678cf072a25d97f47195b19db676a5a62c76231c9e4fa20d2e955929d6f702d1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 06:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
Size

1.2MB
MD5

68fffc26ebc0bfa3d62ca496919e9580
SHA1

bbcd9f4e11695097d1dcf9410ef7297e49bb30ce
SHA256

678cf072a25d97f47195b19db676a5a62c76231c9e4fa20d2e955929d6f702d1
SHA512

868517d47792c433b378b592b96a902157846c7e02e812608e33ce369ce3c6e7f1e44efc3c58e61dc272c05f04c9300f68f53922bf1e1b04b201d525e887ae66
SSDEEP

24576:ryhYW6oivxbvbVSLKCdFB2YuEWB/3wgQmlHMdIuwe3zfIe7xmvH/:r8YlbvbaNFwYG93wgjMdFrIe78vH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2200	alg.exe
2248	DiagnosticsHub.StandardCollector.Service.exe
464	fxssvc.exe
4812	elevation_service.exe
3972	elevation_service.exe
3676	maintenanceservice.exe
2316	msdtc.exe
2288	OSE.EXE
2796	PerceptionSimulationService.exe
4340	perfhost.exe
3872	locator.exe
2616	SensorDataService.exe
3908	snmptrap.exe
3332	spectrum.exe
4212	ssh-agent.exe
2140	TieringEngineService.exe
1772	AgentService.exe
4384	vds.exe
4544	vssvc.exe
4696	wbengine.exe
936	WmiApSrv.exe
3080	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3a772456b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014366ba85db2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b9b2fa85db2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b04d21a85db2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4a32cae5db2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004f33aae5db2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2248	DiagnosticsHub.StandardCollector.Service.exe
2248	DiagnosticsHub.StandardCollector.Service.exe
2248	DiagnosticsHub.StandardCollector.Service.exe
2248	DiagnosticsHub.StandardCollector.Service.exe
2248	DiagnosticsHub.StandardCollector.Service.exe
2248	DiagnosticsHub.StandardCollector.Service.exe
2248	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1088	68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
Token: SeAuditPrivilege	464	fxssvc.exe
Token: SeRestorePrivilege	2140	TieringEngineService.exe
Token: SeManageVolumePrivilege	2140	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1772	AgentService.exe
Token: SeBackupPrivilege	4544	vssvc.exe
Token: SeRestorePrivilege	4544	vssvc.exe
Token: SeAuditPrivilege	4544	vssvc.exe
Token: SeBackupPrivilege	4696	wbengine.exe
Token: SeRestorePrivilege	4696	wbengine.exe
Token: SeSecurityPrivilege	4696	wbengine.exe
Token: 33	3080	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeDebugPrivilege	2200	alg.exe
Token: SeDebugPrivilege	2200	alg.exe
Token: SeDebugPrivilege	2200	alg.exe
Token: SeDebugPrivilege	2248	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 548	3080	SearchIndexer.exe	115
PID 3080 wrote to memory of 548	3080	SearchIndexer.exe	115
PID 3080 wrote to memory of 1772	3080	SearchIndexer.exe	116
PID 3080 wrote to memory of 1772	3080	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68fffc26ebc0bfa3d62ca496919e9580_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3872

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:936

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:548
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fae0c3693ad643f973b547f78c267861

SHA1
9f37355dab96c780a2bbef45494a895ca064b278

SHA256
f9ad3461cc59fa153e2938df15407c6a04d0a1e27bbb550d80fc0c51d61a0131

SHA512
32ae821c4881ba940f2a87b4b7c26342dd388ebb8a373b994afc07dd59d74a84b01adeae892fdddd30913435e676144a4fe7dff37c0b53ace10c0d701d4533d9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e2bd53d589f0e96956857496915c8d20

SHA1
a8e3fb15ad5e55d0bcc5ecfa000fb12a8c29afef

SHA256
4df5f71b7bbb2b16b71036149824507f5862e9956248c4bb394b54985ed0c83a

SHA512
b9a4bdc7b0be1d95cda466db01a0f85fbdeda5d41ca66a5234f41511baceaa8812390a44eae167753c8c83e548ed5d5c647004fe3309290f379a88bd15b5b711

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
346cd3d53ffed99f7d1900624ab14503

SHA1
c88e42bb9f8ec0aa19e75108ad3b982d9ca8a57c

SHA256
18243ab840b82f1747e2270661955e52ef8d9813652f6acb16cc115d4fccc2d2

SHA512
9c0f4ff886a0f7c73b6a26ced017c652b76c5e100371035c37fd41cacb13ef7d685ad20c11425881f194947ff848bda625283e28c8493e3966693d600b7b7d18

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4c430428243a17b9666b5092aa3a5eee

SHA1
064bab35a3f045bc216496fb8422dd0e82e9406e

SHA256
e223e8f8cd2496e96227bbfe81f01d74f3e16dafb3f7688cd798cc15490f2f76

SHA512
4305bda69fd909b4b154375c3f26cd85cd79b0042a0875089a2086bc3da5943073ed864d9eebc668799aefbb4b637982bda1cd57557acdaf15cb3d17dc061ba6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0fc0ddb4c572bb58d4d5d8fb2b2eabcf

SHA1
e6dee1742fb9a79c9b2d185d11b1b53690ced062

SHA256
537acc91cf378c1bff7e5017c5cee851c1c3aa6b3dbc1cbdfbcc5e87b810b308

SHA512
05c8255b7300cd26ab49473570e6668016cd3ca445424db3571906846de470eb813ae8f8ab4149cc3501a0a1758714ec1e83612b398b4d8f0312e23c27e49e8a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
090f4702b952ed4c7c6539d9876aa1a2

SHA1
0748275791825516fc18946395efe61606cef7d6

SHA256
fbe70b60b5283b8f477555f97251c72e169c90289a603df58bcf27c502971ca4

SHA512
f3716fa9278205d5005e7d78a74f6db90012741c51f763d5385b50d0775787b691375414e5aa7395b6b3c036a872bd697b35416e347c44e9975aa4865eb4f700

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
66faf0d9c2689db20f1d7b263f86e5f0

SHA1
7c1390efd35edb7afde522c58f092bf77a475652

SHA256
5741768dd44f71a837ca731fed098dc59d50da312654be30b307b0c71befb795

SHA512
dfb1d4fb18e0724794e9e3a83bd1183fd3fb76ef2d622b2b5b0f93fc78fc4a74231aeb5e39f56cf0d976ea19e8147647d688d478273c0dc224ea85e184bedb63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b5fcc37eb8e799aa34600fdd629da04d

SHA1
00df86e14357b0dbecefc1f531638b12e0584a70

SHA256
14ecf01b224f83e6e803c8a3df39d5728f858657817c36266fd5783856d9ad7e

SHA512
83d8e4294aa124a9e7f932a87df69493afebe915f87c02eadd0993dbece4816b86942c9a4f1e7b7159efec699d71382f1029f91bfe914eaf912e011f1430e07e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
467fe05a663d7a8f4e8c6544a3d6cab3

SHA1
203b98262b90a1cba7fb8db8b875c04cb6160790

SHA256
efa888e3c30fd4183bd9001e1c3f2248f6bb9f94e610a6923e88fd2921252c94

SHA512
b47ce846c00a3f4d3cfcbeed434d2a68c7466d067bfa6918826d1eb803d573b747e586448b81f6368b8a3b8dd2d91b5880813cb61c2091b149fb525317fb8d69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3e8a6d61e5cd19d7674ddc27d5925041

SHA1
b33110c1590337ed84b49f19c702e31623d8c226

SHA256
ee1512737affb09de41485992b79f0ddf728c719a20c8770cdaacaed54176db2

SHA512
b0729304b5d054f58350dd6ad51593982cdbc2055d47d7b7b5739648b79645d45fe8e02a8eb705db40f9772c23c0934ed3da77ec8808c6f7b48a3b130ae5e4dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5f27ca5365d9c43c579fc882d3f3567a

SHA1
66df3d0f2f3021924f9525a3e02cc8c79477814b

SHA256
bcb66ef666673dbf52f69ecb735106c91068d507bc05208f7da89b41ae4a2312

SHA512
2f08367ed2ecb2fc0939550217f4d848630b2c6b6a218eabd720c87f1ef9a3aa074b4cbb96c92ef3a3d817da80422e241eb65196aec8c058387cd37736c22455

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6efe71f2abc7f54862ef66c3ab4f7fb1

SHA1
f995acb53131bf284dd788efe1afd50289fcef6b

SHA256
180ae1ba952c2fa47b4560e44efeb6ae406b437b2fbe92375bd04543073e3e11

SHA512
b8364e420798f67d147a7d1aa8cf0853c2735dcbe5e9fb82d8e92ad57db8318976a99e87989f668db937cb2db8c7888258f6c32831409329f5b60d27b7f8df89

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
40007aedc20d8a0e3e3423646def7fed

SHA1
c00f8093d20ce891e2fe474bc225a55d0476ff42

SHA256
49797b982b24a438bb913aef3ee6a043ebdbe7396d92ea7dbd8e825561886dbb

SHA512
5149560332db50737b78de38846483ea726309e4803d50c6bb01502de379c2d872def912f2d4911a5652a37fd1e07b42e51aaa89964eeb4a4c67055ed20ab11c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c6f3ac254d39d89f7f83a683f1229e3b

SHA1
142924d54b4b087fe9d3491e33f858e978eb993e

SHA256
9599868cde245dc3feeaa3bebb16406c24a41d246911e54f758e3472f4e8d140

SHA512
03223f17ece933f0a771b719b8ace7f250b69d032e8f12df4a8e791c1b8a9fc31645e3ed5d93ac2e72b7554784817922f906b31cdd51cfd43f6bd5b10d410017

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0003bd9b0b9edc4ba79624ad62e78353

SHA1
239267152276ee911c456bcef2cf0caf89f0800a

SHA256
b77781b55c4e7e8e42ebcb0442c6f2c7978f683d4e676abe854f6a7729a05bc9

SHA512
6edbc4be4acc997b8ff2fc1a5607ebfcb7a47a919faf223b8fd6543729f2786da66ca1d25c40384c18af5c06a83a3641d1a0be335326a42c16117c3f1f853c32

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9cd162afe3bc94136d0ff5b7e972d253

SHA1
5636ac7a70a6df9f509e7132760dc1acc736b7a4

SHA256
424eb6de70fa49553ae789779be969094544cb21d389bad238d3ecf050345983

SHA512
fe69fa4c3cd6c1823d5e162b029cee23abf7fa9abad4cfe121e1b692acd5805f2359c0b6cd6325172c23405e7333a4a0e8d0a6b45451022e912bdf9a92ab9621

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
647812509a534899d0c9fb30ea90694b

SHA1
e77a587097feea2a274cd7e7b82efedbe72a06ec

SHA256
9bd3e0a324f1783056402217b4d58d1c618f0c99e0c60b48ae18575258878084

SHA512
41c83d7f3bc5fd4a4c85620b8ccd69508aeb428acdb14b582f4ae11d81441577e60e88fa46caed575211a0b6a7caf4984a541ee423c92e6d0152b91f50d380f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c3a47226bc9a48e436695684756eea34

SHA1
a9d5fcb8ddc780c326cfc9ec0bc49bc130f8024b

SHA256
46493a2360b9241235ef118a429771dcdd5edf6806d25fc465f62fceffe4355a

SHA512
4d84862904cac19d07271cdb721e8cc758619428e5dcf35950b35f2dbd1b209db8b337996260873685d8bd0f3d43268e4c7b853a3dc19bfc3fadc9b3941aff59

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8b6b57f593425c746bde8b629c845e08

SHA1
79b3a558bf6853050dd5e0209916e75b45c918b6

SHA256
d2f26ef467608dc55a1dd4f4a8abdfd54e591a5a19a74d9308ca0228289b4add

SHA512
0f93327554cc4313d046918658f80b94a3b840a497509929cbf8fb9d0b6f6d88f8b86eb7ff7914ae4a18196a494ff58bbea9830417ecdfda1793f3222a205fe6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bc959301d5e72951f82f15aa75a8a43b

SHA1
22d46f1a37fe224365f7ff886f6c753f037e627a

SHA256
b21d8e46118cecf6aab055dd15cbb23f15f8bbc9126eff3b3bfa412b86f496bc

SHA512
9c8b04543dbde57a71b1eba0c474be9d248933573beb03bf42de3f4d36a81e2d1564d7a5661601c6383c53a711163159936185b4919cc6c973f6e24e3c36ee73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ceb072de8774c4487b118c2f5967589d

SHA1
af3d08d8dd05e6adb7f35e9081e0e3379c5f971f

SHA256
a28e612d97515e80e8972e7d64fee923169250ab668e5c621fbc0f0f5de350c6

SHA512
9d60c996949f6f24e8a9aa45631a0a633ead420b7fa777356c6a33d3f4de7a2a3860ea96bf791a433db9b74da7acc462c46a97735da94e7095a9ddafdcb851fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e0b9f0562ff3239dab2f4545880cf507

SHA1
0e8967ddd5c1cc83d92de86dd9207dc65f945795

SHA256
e3732ad1aa060f03381afc748a4a739b3edc82bbbc58cd32e0a6306e7263cb67

SHA512
4f94a74298948f72c632f49b47e90c1e0e16e9845c532afa95fb30e4f60ca4f38f0f0643df9497acc6b37d0caf1743b301927027a7609eb6a0b6758301f22a7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5eec1a7862cc7b8ccf99a6cffcfeed31

SHA1
c350622ed994bf62665362372c7884bea7ff1933

SHA256
ec558321415d09f96af5396ff6a7b36c1e573d1c7f310d4955c3f2959f69fd5c

SHA512
2dbc0c0a1ec0d9d4a287dd38760acc0c841a226e14e644d9636dd290ba63fb6277710eeffc82073e9d7d976aea363dcd64837f2ea262e0ffccdac6a45b998b94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
84efa812d81d6f9432a48c342577138b

SHA1
2c8460d9450580bac6a1c2eaac3add2b332e93a4

SHA256
4d16b163c4d7d1e1270ed4f445dc75d8471f290b2f75d213bfd241c760b18e35

SHA512
7c83a781543698e9cb26ebaee7d6d16c6aaf0aaab98d9d1c18b1754cb8da2721839963d5f91ed1e25ec3d6223a92bedd1813a60f1f91af5abc9583d3faea2333

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
99a240e37f590802248a0621bcd1031f

SHA1
879ea1360e6b8c24dd36d9d635b8a105db5b46cd

SHA256
fc093237af80b3481317235fd411be66376cbd313c3c8799de7ac04945a982ae

SHA512
9009c6a7b337b8d60fe8b35b98be11924bc6646031db8e66acfb3f35c4545a099ee7c1d7bee8afeedd755ccf12b8259edfcf07ca9ffaa5ff11214d84901465f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7a44208c6428cd787a332b77c63ffc30

SHA1
f9714a5ae1014eb7011a5d476e52aa4e78e45eac

SHA256
7b65fe4e9e25d626d69ae2c11c4ab6ad2df117480ba6e5934ca2ce11388ddfe9

SHA512
ba0ecc508de6f5c551e81fd493142a88daea6979dc0e81938b4732d9ebd2cd5f1b1d493d76b728bc11e33eb4d2c4eca8fdca7a1e795316a7fa7646ad6726ab52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
0cb49332ae60ccb7c6af12088684fcb5

SHA1
ca28fd43479ddec5b2e207e4dd9cb44af3d929f1

SHA256
518aeba349967e958dc68eaa3a37dfa72e07b932678ecd837a29d331af23833d

SHA512
711e46aaa7e9c181c5be3a0507156f86e4eb2e4a4db0c5247d5f103dd43e89cab087c9b6b1a98f977283681d3eec62c2fdf3c77c23bdfd55418d1faa93784a1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
620334f8bd58f7ba2649904131cc4535

SHA1
05cd96ba188bef77d440c00456ba77c5afb2a3c2

SHA256
85b5f612691e9715a1c39dcb1866ae8eee594974e797ffca5a33c7ba4e58a571

SHA512
0431d4354ab59c0785b26242e92e112dcffb62f6f993b148451142df4604f437387e803ea20c71cc3bcd43d6ebd4466ad29fe460be319b4a75a36a97d82e62b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4a6305ea424e1afa07a5e297c1056100

SHA1
5bc66579f40e6203135a60c41132989bf6994a89

SHA256
e78c6f921f0fd94949b9bed0e2e32d1b9c25b32a0210cf62d1f645fc2426a747

SHA512
89270f315712316c31aeeec261cb3fe4e418d2ef1fe36311bbef518b76f702fad7b3d093a878d0c763a95955b55018dc9c1e2e5e6d743d2bd69dffefa941650f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3a9d7eff8f258843b9b784767e210eeb

SHA1
df9c98cc023c3b6c53fbc5cfbb81dcfd7092e415

SHA256
19838a55ea51a9a45c00718205efcf0217f8a144e559c350cc0d20da59216966

SHA512
8c60ade2e4a5be6f23205775674854e5a92a55bf29a6487ceb9425271a5eb3902f8ba73ca6658145e8a816647dd98d8b2316ddd9e05b6964b2d37168377625af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
b3865966a2626791ff7725bb48d95400

SHA1
4a9b643c6cdc8f179205858a7f0ea1258d4320a7

SHA256
f7de5578728c1ee7992e31d9e972b11c5635d65a7324c888fef25c1139758572

SHA512
b07459f86413ef059c945a319373087ce5be89a34cbf542147d3af58d40309dff2c2c8b1c9a9b7a6e7893debf462191c5a12249bf8eaadd693218d5c36093710

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
016cb0503ff104130e4a975f239a5a9d

SHA1
2ffa4fe20dfdc0bf7886b3adc0feff688979df86

SHA256
5d6767424b4d9a96bd13818d48ffe205cb2abec006799cff72611a111fffebcc

SHA512
ca31c67fc4c159682dd71decd83c803fa090cdef54cb04181ef3a40c535a8b355e63dd72a181dae774523bd0e2992bc5fc48e7c6533361118330a5f81ff7ffce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d9d91bf4187aab27304ce936dc689836

SHA1
25da89746b928ec7c4b215b3eecc555d27f68b74

SHA256
04bf876861573f1e1ae0c31abab5cef2af1a7bcbf202eb2a483774e06132fc70

SHA512
35ee78be1db62785022c4bec6fa583267cda7db8226b3d51450808cd5f86d23ac4fd5e43d8175647b3cd48cc3c343b49fb78f2705be5524d084130dfb73bac8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2952183d1d0177223f60df8ef87e303e

SHA1
657704558436beafe103138679edc30b8326626b

SHA256
3f64b5b6f20ff635eaa4f88afb6d0e6cebddd4094b158c34e9287034910822c3

SHA512
ff5354f21f928fc90b825ae948ac065a55ec2b97e44e44cdb5af96bcf98bbec83b3ba8f43b30d89ee8cfaa30ba1e331de4e1201e10c26e63ff28da08514167d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
c68a2aad81122c9ff27c147ffbbee791

SHA1
c68169dc25fda0759cef2b9abb75a23736686a6a

SHA256
8fca1909169429d87f9db5e1d4ec7603bc84447d23b2aaff9bc3d550c977ef36

SHA512
a1a0c9f69369f00f0db60f6a0d474e938d700bb77cb21ec1b0171c536d6343fe9cbb8a063195584e0775f9f013ad48b401476108dca607af27b4721480e0c83f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
8f65df3f2cc47cf52ea23204eb1d5cad

SHA1
0e7e208f1fd6aea3f85e73925f47695f3b770ef7

SHA256
6f19154c5e4df8143d1c0c54f3bfb64f82582d084ff933edb31a1c59bb8cbb95

SHA512
7554f5939b83e35370f3279a5d515c80cb2c574125593f44c4e161972fc8354139f02c6f2167173555f4fd93e9af50dff922120e33c603d84dc19cdce908a3f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
27a09e8fd47b61279939bccb9628fb8a

SHA1
02affee614d3b686b607dc9b6eee695fb6d77b85

SHA256
cd1d3c89cb818228e10fd6e5c8f8783138e4c74debb165c23f4bbce79fe81cd7

SHA512
e007297e002853a811da6469b1df11f0099fc869816425199bec7ca444168cc7a1cb8d1699a8a3d765e25c6aa24477596cbfda3a0d5f8015f07b056b72ea3da9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3e0ab60026e731fe7154b957c8591394

SHA1
4f402becf0e198afe0853dbf0e3b62118a930447

SHA256
c9847a457d14a0323701c55dbe9ad724f699d6c4e8d2aa347f081ae44ae88a4e

SHA512
a003f0855b4d28085dd10ea6d9a6a108482403b055b7cabfa5024f56b6a4b16d145a009d3a1efb3a4528bac4595909f392acf7b9a7859c3b9889f02cc05b2430

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
3f034204cf0b52697478e761387d2dc7

SHA1
3d74c5a9ff3df0bc36d55c35628ea73da78d5040

SHA256
7a3563a9d86adea14ce168bace45c655e46f0391342d78252b5e4355fe267f4c

SHA512
cc3d44b037803de9bc5af6f31ec88441594607240bd9dea9ba4933b559d816474020c36c36714f0a3d17e92f5cfb1065b20543db2854cea9dc6d7f45dd9797bf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7c047b25b0743db4b689b4045d3924e2

SHA1
9545720e803d36c724e79d7ea7d8d60db22cf98f

SHA256
bb73c5c5a1552c21b5b4f14b96af5a4d25c31acd31c7d183b83becb203b73932

SHA512
9ecd8ed62f0f5e858b0f603896b16659e1622f8003407a2a559591a22c37e73280306da0fb3fcde4b41c32b7b457e0561e4e60ba395d5a5c228806472cb4156c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f8d0634f0d4e25c88647664e716d31f3

SHA1
3986a09d443e3549c686eaf75689c28083b33798

SHA256
ebd00da888f9b9a6023c7bdc475755b20dc98978ec604aef2359e781f1dbe98c

SHA512
405447ce121b71323d7b31a2bbfae188ccde5ede7efce8af54214e96599e033551445129573d9ebb6117dd69fed9497b036f4b28af4604a107f92858732c51f4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c7c3284459ef806b4ac7256dccfe3a1c

SHA1
dddb34b27d8e3f62e5755080ab97401863571fa0

SHA256
cfb9339759e6e6ec27111b81d3c70f95038fe42d50a934453af4dd8405e256da

SHA512
6422e7ac0c78cd551e539f64dcf5f9379c4ffa18660d1ebb4ed29c799e95f75d02b6559198841975e3236ab6e1f86369c43b0d6ba3e045c52181eefad439cb6d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e12f4db70075cbf706c628e3baaeea3d

SHA1
0200421323f7d566aada7987e7830766aed45eb5

SHA256
80f3cff89a65282edcf2e2fb332108fd0a31005b4fb846c6d463deb4c1767adb

SHA512
cc7e8c8cf4ad632b60498aacbc2ac5072b41fc037ae5ad6c7308c6e3478a8e98807e71b61c6a9a097deaee425392b44d78468834ee75ae0a5b4c180f46345cb8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b7fb21c8168cdb57a648a1abc211c0f2

SHA1
880a68010df7c2ad29390714ac3a0fdcbdb4aecf

SHA256
17adb131f1ccae5d12ff9d8c0ddff77bf1e1a0e7335f39e418456ecb4286d322

SHA512
814df56beeeb0f283e5174dc705466c302236a781d3c719df715c504332842cd73a361211240885da8f3b6d008180c8263d19508103dbe2907b4bb86256f9aa3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
38e1058430b75ca5e5f2a630c72d53ef

SHA1
34e68b3e6f0d6ea31ddc29e339457329bf02865d

SHA256
ff0fea4022e5cb3f850add495bcdc4d450249c955b37f09683a0f0f276743547

SHA512
997633b6a2a3c7f750307d5951acb56551f5a4280da5ce34b7ce3c95cf9a1681208b25fa5c0b79d48b2ed3c361bd6be7a0afb1dd589bb8e381e618bc5ec7a741

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
16f8b4eb7990a6565f4e6a848a630553

SHA1
2c9494bd3336e05cb287672c9f97722f158e472e

SHA256
8d4cae87f56a2ba0740439bcaa83690666c0bb5237da89299258643dded7fca9

SHA512
43a37d2c1da93ca4c5b5ef9c4b6110f28e4a5c91ad117f63d7e1700d7c98b2db61b5e5ea43ccfe2a85c5a545646ce886db285cb353c3e0a115396363ed6a7403

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f019bcbdb5767ff695e7ab9c17632d32

SHA1
a24e91f0ac4fcd1505e898d63a7bede8672a6698

SHA256
e9ac8b59ddcc71bef3b5eecfe2d9de2507987a1af8814cbda40837060884cea8

SHA512
0ae147f9e4477ba8dc14ee874b82c1a9c2b8891a34295bfd1c53fd4b7b2be8463db3966f8f5e348869a4d292781fb15668ba54a1ede808e967409a19c8cb9625

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7e13718fb5c723344a6a8ca8b81fd014

SHA1
110e6307037b2ef1954a9936c416f3dbe00fef98

SHA256
980e7c02cc84b74ae332be6136281db1dcb6b5a2af183570d285410c88722674

SHA512
f19b623ec72ae39637aa23afa0bf4475d0a78ace2722a2848a0ea99392802dfbe551071d2505da8323ff4abcabcf2de95bf64adab61030b999fa8e7f6f2051b3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
320107adeb33d81de570e46e1cd03a38

SHA1
b586fac399134c233ac7085d80699a0f9510416e

SHA256
67612f050b912c4b9592aff8fa17fb3f2b01e23e630b1f60be14bdd127289840

SHA512
914722d2e56b51bcfe4841963886c9e08c0c2a12958bbd45b5464168a781073e5b3e0f68471e67a43a8c2b92c83d6ec272c58def11ab19cd860d7093c46424ac

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ccb3bc4ddf3d1c5d054e6398780cf9d2

SHA1
30aefbe36e1946b171040086b42fdcf51f3a747d

SHA256
519de1fdcb2146dde471eb510b8b393f3bf81fbaddd57dabece23862db9906d8

SHA512
029b1a4468e08af40c916d316473c73927c5cb9acce25c435f924b96cdcb494c4cf3f19e28c4852d7a4f787d4f2fd5b18292e6c955c535f5b69465cd90ca4615

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1cb751580e3d88e610addf78d2f7cd81

SHA1
9a4359965836e36781ee53790a3f95fe369bbefb

SHA256
117f233b0b3ecb4be2314bbb8459355784479d91031b05b2335cab1c06a3b6a0

SHA512
e4b2cbbfeca8c151ec83ff9836165fad0c67af801cd7ff9befef099c6f86c592a5f53933b1149717c169669c165d6e2e5ab8179a7120399bc663834f98e94de8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3a7724aa0d7d407384868821b70d633d

SHA1
1ff1209ceaffe7a5ac58a6952daff50aa2ed8c00

SHA256
321aec9e7892b09821911a3b160295a2a944aca3ffb6c4a747d23ef4a442e43d

SHA512
b18eee541996080489d7ce70c72e70fda8051a42da280816d0b79f88cdfbfd7e7b8f514fba23457186eea89d6f346f506e625b40e767ab04d4539a459eb146fc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
91ebd5fb889ff4b915c1379aacb0ae2d

SHA1
9a6010986f284cda078612e669f96d3deacef09a

SHA256
c5641a8fe6dc051c4b88b620bbf390cc9a6f77118a90112e1b0388bf251f0524

SHA512
9935f71668c3870c619513c2bd390b859fa1f7c557807d01823f9dd56bd1072327d8b5fd18bc790e66c8b8d7f7524f4be5b67e63f4721aea0c3e2e2f26011ca1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8730b1f91d5ed0d61438d448de2ba033

SHA1
74a1e59a36a8b92aa4bd0c70f5c84ce168f3516c

SHA256
b593c27b3b8ceef7d506d0b07cf77a51f2adad47f15be80107e9745e2acd1f74

SHA512
ce0e2a7a36df7fd036dfd7d7b14db2dbdedee11e366a3bd3c927a28951423f80213c4fec93c5ae29132e758dee239b69d3279db797e2d8d645eb6ce1587e6baa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8d1a8739d4684af6905f5c15d44caf48

SHA1
9d93d334a50db87f0dc7395c4ff7a9d5cc47bb7c

SHA256
34b25ac8a1289e92d56f39b293563b125bcaef172a8dc1ca3f216dbfa69e4fd9

SHA512
f89c68f041a1380fad2acb3bb7a5ad3fa512d87a008af46baccf9bc604aff75177e242e72f6bd4d2f3461ae4e90ab56f7b71ae1cc234dc77729b92aa6143bb7c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
64d5217f0cb13e5a02c5ee64fdc34e47

SHA1
8d95effe90cf56fc09794d769094366d52912815

SHA256
0c6a739f1a5c2ca22f42314e830ce25bba41cbf696fe441819dd60ea59ba6f4f

SHA512
b4167c28d770fcb4f60ce4b86f26bd560e7561e9ada8ff13ef3591ccec3f2cac5f816ea7cb3b36114d6db41f9d44ca7ee78dd896551ef649f486dabba2f1f8f0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0366d8c412291697c0dbac6b5af3c661

SHA1
8b43735eed24e6a236e668a2e5480679a5f03a84

SHA256
7d668706e991f000e223a0c19a5b5bb0d6b08fa3e742594e67421830c02b5c9b

SHA512
cb2cdf02fff431674d1fe249a5741367cfa350c4335a14fd2e75db93d15a557844f8035acb1cac918368fcf35164d36a1490ac32d46dbb3d9b83882571f46f6d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9973f7e2b875142d85b5a956aa974f24

SHA1
c136a7b3defa92051876c047fee2a0e9d8474663

SHA256
559102d89178d580a777b306fb63aee87511f83c1821f0e3f42ce4c36ec7dd7f

SHA512
a22fd530b16f5b12a57f2c621ad47711b26d63627117186c7e1a421aebd9687e8d72b2f0be837e5155c97fdef12e820e8bbe6d426e18eddc00f4d79149bb6894

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
903b8c046f86d05b38d29123b3fff195

SHA1
05e6d0cca314710ad6e30d25651f0680d09af54a

SHA256
3590bd46c202d868a51b77929271977353857598e628707b97d84578724855a0

SHA512
809f1f0f5aca520b096029d1d222662766d12c4210f8dc2a57382461c994f6ceb3014f0ed013c1226612a953b4b1218ae7ebef7145187f7a1a0f8dcb7dbb65c9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
fab6a67fe2a9b501600acaecf44cac81

SHA1
2fc8b3a30a952536f975311c0da2e9e6094f4970

SHA256
617c1337486087fd328e6366808d3b1797c6760666ff1cac0b751f58901bbe7f

SHA512
0babba82f018e0c7f000397de7dc7fb3f33a2acd409369db2ff57059b92d05d6dfbc87839b524dfcd67c2a84c74f62bf7e0bbb2e0e679bc65dcce85f7a1e0bbb

Download Submit
memory/464-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/464-49-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/464-38-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/464-44-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/936-620-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/936-261-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1088-2-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1088-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1088-375-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-0-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/1088-101-0x0000000030000000-0x000000003013A000-memory.dmp

Filesize
1.2MB

Download
memory/1772-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1772-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2140-199-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2140-564-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2200-12-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2200-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2200-125-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2200-21-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2248-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2248-36-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2248-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2288-224-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2288-102-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2316-90-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2316-89-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2316-201-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2616-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2616-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2616-558-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2796-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2796-228-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3080-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3080-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3332-562-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3332-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3676-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3676-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3676-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3676-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3676-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3872-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3872-260-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3908-534-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3908-160-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3972-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3972-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3972-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3972-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4212-187-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4212-563-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4340-138-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4384-615-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4384-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4544-618-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4696-619-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4696-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4812-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4812-59-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4812-52-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4812-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download