce0b3421a0eb3918e9928

SHA256
ab546b961ad28272e94daa8c2dd468bac5c1b9f0cfe7dd7e287b87b4b92955ec

SHA512
f9e6820a373926db3b99816d83683881ede02a366dac87756f56d7c1f60c70f8f987f4c1f1aa9257cdf179ef90e9fd30c902fefba18388f9d4195a034e54c723

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
dec1673b94b9cfb3da375d798a49d0e4

SHA1
b8e3b088f93de9e1a5545984f5a7417ef8c5d7bd

SHA256
c0ade321f455b781e4d5b74a005a3260e291f5e7070ef9f996359d214f31e3c0

SHA512
4b4428f846326c1875d8926e73856533bf90909aeb5f9e95a481112b95918cd8cef5cfcd0f4c3dadcef8726e478903166c711cdc368eed7b518c2f129f198740

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
d5d47a64120755984bace7cfc68f2aac

SHA1
add1fc238881fa6d72270edf48e27a2f4001b817

SHA256
c3425c65845daac015081e3e86f3b1bbf69f484473df0b5603b68ab45e1a6f90

SHA512
8efd7a5ad38e5a23ca6f62521d872c64c3be28e1e526464a745aabce463cc171b4b1f38cf27815d8592dd736a3b56171936fbf0ba6a3590a8a257e8ae6f7ea8c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4931202d6232f2b75f088d8a6ae97607

SHA1
219fc623a3c35e7a85a616d82c218dc54ece4547

SHA256
cc8ace459dcc6ff22310c282a77c11ba7304d74c605bd839de72b3625ca94295

SHA512
e15be6a67f309ea9fd5c0820b8f30e2f4313745101c41d958b4e3bb1976c0c91763fcf4cd8cdfcddd772e35e02e5b6133a0e9ebcd89e0fc287406e29b3d6a250

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f53f1e915c388b28ac99339e2c3a8a6a

SHA1
2417a290a82c62ff7799bb55cf091ca16de2653a

SHA256
cd95937f6b6545bd2aafa34872a87fe7784d16805646013a22f3c07d8b688ed6

SHA512
41ed269facc426b21cdcf4c57decd4817d0bf35e5971175c179eb61239f83948e756e28fea0dade346ba3ab34034026c8dcef6f1c53b793b979466305db6e219

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
991308571962c11e503d0ac4c5c1a4e4

SHA1
aae756d9a6d60c37c57bd44c0a65ac06fc793409

SHA256
3fdb0b0d83572e2e8dc8ef4aa720a50c1b22250f0adef2b84be169193d26cdf1

SHA512
e3e04317c2cb7417ed3531fdca2175dda335241efa77d2ce2cac311cac06c4b0c61738908e1479b0bc6053142914c2616b493e34a45d10139b8888662fd0916e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
321a33873e7ad4aac067d4c26569a08a

SHA1
c75c9df81080fdf47f20ec237ef03478df012eb9

SHA256
2c0eef585b994855d0cac00155ed73b34cc5a4c869562ca4c0fcf92ec4b8509a

SHA512
d10823aae99096089c0638dac2469ae04d64759bb9f77351be0bb9428a864dc7d5763c9d5cf2b5c40dc284338c4b98f9278d6904065fc7d9df4b6ed87e8a077d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e048bc1d2f066f67752dba6a6709995d

SHA1
833114d7535ce84292565fee79114e4a5d378025

SHA256
8955d4ef6da9ebad5460b30bf964338363f02ca76946aaee373b316eaf4c665c

SHA512
ec9c6606cd218d07791d69ea45855435eb87938e849bdca2d1ac18b3f7db441b0a6cdf38f2b5b81470ef349883111b6ce4f0ca379c78797b5ebee87dcb760647

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
0756a7d344f846f27e44fc240814a676

SHA1
bd80815f74d8bcb520f29e4bed56934455e57758

SHA256
0523c0d4a5e791e2f4b14578e2305e1be97a16d05c7a110cbc89e824100a0568

SHA512
92a64b44a41d6fe4c55ba99e14a3500bf524006e0886e9775be47cab4c60ad15edef5122b32b66408d1e38200fbd257aaea2ffffef7cb7440b47d1d37559fca0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
37ad4f4406d9948e2dae449d86178c9e

SHA1
f206a348242a5c6706a79e72bab6cb192826e312

SHA256
4d9617c91718d1b303c49b9a6774e201c4ff314b7725dcf6d176e7037b8143f4

SHA512
fa1fae93645406003d3f3a78c7d510134565096328b65932a82b090a22d64651410d8d61fb5375b928683ae49e0f5ed368877694e9c0967e5a480b3682e710cb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1ce1ed54f167ec18b40e826e35fa728f

SHA1
cc7856ce2e37808b05ea62c427ca67cc16ec6d57

SHA256
53d7cd65b8dce534e36e907f0d7d2416818d8fe9f9c89ce9e62c5d3923c6eb2f

SHA512
0f3e180ebb3ca476ed866b123ecbf16f284e3868b13af3d75c7bb1c2bb1bde1f2decbdaa150e6a158729b7e024b1aeb1b6f2a61d6806950221504ce781c869a3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
882494a91759f8848e0ed7b0984c7a8b

SHA1
474c48f15e671fd0c9aa254466610421d46c9053

SHA256
a157b6e2da9609f918e8a2c2b47869369f8924f2f4f3fbaba7b630dd2a75a069

SHA512
83dfa5e0b4b176b2a65320236dc5909875e5dad803655849c72af48e6f148d1f7657ca240fa3da5b863430e36fd4b1d062ee96b057a4078b425057503fdb8084

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
069ff9d47357959c74c6f51eb93aa810

SHA1
4b1c3014851eeb347eb64ddfaa44dcd9ced90e20

SHA256
29fc012905b5cfa9ae582e13136eb2b2ad8b2144d04bf13d51dbeded0bfb3d54

SHA512
d7553a02ef77ed0ba196eaacdbbb3343260ca44214223762a0833ac563953f6268492e606d624ed9c8e161a2b52e4efb4719430c22abad71aa8f779a114b5ff8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ffcc4929f1846af0802dbb67f212638f

SHA1
1bb4dc6d11c9eb8ecc886f1b3ffca90ea5d4dccf

SHA256
9ab66f290cc227e3404423c528b524c55b339cd1819eec0dc25cad92d018ddcc

SHA512
ace28dd02a197b681a493277c8d9ec5c630e7110e2c12ce06aee094026b105c4a03d10b940f40f7801e3f059ecf802355cd1b3e27874a5ce4394c7601b5c960b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e63a5a6d0e5215ad98886af1e22e98a0

SHA1
cf2a372f5ab4ee4301dbfce3609650aea5189613

SHA256
3f9aaa770b23a6066d878b175d4792fcdd2acea06ba1e81ac3b22d3aed3046d6

SHA512
1adacb1d4e3f98137112cab6f34caf0af876e878e1ea138390cfee9cc86ee4c703057bd7a314c8f92fa13813012724f7f91fc912d9bd9535e5807531c6aa7ca1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
651474d1a02a194137a69282c41ca616

SHA1
a837b1f9d2b668c3ef090042e56cf92df7d109c5

SHA256
d6c9c89c268c2fc619a9629b9c92ee79e82a55dc51d82f3d6fa2cc19d0b1ab48

SHA512
67784734b9a187b6f9e4757fe99209818a485cd7db508e9560424a6904b802866227cc428870eda639dd338f1a4a26d69b1bbddeb238a4cdce45f6a4d5f89a0a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
93551bf7c5011d1fcf6d5cc36f79e6c5

SHA1
e4b99145b1ddbf17257829c75adeb1d058d09b0c

SHA256
dac38528760068e6af9de741bfdf8cd91b244254f4ad9e1dfbe215387f00a5a9

SHA512
216426e53b26bd9b73bf691bdbf1de8e4c3725ca7dbea2c7e7a05aff08633132bc60026303dc1c7580a6080de185c2c12380804bea61dc96a1ac43a16ba66e01

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9a1253e040ab6c6d381d44e7d528a494

SHA1
d0c41d00353bd426c0beef0d60b284d66ee003b4

SHA256
bedf42547bc253fe13ce221d94494e27683f35307385fd6fc0607c7b109bbfd1

SHA512
f7f6181470452105621d563c3e58cdb0b51f312a52da9716c393d03a9f701a502673c5de921afffdfb1e2e52b8c7ba77154881518162b74003b1262536a35223

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
ed864397f0f9361843046672c1d316c7

SHA1
2723195f406bcb99c918100eb1412c7e330e7dd0

SHA256
9cd7b0f3dd2c6cc8fc11dd0c9f50e7c7fb36c006fb3776b1075cd7fb762863f4

SHA512
23ff2d1320a59cb63729cedd06da0f6e9e0ebed5f3d1b538d892aea15a3962207e6659e72ccc9ef53d8a3deaada090c2a8100cc3c0473157ea8d99d207ade6ac

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4c9057ad8a1bd24643037475b28a4cda

SHA1
649dfe4c887e7a9abf8ac080957b5199e3b8b764

SHA256
479262f4f383b61df6f5b0b3fccac79e2475169509df7b02fd32d41677c162d7

SHA512
ecccaf31bcb387f8b0a4333b9c0628571594a6102ef56774a20dabe3ca47d9722f3815d560e60036a8edd4a1bfc71c9325bf5ec018c32c5ada24760515a555cf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
449ee2cd48272222b91d93448950238d

SHA1
337890c12e033857bf507291b93483246efbe2a4

SHA256
8a7d533fe5b4a5c42db424208fb074f90181d215e95f940aab9ac8d0ca6318d9

SHA512
a434580b931fa47b196e9187f4ac437fc203cc5235ab16ac97109eb78fe409fe7fa883eaa1a525a5c00f220f12d25ae3c9a6eb65ca04c553e0d45216411cc2d5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
e29a9b6b92b36dddd9aa1b82145fb666

SHA1
5305ec0cbbd1758d1d10dde5a1b4c58d0d4d6c28

SHA256
4e8a6370a9adf5bd8916357064150f7c90180cadb17dd4468bb08604ebc73955

SHA512
7817a41602428fde57142f882a7a2fc4c18c3311b258960e564fcc72afc14f4d2f5ff053c20017583034d4c8a1a613c09489a2d23567b88320fd526b924cd02f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
e7b6de67bd035903f01447230a244029

SHA1
7722e80a4c843736bb6f1f5599eac35b254a032f

SHA256
1e36c4bcf2b548727fabd2602ec7f41ce9a18bdea41396eb0368c18df7d8ba8c

SHA512
07de8a1121ed0a851fa4885a5a3b631735eb0148a828579466c9881d2c5fab58b888035beeaa8690a55b409b816dc2b676c691870979a9017e538d1fde6bace3

Download Submit
memory/536-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/536-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/828-91-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/828-85-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/828-224-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1056-233-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1924-227-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1968-26-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/1968-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1988-360-0x0000000140000000-0x000000014028B000-memory.dmp

Filesize
2.5MB

Download
memory/1988-8-0x0000000140000000-0x000000014028B000-memory.dmp

Filesize
2.5MB

Download
memory/1988-355-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1988-9-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1988-0-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2032-237-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2608-218-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/2664-15-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2664-502-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2888-226-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2888-95-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/2888-100-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/2968-236-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2996-38-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2996-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2996-32-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2996-503-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3108-72-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3108-221-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3108-78-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3140-506-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3140-248-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3244-241-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3360-247-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/3360-505-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/3404-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3468-135-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3560-232-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3560-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4080-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4368-217-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4368-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4368-504-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4368-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4872-61-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4872-65-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4872-55-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4872-67-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4964-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download