8375a2f2efbf904d7ca252b34932f1e5d58d2d2f030741fb0247981797d1288d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
Size

625KB
MD5

151826376c7ad93c0e914f6dd9a3b470
SHA1

a9f2dffaf91f3e57b3075e7a999508bc3ad10b34
SHA256

8375a2f2efbf904d7ca252b34932f1e5d58d2d2f030741fb0247981797d1288d
SHA512

b52db7e245f140d66e63b5401df971015016cc96084fc04e7c231b6dc1413ff65ce14a4073b9884e98593437695bbcd9aea0c8491583ff4edba72b3d6d05e4e4
SSDEEP

12288:h2a+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:47MdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1684	alg.exe
3672	DiagnosticsHub.StandardCollector.Service.exe
856	fxssvc.exe
1584	elevation_service.exe
2552	elevation_service.exe
568	maintenanceservice.exe
5084	msdtc.exe
1560	OSE.EXE
2368	PerceptionSimulationService.exe
2060	perfhost.exe
1604	locator.exe
2752	SensorDataService.exe
4932	snmptrap.exe
1320	spectrum.exe
1568	ssh-agent.exe
1620	TieringEngineService.exe
4960	AgentService.exe
4912	vds.exe
4660	vssvc.exe
2828	wbengine.exe
5092	WmiApSrv.exe
4000	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f0cccfba1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004796acef12b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000144bc8e812b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081adcae812b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bde6e4e812b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1d469ef12b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000403d6ee12b6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001e87cef12b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0a0d3ee12b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb03b7ee12b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3672	DiagnosticsHub.StandardCollector.Service.exe
3672	DiagnosticsHub.StandardCollector.Service.exe
3672	DiagnosticsHub.StandardCollector.Service.exe
3672	DiagnosticsHub.StandardCollector.Service.exe
3672	DiagnosticsHub.StandardCollector.Service.exe
3672	DiagnosticsHub.StandardCollector.Service.exe
3672	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1044	151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
Token: SeAuditPrivilege	856	fxssvc.exe
Token: SeRestorePrivilege	1620	TieringEngineService.exe
Token: SeManageVolumePrivilege	1620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4960	AgentService.exe
Token: SeBackupPrivilege	4660	vssvc.exe
Token: SeRestorePrivilege	4660	vssvc.exe
Token: SeAuditPrivilege	4660	vssvc.exe
Token: SeBackupPrivilege	2828	wbengine.exe
Token: SeRestorePrivilege	2828	wbengine.exe
Token: SeSecurityPrivilege	2828	wbengine.exe
Token: 33	4000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4000	SearchIndexer.exe
Token: SeDebugPrivilege	1684	alg.exe
Token: SeDebugPrivilege	1684	alg.exe
Token: SeDebugPrivilege	1684	alg.exe
Token: SeDebugPrivilege	3672	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2044	4000	SearchIndexer.exe	115
PID 4000 wrote to memory of 2044	4000	SearchIndexer.exe	115
PID 4000 wrote to memory of 3048	4000	SearchIndexer.exe	116
PID 4000 wrote to memory of 3048	4000	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\151826376c7ad93c0e914f6dd9a3b470_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:568

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5084

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2752

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1320

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4416

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2044
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d7d0df39b2a9a43d1298a90e3069a4cd

SHA1
93837388d6f2fe0c6b3d50dc91a0ddad887e7645

SHA256
b33fbffadf79512a521e832da84b87abb56c0aa7549179c173613807e5bd38f4

SHA512
2725621a468244a0948d9b9eed2005c13290117b80099d2e23d700640d6f0dfcc50708525b64cc792d625ac996b65ddc3f07f02d3f883d287206f5109d84b452

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e20b6d354423b5d6050e1658b11bd09f

SHA1
e509f22d96018a9ddaa23e3676a71b4493460dde

SHA256
7a5e57aef26a6558725f6b6374d7ee333855388e019585009b8300bc4899963f

SHA512
c8ef8d6ef8d0d74b7764a2676f405e38366fddaf0f46bdaca5e17597b926ffd0b1d47982e48cc4548802497da38c6d06741df1b51ea5cc5977b910beaaf1c554

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cc5d04eb93588dc93bb8021012278786

SHA1
2f57ce410cb461984dd91824533965449613a335

SHA256
b6142799b887391715e33339da4016e3ebcc4b93d3c835d60f192012894a1165

SHA512
0d2f237c779ef17de82ae29c022b81f37c6b88eb478c2d4e0916db0e8cfff6a1d5a450d8c672abcc9f3743369f23ffdbc7abaf1ba362d345b93d015207bfac61

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
baeaa4ba22bb82a82463bcd940de330e

SHA1
8940c8faca15b2e0b383f6f3acace316183edddd

SHA256
52c24390521a31d9636abd8e392e2e9c0ce8acab6f73c290002e007dfd95c72b

SHA512
9598750aa04b42bc7b851cdb06b4b03c4d972cdc453954cd2629bacf0956edf18d2f5a16ae5f004e00e39b77f12b9f50ff11ed4d0d25903e32e428352e21a651

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ebb995033ce1321e5dafb5061b2f0e57

SHA1
5f633ba4962fea4c8e57b05df7dd3c2358d0f554

SHA256
22673d3692fd8d233bffbfe66b13da85d7c6930e7dd1d1c17a0d0894774f1060

SHA512
92be131fceff4d3f4481ad13af1034e7b6381e30b3f019ea7b7ade97a98384df1848549a16aed3677bb0bafea85e07ece772240d0d95952a075bf5239e54a314

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
27ed2fed3c973dfe126a4e084c76c6d8

SHA1
7466cb8a225e05e31b4e9d46167e9f8be63a5142

SHA256
f7c0331fd09ad7f2359662ee515a2e195b21ed451eb266296719cb7092e52829

SHA512
2aa81d20fa231e33c9026296ed8dd50b9362098aecd7ad99e4dad0436567c4d9093fd8ffc99dce7b3ee526ec0965bb8f79e7ba782c4e613e9f58bb6992a95e99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2e55d5f05563388bf63ff3d5956ba2f6

SHA1
4f400af4fb4fd90475a533b3ecb61155d0fe7dd1

SHA256
7bd49f4a78a323bdc7331ea31eacc26ae73e0fe83e6ce68f27cf729d698d5c3a

SHA512
af2d25e41ff34d7eaf16f9be31c4592869d07307bb5beef7be1032dc1af28bcfbb4386c27878dd977ac090c605c5553ef617c1e5f0cd2bce3c114710150bfbb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a6946d1ce5f6fed3fcd1dc54382124e

SHA1
e099d44b3e4348fd9fd44e68ec3020b7dfc51fd9

SHA256
aec7b72699da930105d85447e634502d771799f0f3742b9569353119cdd2483b

SHA512
ab36caecb8804dfd7148a2ecdcc4bb15dff52d268793126cf085505c74a47151683fedb2d7d082e438047722fe5831d8c4293fef6a26a2165635682f4e828208

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e46450289141b015d4d665dbad8e9518

SHA1
a600660f44806214c50cb3f1442073c4187da47b

SHA256
9a9578fb63e5f0f7181b344b44b3e7a9540a8c96afdd747eed23aefae56810dd

SHA512
4e883b692805ed859281ff182ccff71e9e19544eded62b4c6601f250bf32605c829e5ec57fb248c2d0bb3479f41c76f9f9aa9ff488caef92232228be00e07a6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5482a6254f8551e5329ac7c9f49fb9f7

SHA1
c8abc1f016a00453e237b2dfd7b2795b6fc12994

SHA256
b70ad3ff96c4a68c6514ba7d666b5c893f661276abd837f851f51ae1f3278a6f

SHA512
97606dd0c41c6be57e7181452360d7abe8b97ea1b63717a0dd96da9a838de40c1b699fc53675ba5eba335ffc18567b00432201f8f6499f25b4eb5494e3e9d330

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e67d4e0268ce002c6a0f17d4b39d11b7

SHA1
2f61bebe69be738d3dd5a520462e0b4f577bdd48

SHA256
c20622c916f84cf5e04c83dacb48ecd165627febf4efcf8519ed74d56bb0222f

SHA512
b59a1a16a7bb91f42d0f48c807e9cc9206e842ccdb61d2c031a9e5ccfa5ccd558fa14877fcb1d058dae1984c1dcfc90c0e35ac269cd6834a5f93769e376161a6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eb9d00305718c4e3f95f581f15ee1314

SHA1
6c128a53de119422baf9b33325c9bd9d2d57e796

SHA256
fbf86a0a6c42bb4b8196841b30333db0621a3a32774331f7edee966ad64bdb66

SHA512
a2d89fe8d906c9bbd255d8956b39850bf1bb2aa9d4409f0d14b2bf79b732f67916d08c50f71095e0ba864e63ea887cf3e7eaec114ab72255cf706c0f2d53624e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
69245e0842ad8c7ca724d199fcee64ec

SHA1
f1b45e47c5a2244bfba28eed8d1434fb9b458a0f

SHA256
8559d750ff9701d0f87139f3b4095d835b4dc77512282bf77fc6b73ff3ecb9f9

SHA512
2d7c08dfa632a67aada6140c92be7827c2d7db7eef06bbf8ae8e4422fb5e379a26ff20cf66753a87d8bbb1de029b9293144184f3faecdfb369f03509bacf7cfb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e8dce5570f7d0a71ad6f6bed230d2cc1

SHA1
7459c251b1e0d73c619758397ada6def185d78ee

SHA256
e29752fcd83acddf8eb0376fc2f8ad311cd36db8613ea9bdb5f449e8842fe951

SHA512
a62041f3b045e750010afdae2f01c726e9d5521f9a1be60807686f98563d0202f51615f09da60b285847ddfdb269f160e3bd74bf089d9f6ffdf8b4b267f4fd89

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
61fc6df126a3e608719cd1e5f920d92f

SHA1
69929649c9a68845027c875487f2181a07f36f81

SHA256
3bae8176bef69a2fa07304d6de6059c935640b9cff1e131cfe614e31983ca7eb

SHA512
20bc284f56f886a099640d67f506324ef606f08ae61e2f07f4208dc01df816ec75e088306a6bf40ed2fa34d1831b912231e84fbed8b232b57aceed1ca3529f64

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
042f10ce2768d7434c638b96c68f1d5d

SHA1
fbf3861c884745e3a7b24ce0d97ae1f6818652b6

SHA256
bf908996238a0454fc728e5b41e38cbfb732b589af63508168622bc1b4b8a7f5

SHA512
925ac1f245fbace4266658167dcc91b3bc7504792af6e662975b44a95c6aff7f9f7c0488ef68261c1abcd558bf3ebf783482b6a00460974a809fa8d480e41f34

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3121c929627d173b693ae0a47e6118c7

SHA1
8a3aa53b5952d51e2e43da6ca8ac06d673adea51

SHA256
a9b40d7ed213cf69cd148a2e20951df98e49704dba9ea7dce8d1322b6dee91c9

SHA512
0110f278ef9b6d37fe87979e4a7b4f48cd3103d629d205118b271a7268d2b29797f853614f48bdc0e734da0ddd6df452687741cb74f012130cdb0d148a5d20a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
029cf62e59b0dd50847099a96b9b2ec9

SHA1
07aeda717d3bdbf289661824ccce0a8673eef62f

SHA256
9d9b4b2d501c1ae2a3e1b6f6de2099e3c0075d69c3d58945a745d3651be3a033

SHA512
a4ad90d59e2bd5ca2b27e1f3d895d2e1ae6340786c189e4623c360fe2444a2863200835407300f58789af56b53ab92cc0eb90f9a66b7a89886b6f69a64deec36

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
092f933c380f8d7f8ea61d0c8e7cadc4

SHA1
31ae2ffebeb5c5bf2265f676c3d8d8d3d7d5749b

SHA256
551eb35b5f7a661c95c7494089653f5fe7237bd5cd39fde39f4dbe6e98f2537e

SHA512
c955c63d29063e70580bb086fbcf077a9669858de1058e19a65f589c4704a5352d0170d42b9e6756859db11fa11c6f698f36661d4e38daa81167cbfdec6bfc58

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7cc906c7abf9b3f7bc958efb64eec056

SHA1
8375283bb6a915e507f3ea52a4bc59a8bb86b706

SHA256
4be13f84806dae16d4d8633b18f66340b752769b4d6c9426d019dc6589c48f00

SHA512
10248fd465dbcfb639c1ae6bffde6f30a00976b699b791bdaae1bf38ec925e02faee6e5ee00a495ec946b626198e6033f92f01250d1ff989a9e8902c0efed36c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1105567dc5bfb6ef8f888cad3ba894ed

SHA1
703d0ca3913eb203ec63957eaba62c4e73bcf17b

SHA256
0ba8cb549a5ff18635f16d954761c3cc6393c35c67975773f2d29364460eb604

SHA512
e5d90fcf7065592a771e8192f72f2d27aafcefd6df9bd62241b71184f25ea11d5b95b9a6289b59489bbe91c6f75f7ac150989ef6ac54d57e0213e22dec7231d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
91212872e390d3430bf36beb5dcd7542

SHA1
abff3dc8a685ef1107da61900b37e840828d64f8

SHA256
ed81f57ea7843366d26b0ae87cdf88cadf0c26e32fe08b08ceb6257dba4831cf

SHA512
590524ea9e3d1304c2ca58de739416da444ac842452106f5b61eea132e08ead49ea6ff6685bd4715e83d9a870614675186138407564f18f14081fbbd5655094a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
78921b9ff8528df9eb7b9229cb072de1

SHA1
45540fdd2009f52093115fcf80ffe271a20edbdf

SHA256
f88db563fcbc022348554064772aee25e5eecf7d02e7ebfa89c96c80e01bc01f

SHA512
6cdfa0f7355d61d4647fadaf53ac8d9cc025ba3671b35625f2df09ac0c752cc6991dc851f7dc3b45cb8862214a5caed619b55e21adbe91b635df5e4a26fb3ad1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b0b9ff75484c652e97f69aee0c3f14a8

SHA1
64908ddb978e7712f48011c967d2ac3e8dd0e130

SHA256
f0c46bd11e40284a871149ebbabd452a26150f72c09da2d07871b089b2a4f9c5

SHA512
107d0db083dc3c8e244d6e6fabb5b9c22b60b67ad64a078f4d32b3d4d687a142b505b9a6d1400e0c7f99873b2df53718660432453e2188a04d9e2bc287b2b18d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fb9dcb149e79f3ec1b41a101ae2e4b45

SHA1
2dc98a63db3c6561221557d07a465919aa3065b2

SHA256
35c4824ec01cbd407a4c72f33028b2b1c8748fb365b903bbfc2ba844e1b7a0c4

SHA512
e2ac274d4aed23fce75fea086cbca7a6eff39e7db8c8246bb3928174043915daf4ccb6db33c0e826b6d4c3db798d4d82bae2ae1e48f9fe1b1edcb1469e328ff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b3050d63c2a76439a5330c36fbc0b83d

SHA1
0dbfc47cc9536afe9265e728435bf6193e942919

SHA256
3622c82a780c2db1859a1864bedd902dd58a477e436bf69879c6257fee171749

SHA512
2a57754a9257d39e3249a1d2c2030e3d46b23405637176240099f6b6a29d13ba679ac42350d0b3595bea43e4b25b7af8fe8129fb9e9f554f283bbbb593bbd76f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1015ed5fe3ca86a2ac28b7c5bca0928d

SHA1
7cb196f943f9fa8e10618f73e4261cc8d950d9e6

SHA256
196ba14359b02185d20c65782ad1d839510e1ab51246199700f7bbb3da900d25

SHA512
c181e7c28499c40ffdc327c164fde8a4ea189b02287d6e0ddec1cfd97f32ff3cac96d28c199a1fda5628949f78039e7020384ed6ce2de952d05b4a028ffeef30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8e5dab3aefac7a4a0047d233f2a0d321

SHA1
364ea42f9b856064aab33f243c4256cd9e667309

SHA256
1f44a76c8314c628bebde068623fef76ebcf5f37c802906d9cae360f1f9b1281

SHA512
7d1ab55d7e0e3f6d5b87c3be2786322e215943b996fdc356a638a690b415a6ad6d9850b1ddf72a3fa1b199391c47afb22e251947447010dfe510a0cad8949f77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a377e5ae934e248f0b74e973385cf143

SHA1
a320f70e58a5969b2635aae19a7980ee34931c04

SHA256
6753cbcb5f601ac14002182b05a5f9325ea93e9544b00a5486d52f8cb2a80eb8

SHA512
3c458935c6bf7ba8c923bf4e1019f27fcb49c4c18d5c0d44db09c7e230a859796f3d5d010d3caa81a4f9d70bf840a64fc6b20baf52736f76682e273e4d094771

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
770274d8e495fd3627a932c3074eca16

SHA1
3eb9140327d347e6fe480d20fe2ec46074cacb8d

SHA256
b52d79450cd42383154e373363504ee27c8d232b4a81ff10ae3006c26a5634b6

SHA512
6ea7411c4ce0e8b90c50c7b4f90f075142344daaaff2b2023d64018d9ec046566a3cce46248e30ba9d7eed0402a6423c218750cdb133363298fcbfb49578db19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
feef5d9bd6d15a2942de8df2963dbbfe

SHA1
04160f6b70e9351ac601d56917897b21faecbc02

SHA256
f3435f00821b1bfc895b168f47534339a71593ad602500509630254e60409682

SHA512
50d0db256fcc2d8f7022f47687935f1e267f70eac3baab25b0fe8063fd0a717578db9ca30205df43a8d87c2f1d4ac85884d6d70bca36bb06fa867de8490ae5c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4451169de72161bad019f98f04b1edcb

SHA1
8fb749b9947ee6ddf8b1154e94d81eeb438d2e8c

SHA256
c8e9493e89c876d986dc078e6b379fb00f8ba41700dbfaa908d8e163a76d4d4b

SHA512
ed9b16164c36667b36e356423c8565ca0bd5f1fbe74716b49023ac55435c532fc3907bb84004f18253faa215ebec8ed029782a738e9a30c75f07c9206b2245b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
251202a5e40a3a8e3054b6cf32b36b58

SHA1
63aca9d9cc416b2528459c04f5cdef591f52fd4a

SHA256
73693f11ab19e21e40fcdd99a7f94b78eb2f21f2d9436342bfe02271870a81eb

SHA512
467e0aeecb4da1fba45b7156cb82d0a68c36a32b9c797fe433fb511b2d9350cee48e7c7d2e51dfa428c4f3e891b045a1ac33d01d227e4b3817d07f4cb633c7e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7d7cf9ecf8f655635f537706a112225a

SHA1
f1ead8934fad2cc110cbbe42c460e6b288b0c431

SHA256
82a58d57fea2288de0168e954dff6bc2d4d94b64d332b96f766e9afe1315ac38

SHA512
bd79f2925cb0791751a4a062e58a9cdfbe7c0912f4d305606d531297051f871fb41f7ba9aaefcd284dbeb45eb2aec31280388106e1e9f31757a9eea14899e23e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
622ee82831ead48ffb68da03163b053e

SHA1
b063a63f7d3d7ef9d669e42216167ff55c1bbb7e

SHA256
e03e1ea2fe1699ebcb280d8341084f207b0e34756509758877bf2a1cb61583cc

SHA512
ac1112c3c74bbd59f92057dd8ad931096faa2aa0399c6680e2cd30c0dab1fa4107357526f9d7fc8792cd22251ba0f5551ec5c0bc2a42c4a4a1a9bd909c0c4a6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c0a8da75747b31f488fdd83daf826921

SHA1
ae25ad7c824718a1cec2f76ba9606c5583697a90

SHA256
80dead99a5e80b3a0ef5e77043a65d6d6f768d22d8d3af0ec99d2c92700f63e2

SHA512
0ec31dfbf5291d887975c677a8072b392b2a764dd4d15449367214b2eac8810f52ce4434d831f888a26ca187b4633691f7f00189022ecfa7f83af374e11e3ceb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
7df123383b2b9e77fc3ddefb1eed2fc7

SHA1
f6ad4e3b26d5931cb0aa1d251f312466b80823b9

SHA256
ee89191724cd5fdae568d7b6b3025c3f9197c3622ba4042dd5f625887bd226ae

SHA512
fa5e82a2c329a7487124756fc5c3bf2b54834ad13da7d109cee3f144b04bee57ff76394df38b538c30e974e7142bb8ea2a340d4b4f1a7f0e54dbdc789be77d9b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4a9082e4547d31a70aa5a49d2a14bfc6

SHA1
e138a8410462a9fa0b206d23d699324e4929e57f

SHA256
bde8a9181ccb36ca4af57803bdd98ffd35d042bd7afc96ec70c87b5ecdaeeb66

SHA512
0b4abb8dd7a4436a78816033b22d6340756772933f4b533ece1a56bc34dc7fc1811930d71aff4cc65b08e59760b63a1462e3343a3b82ee99d0ec583d54f978f9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f4f2030cf9c8a9db5ca54b4827fecc3a

SHA1
4b176a15f137aba34f5a1c985beb0ec1d7c9594c

SHA256
a69b078fc8aeba84ad102d60e90e5821c5bb5797531930e37461bb56b6079a7d

SHA512
fd3c5436db650ce3430f217408f71c14e2f4faea7e69eb8af1ba39656908ecf2eee4c527181483d69d9989f0319cd6945bcc85da09832071738d7b031437b851

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5b605b15289749bf5897caaf1e4c760f

SHA1
b93b9ee5eabfb9df4c92c36963d24737cd9a70f1

SHA256
a393d753b8aa2066392d1d241453b566bff5f76ddb8a55aa0ba37776e844a663

SHA512
96c667973ccc328f6b4a02311dc302f4cab1f5d838c15901d4918aa0fdb6d1d4c3b603054d37c8d7607157267b17130f5295f4c8b42bf1d7991686cfc7bab245

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a5879fb63bc55f4780f5ea2d02e28251

SHA1
c673146ce854b474305115a02a95b8258056fe20

SHA256
84f1a5b3dad5682aded48ec4620c5c1b2a1ac47416d14dd37b67002f42365c6a

SHA512
0b0a77a58cc9bc8913e75051a274567c247a753d2d2b051587afa5f646475f3c267dabf218728381d5120a04a1413deea1fc61e6e2c0ad69b9c3f8e1bfbea19f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
60f6b9568c9b0c9ec396ef269a4f881c

SHA1
ad018cb2fd7522b2b92f0cb0d516b6cffd8b81fa

SHA256
b669acf16e35821b535123ed17c6450e3f6bb72d4e1a10407c6b3fc0f543cf4e

SHA512
d991960069dc0af50f2abb8cf44d42aed81abbdcdd38b0120ba3d35a16564ecf2afb3f158f1b26f07b18410fbc73c86268e423189611ac7539e44fc8d2090308

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f1d4c5deb02a84ca96458642a0b266aa

SHA1
3143f980c9b32e32e1e3cdc4073d92fd3a9df113

SHA256
135df7e8b52cf0919a8897b59464216363db49d2a722812d7d896abdeb13b164

SHA512
12ec85610e41dd180847e05ace49c787514a15d0f30380be82ec456d13864ca8d51a9613ef30c2db47403a9fbaaaa90073020de92643b9012bc65e73c3a44d60

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
77e1173a292fd279c9c3ea6cedea9994

SHA1
ece1488b2ca67a0a1b5d173cebe57ae0f518aa9a

SHA256
e1ccc083dcd96c39b0727bfba611e5730f6819f7642038d2419d6e1df58769ec

SHA512
296c2aa75e868ab808318ed1e486652ae79a4c29ab4fd645edc77cc967c2d5c65cc4c5cdd94c6d4b3de5e61540acf8b60642d02a999018db3b7c62615a0017ef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
643b55abbffa60c7cbbce70eef466db4

SHA1
d4eae978e8f3ee4de674bcf72362cf64efec6b82

SHA256
1c999a153ee847f16810fe569195a3766cb2d5373ce53ece8712bdb9d715abd6

SHA512
8faea3688ff73a4bdcf75930362689b1424697b0c7b421db035c32a7f5fe18702e22546cee4458042a243a7026124393ea98a7dea41e60b21492984dc01e9f26

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2c41d2686e98e2d22e40c4a322eee688

SHA1
4789dd1c174245d8904d1c590fdd1272818ee7e8

SHA256
7d68a7012bc586bad693f55871729773bdf9860faad9e924b7544c6b4e408274

SHA512
511440e268e86cab68f4a5d6388d4bd688c7d5925f9348e1b85d9702337e1353d0bb6e293af1aa9f9427a4ba9325adbdc0484d56081b10a9d2a2d93c478dd146

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9e3f324189341c03f9c824c270eabc11

SHA1
f3adcd0584d4cda261f0c90c12411207ffd62d95

SHA256
6ae31ff5a10b164e350aa1639ef5c35d9790d552d47159f5104e01e24e2f99a3

SHA512
66a4f274c3bdeb858b2bbdd68c7de856dc16bea8bd7c2341658c69788f532bd569ca3742cf071162901b51a3cfaa18f4346c03a82544b1f9b656330b45652725

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
df62c4c3fdbbd9c71c115402238b87f7

SHA1
653141ce26543d86ed0252cc246f40ebb8266961

SHA256
c57ae09af92a0b23576f74305346ff980d48af38466f88369468f35ed968f1f4

SHA512
a5fa37372e443b69e2a0a9014eddbafa3430af1e8a688e5039e9888268e217d260b3487a077e80711030a68488cd844b386f7cef78a7bc41d41ca174ab0bc76e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bc08815d9c27e449a3332b0415f99cd4

SHA1
0db41d07b43a58547c86a54958afba593ed70b76

SHA256
28e4e9e9b858a304e6a8091ed8f0df368100cf5a2d59e0a0af3414e34de14655

SHA512
90f76c8fc7249402178c1abf7bb5aa4581ae1f2fe72ddd845410c9f2fcdf18d29c98f5f674238d894f68acafe589221f5471de0c5d659cea513926c788a81f3d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
63c417043d0975eb3d0e440ce555a93f

SHA1
43453c50e3e61db399b3d8b8325a0ada96eb1bf7

SHA256
316d63bf8558bc0b4dc27817f51b15e81f004ceff0bd90294b13f7b770d9073b

SHA512
7e31c73a595182cac01794f65eb380475eb5927cee29c9497db775b63d42b63e0876750eed10abab20ff84efbe61f61a2a442f254debd78f6b15beefcc1d50db

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d59962bc671a8b5038d2c23bfc9e49d6

SHA1
1c548764a7b6afdbdc9321d3d1b6dc81235a1af1

SHA256
654de34bdbf8efcb03af91f7e4d780ef04c6bfd35942d9a509376dd06f85a5e2

SHA512
2c837a22f900a80cf9b4ad15b959f6fa8f7c07c0cc9edcd4416b7a18180737888eb320dd41fadd4aebceae410c456704e387b87076239769dc1f044238f456be

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
095229f95197e4258445c5f6bb874046

SHA1
09ec7561d2892098145a7375ca0ef8427a0817e9

SHA256
9b701806d577e58fc418e67d9911dae39f90bd53f77e0e1ed167000f279f0250

SHA512
1fd612a29e8f5baa18238a50b4d4f233a6179dc09c3e71d96ce638f793ba8e2ae74607ead7b8191bf6afb6085dce76d900aebe92dfb02609816b3c337cbbbcd7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b16101efbaa3ddbc0c4c9cdef3b0d3f3

SHA1
cd7b6bef2f29f21a0b4fe702c2e6248dc27c0183

SHA256
82f83e8c8566d96a72cb869148f414220cc05832ceb4baa0f5ae831ca6e1a22b

SHA512
70552e29a6c31bf7e8ea646c660a12da5f0098ffdae099a76f4ad95ae92732ec42f94bd6acf760d6b7fa1c4d5ed6eaa2a3fd93c18a688476c276bce315e4d063

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
735060986db4395bbbc9317250aea848

SHA1
a894ab04112fa9e4bae6f15089950ec2a10ba8fe

SHA256
c238d8b072811afbcbfde83047030b33bda966d382e3d6304df8a0e995a230c5

SHA512
baee4656d42ba32a762928c3dccbf9a215bc359e4458e677fe2c9ae33fbecc483a416eb0b76f40085ff2d15d8cbc6ec8a44ddb1b869c44759f9d0d0383952f7f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6e7e6d234f31611e9e189751f99f286e

SHA1
67d9e9db973e7723a01233302e92b8b331198069

SHA256
6df9726a49b9a7182bd89cf9a52234029244ea2b0e3d681d0fc1c535b4c432e7

SHA512
018670b8ba5ad1172b522589528fd604a5dd2ac1a9743bc6745f47dd7a67dd3f0ccc5807ec083eb35718ba47ec7aacd782a69e8cbcd0e3f1a46f0109d25b3f50

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9cd8ae3a4ae69ec9e630d8e6838fd107

SHA1
68043e16b33bc38b363e7fcf7b9c96fb3be30b01

SHA256
3d21da6d666f540f5ad1da8dd8327b32b98142c83187fe3a013df4eb5349525c

SHA512
145cf209b5d0185df22fb8cd750f0d9cb2ffffa41a658555cc529268d6b39878f25e64d9575128beb3717622e3b38029d263cfc6d23eea3aceb399c4f055f3d5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
45db61c7e2e4f579d553fdd5bb422d95

SHA1
ea12db517d305de11a36793106aa3e0f73735465

SHA256
65a756e947901456bfd6353523ce5a3fc0e98c8ceb1cd480aa996d568e1a1e6e

SHA512
3de564471919d6f2f3bfbd31e230d7bf68df0720b45e2511cf50a119e0c93cb49ca021ee880db00c4e48a48b212c65056d88fe239a9448c5507536199dee22a8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e99d88e003827de46c960796f0d6a905

SHA1
a356356e3b89ab2f9c035200f43bb55a5fa1c283

SHA256
bd0b399c2063f94dafd3d376cba29fc543124ad0fe9f936184bb139754992326

SHA512
74a7dd1993db89d4e3ddfcb76ca1ef0087f7177774768bed08c847b21610ae80b86e1719adce606e36122104cfd2589ebf4b37e9914bf3f28580c9faa567a3e3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3bed030f8c9bc2e3e2570ce0263e0e9f

SHA1
9298cbf7d039ba754cec86a9176bcc033068062a

SHA256
ffeb83edefd785f7398931864831f40360fb64eae416154fb34d9705e6f51d34

SHA512
45b0174731845bff3e0cfdaddf51fe8d506be2099b942728548a1dd7991f0aa36be330b2a4499b219ee98b805331226d3eae993d55733f779dd4e09b19bb31a8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b1037934efa03e95267b17caafedaa68

SHA1
17879ae6b011d13fafc392b40292b64abba82288

SHA256
e6bf1c52b4676d099b521f8de656bb00195c9369f01f1d378656f128496ca7c3

SHA512
fb5ebc9d3822801193011c1d62fa8b3a42f74229eb84e313068590a9fda768df4eaee9e3fbc2d4f05000bec88cf2f5d2b78b4f453c3f8aa16b3a332c528d18aa

Download Submit
memory/568-76-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/568-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/568-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/568-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/568-86-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/856-51-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/856-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/856-40-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/856-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/856-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1044-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1044-8-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/1044-6-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/1044-446-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1044-2-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/1044-110-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1320-511-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1320-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1560-249-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1560-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1568-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1568-515-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1584-53-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1584-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1584-59-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1584-200-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1604-162-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1620-516-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1620-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1684-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1684-160-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1684-21-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1684-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2060-161-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2368-262-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2368-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2552-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2552-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2552-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2552-221-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2752-163-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2752-508-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2828-610-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2828-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3672-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3672-35-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3672-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4000-612-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4000-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4660-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4660-606-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4912-605-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4912-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4932-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4932-433-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4960-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4960-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5084-90-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/5084-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5092-250-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5092-611-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download