60ccac65bcba21179c9319cacc6ff49fb0e3aed835cff89f8307e59a2d9a3050

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
Size

1.1MB
MD5

17b83decb4d3a794fb6fd2a4b1ab9c10
SHA1

5205c13ddd0c8b0a1235255d8b703c6da21eebfc
SHA256

60ccac65bcba21179c9319cacc6ff49fb0e3aed835cff89f8307e59a2d9a3050
SHA512

6f15eb70e870f051ce842b536d01c6ef80dde3afc06407f493f7133e2f3f3a80b35891f41eee7e899187d3ad1591e67abf164d116d2dc840a8e0bb15e9d3d0af
SSDEEP

24576:+Si1SoCU5qJSr1eWPSCsP0MugC6eTtvS9quyZXaumgObRWKQHfd5MEcEvbWQb:eS7PLjeTiqLXaR8/dJTvd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4180	alg.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
2572	fxssvc.exe
2700	elevation_service.exe
3964	elevation_service.exe
1752	maintenanceservice.exe
1444	msdtc.exe
4980	OSE.EXE
1648	PerceptionSimulationService.exe
4896	perfhost.exe
2040	locator.exe
4596	SensorDataService.exe
4588	snmptrap.exe
4232	spectrum.exe
2720	ssh-agent.exe
4532	TieringEngineService.exe
4684	AgentService.exe
60	vds.exe
2088	vssvc.exe
1076	wbengine.exe
3112	WmiApSrv.exe
3992	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\43ad41cdc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de9eee476fbcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d62536486fbcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065d727486fbcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039c7d6476fbcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000834b5c486fbcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049c1ac466fbcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ab201486fbcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4372	17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
Token: SeAuditPrivilege	2572	fxssvc.exe
Token: SeRestorePrivilege	4532	TieringEngineService.exe
Token: SeManageVolumePrivilege	4532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4684	AgentService.exe
Token: SeBackupPrivilege	2088	vssvc.exe
Token: SeRestorePrivilege	2088	vssvc.exe
Token: SeAuditPrivilege	2088	vssvc.exe
Token: SeBackupPrivilege	1076	wbengine.exe
Token: SeRestorePrivilege	1076	wbengine.exe
Token: SeSecurityPrivilege	1076	wbengine.exe
Token: 33	3992	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeDebugPrivilege	4180	alg.exe
Token: SeDebugPrivilege	4180	alg.exe
Token: SeDebugPrivilege	4180	alg.exe
Token: SeDebugPrivilege	1600	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1880	3992	SearchIndexer.exe	111
PID 3992 wrote to memory of 1880	3992	SearchIndexer.exe	111
PID 3992 wrote to memory of 2672	3992	SearchIndexer.exe	112
PID 3992 wrote to memory of 2672	3992	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17b83decb4d3a794fb6fd2a4b1ab9c10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1372

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2340

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
228712a8d40c749b48484e37e349701a

SHA1
a6b4415ecf7b9501f0dafbc1f462cb917f630e0e

SHA256
778eec2e758e6a8dd6b0731e68b41687def93d88793cc59ebfb441b0c69d9c86

SHA512
be44032578627374f34b9b4f44d450833f7683b484356708b6e4b29a2348a2f60a201b962cf017ae172808833162c6cbe7f36ef176dbd1700369efd333ed83f2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
a5afca754f996cd741e4366979fa5aaf

SHA1
fa3aa9a6f9c5d8fe627a21340cf61fbcce8d2f2f

SHA256
c3a5f0798e2dfd8352f20597db13f9590e6fed572da408b1ed7a481a3997c23f

SHA512
2eb44651ba5c7601e05c4044ba6e759eef069e80e21f3746ced4bd86138d2c682ba6c4a6c4ead403b1284cd63d9cf648862d48e6937352e6be043f446c7da4a3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
edcbaba1008eeac2c6a08a2d9aa88a84

SHA1
5550416ba61e6cec0e6a131eac8877bf1bf22961

SHA256
f0e1a8178b5523ba0012dc897c8a886bb20723b1ce0348b0dcb18172e00b1f32

SHA512
a1108da492dc252079fc724e917eec3eadbcd8d04b04695860ad348ade79913be53a103ad280f10087f73106d937d4070106367b5bf79c2b163732cc6fc8a77b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f0e46f97628d9934013ad1a6c0ddea64

SHA1
fa812177fa887893e13b7f84573fa9b07b5d63fc

SHA256
dcdc78d06f091db66f0f80345e78c6e83d603b6927ed972bce13d967eb2edf8b

SHA512
575e2763c2f5011cd9c427263df41ebf89a4df2c1e9d25bb976c7dac2e34b0140b0a6cdc2389aee8fbbabb08bd0bbb935f496d5f9d0818010cecfce70257e20c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7e4ef60fb4973202c7863c38d254281f

SHA1
39ccd2b951508de123c4f605558686aa6918ea18

SHA256
a2f29e20900287611003922303cbd679d77a057a8ee2ff6c494231bf8f567178

SHA512
2a87a822c83d94a1211dd5cc99df7ffb93d0ff1911afc03e359ef1416431cd897ad260c05809dd7439e5e16e2d079d72e43d4227efafc553b84dd41cc8568852

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
1f9980019163c353104c24a07ef07599

SHA1
13f5fd503e9e297f2abb5a96054a0f19b90bdcd2

SHA256
1f244f01831ea83e1a79cdc95f67debad1ff14d0324ef0771069a03df5abad91

SHA512
71a779aaaee3ed3ec3c7e3d20576a77babd0a678646e3727eb3b051b995b2c9e6095124a674c6f2a913cdd31edc8e9d88ca717c19cf34bd3d37646bff8ae2ca0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
1c60935315db9119f52e30d1aa0f76e0

SHA1
ab4167bc792b132cbac427780b44af2cfe59ad4b

SHA256
4a93d6bdbc3223d9da18664c75c8968b0f0a54728ed2a569501c660af99d3e3b

SHA512
fb6e4e29e91aad72952f27944e955a77104ee8e3eb4be5fdcfaf3c832ce7711ccf45a237600cd8057b647c534aa5db756fb7d6166a37ad11c09a6caa3ffeefc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7b88c003ee5918f3d55bb140d4ad2cc4

SHA1
63751376e9324ea425f4cf4499e924e140e462ac

SHA256
b05c5018116bbf1cd27c131c3b18e782a51fd73fb6f135efac8dca3e202e2b70

SHA512
30ae8e9ad99c35b70ea7cfbf497a0feeafe8a6c425f95e89c9d9c8ed6b425c00c3f67ecad9a3a143d6adea841b241c3aaabb5fae05191dd482841a1612f7ad43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4be38133886287e553c5f173442a9829

SHA1
bc9cfd886316860a4fcc9ea18db9448ada6beed7

SHA256
16b2e1fb801d256d5bded8b34dbbf7fd38a794f22129e53d5ac62914d82e6344

SHA512
6868728ed2ac15c75c5983d1e02e18111c6452507390cf6f4a3b3171807d89ac94428cbf89356b4ce592ae35ac79e180f7d5d142f838766a6fea5af718104263

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c444c8e403981fe08ec7c23bdea4d942

SHA1
8fd04aae7353f9110586f9620f089fdaa2eb7fae

SHA256
9ee1b7995b242f5d9b0df8469b1be88a74090cbd14eca374d64521b99d001df5

SHA512
512aea7217ae90308f7c1ab7168ad703a66559df1b2c7db7409a99304881724201aa1d4cb03a82cb9d02b239b0ce3aed5642ab110c7454246cfa8c92796f2870

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9979c2a12842480b7552d0f357dd23ae

SHA1
1dae026862bcd3c4670ee1da274073f124e33dbd

SHA256
7c3ce7d151ca35a5e140de19bc25595fe2ae0be7a7c85e00200d57d885b211d5

SHA512
d47ac44e33e12d82c31fe792c52bddaf25e858174c27554d361c0384a2717ba241d94655810174eda61175c25121abcf250e760aa3f78618ac15a93bce67059b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
45a98fcf4d0e756176e8ed6ddc10b3df

SHA1
6e7eb7ac04e462993c5269443d42ad879b54963e

SHA256
e3de97af4dfe0114b55d463f7dd5bdb4fd2d0e44e9c4d9217ced03eac84a27bb

SHA512
abac93f09bfc6db0e2b83935bb42239f0bf0969eba89b337e470bbc80e4875ce9626199656319297698957e1a3f5c4b4f77833a44830d38628284e9959171930

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
bd1c49d9b6d553bd74a6b6b5436dfc31

SHA1
6d4b9075e4aed8e4cdb1b04331c950b0e5b74203

SHA256
752bf68ad6ce3c408184d8a26e5df0a12b154bafb84c8f8df6a2612098da3017

SHA512
0590f9dfc091db004bce35df7e1fe207cd13c34d7c5d506414b06ffe193e66c6f761dfd1c5091d2a6a0f6e2d996c74b1b7bcf30ebb4542599efe6723126d4d81

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
b36b58745ee264cb3203ad0607929523

SHA1
c355802bca4f53649640a46df93e1d72d05347fc

SHA256
335a8bfa34acc8a239b3eb2909309fd3b4620c68a2aa4bf49f61c550cc36164d

SHA512
ae1d620247a337427c883af0d5d2f7f01529d666615253121fa607c4d8424d34388ce1cd9e34c103b51b69466f191b83786696c67e69cf78553a320b05007acd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
03667eab617ff7933cae3baacea64de0

SHA1
5e7485afa0fdda9368c19c0a4751ee4402c6f2b5

SHA256
69c494b5be5c6c9b6b9ebf55b4032549d788ed4822ff78efc5f8843543f44858

SHA512
02b97cd4fa671bf85ca86014a7b876fbf350dfe1203d5e2c36bdd4fed9fb05a589a8805a46aa0b01704ace8dc507d92a20a22c4aaab8ef64e1e8b7229ac33438

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d41401df44906641b9c4884408e6478b

SHA1
e54f49c59d7b6b25163c2bc6cefec29a52758ab5

SHA256
c29cabaa3bccdb41284a6c4ba21d56921f9c90e766d6f4c189df9e062795310d

SHA512
9da3d0edd5ed21ab96dd95d86a388b2f90e9b41044b01a621089a72cd7981452029a6fe9729411c2407ec8275f45fa58685af18cd648d2bff0e13dd0e2e7871c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7a06d2ee998908da25498cf8fe438d6f

SHA1
08f23c4d40d87f76138907161f90a82079065b89

SHA256
20bcecae4a2f51a4a6c70efa1784510a590859b76e9254d7cee15ee162b30762

SHA512
39145e3e6e596cbd4c06dd042198fabcf09b415b88f36b34073dd5eb013bb6c08819d2d3c462f2f07b680c6626ebb82b8490916694d7fcf2fdd98c985bccb125

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
790a157ad822e2bb594a81546610cc5d

SHA1
7a4e391906dd8afe8819e91fb63c6db04b696fa6

SHA256
1564e03f776b4a5b6fabe8fb2703907f8b9e8b19e312c82486b0884a2c40f5c3

SHA512
eb231818c358f5e4ff77f2b4377e266f339a016ecd5376a5236705207ff11b0f9101700369b696165f9dc36d880cd669ce115c8a6022e0be6dabe5db0fc7c1fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
490df1de7690d4746afe80851fad4530

SHA1
b5d0eae3f54ab0ce6d2aac367cd5bec0443fc804

SHA256
40a094cb2f91ceb78820653d598705586f6a23162d8c116774cc52191e1d7933

SHA512
46fc41a2457f95918de128d2ae4f788186a4b5fc4d55d8f5d73ec217ef3ec2bfe82b47baf6ec868fab56b8ccb8199dbdb4d778305fc25d40b205e1eacb1d0db0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fb01058fd1676b5025f0cbeb9e009238

SHA1
c6f77926f9ba61bed53a97523851f698264773d5

SHA256
f58ba25441f636821e730d0640c84ef0f40faea6dd71c84ef6025775500fd28c

SHA512
778dfc9a42f07a4a38a0a4471892c268e93541e0a2b0f1ad0b4174eaf2dfe8dfe6ca0a2c5cd3f06b2dba1bd98d1851ad089b40ddb2e3d7508c178c43941ac9fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
8af62fec313949d11a9fe77bf2aa0378

SHA1
dc20603e1e872fac91143406289c76b0aa7f423a

SHA256
594f718cfeee6b25f24488f91c573ffdeccdc1e41ed4641e0d1d82634c351312

SHA512
2aa21b575b55fd6c0438e53778463a65aa206e71def8e0725b0ab0aa537b0f6e9f2a40912796d89c40bf33af59b9af7069764b5f01ca36f2709b32ca64555ded

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
60395a866d6304fc124216ef37631bcb

SHA1
7555f7a999447786b2276703c87b2047ed881e10

SHA256
e24a4d6bfb64ae266dde4ea2ec77c7c6c1b3f8f011b40be0ebe714fbde060aab

SHA512
206d001d385c31f580933b98555be46f34e60efadb31d6e9ad97c84c10ab6c71db96d88e1cd00f3169cc00353f812c0dbb41872d1f34ff2e56dbed82181b259d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
e12fc6a6578ae83a9d69883565e98d52

SHA1
e2ad85f893b4c481de9f266ea89902284f36743d

SHA256
7a2efb06fe17df3362d22139b35b07f323d4d4c054a937e2c4b1aec47db4276a

SHA512
153b2a378f2d8e38324efc957b1ed115b2833d9a3f7df68d89eef1b8831edde0888f19f3ea1a5db8695027cf8d5ffedf31048dc180414a247315121e6a848ffb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
304b670cce8a69b5db9210865e325189

SHA1
0c427021aa2beda431e10178283c0d3688b925f0

SHA256
e6c17a035d3aa44828fcdaf02f1edae34df9c19406ac5ff797189654a820816c

SHA512
9777506a94f6d40d63cdeabddf3185aaa440137b931515a368a60e28e774c80d8906686eedd2d9898c63af68de8944aaa4d3b0dd9f64147a9380395312ad46a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
1f5e70440512f79b68a4a7328526dfbf

SHA1
fa72221959183b23a043db2c0add82884c5657de

SHA256
1754467bce4e186b50dce3bf0690545604f455c9494f4effd66ec935b57618c6

SHA512
c82e59bb00f3aa47af0070d68b46af3c10fd4ff94965a59e4a0e30a3a28fb5938e7e099a6190d7866c8f10eb9e19674bbf78627cc97cfdeff4fcd60bbbcc4a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
5bbf0c16a19fcb53e541764c1bd0a35e

SHA1
7f44603e8af15551dcf7e40222750801c3f43f91

SHA256
ce5cd9d362056a4eb9be20bd4c338a6f1741a5332ad64ffe1f46006a6429fa80

SHA512
9035d13d3362cf0d1a542b946bdf36686c56e2dcc6144aca5f4e89092d1e63109c134aa7e3ac62770c8c84b21033bec200ea641a36f2b494b4695efe076ca117

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
6359e605da352ddd7807b302b8719bf0

SHA1
029cd43fcd3ef41d3b24d874a583ce963934e919

SHA256
c4337f1d0872ea4955940e22d1e5e41459f32e3e727cf141eece7989f344aa02

SHA512
c8578fd5eee94477698e5eb543661b6b1806fb23ab25c7c65048d6efb482df2928b69a335f90a4f7cc89f21e4c9ba1ff2b8c6d4f6282e520712a7885d8db0361

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
12186043fb5c0b9e345805ec83168a4a

SHA1
16419f6b46336504e9870cb204c47eb53ba8c631

SHA256
5aa7558470c9836428cb2898bf0980d0547401d70b0831f8738208abec823579

SHA512
c57a641fffc76b9a20ba36a744247202243116b84597fa140afb25f7a33ff3a77b329fa4f83bd11a8484e65e34dab6880fe6f90225084da1128682e41133d97b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
35063d63a1df1b6ded594f6233c2c995

SHA1
3293b70c73add1a6cc88dbd841862ae3947f807b

SHA256
440c3a6e383ca21aaa3a11e188c47ce80a30e015a1c9e04f0dbdbac0ad9714dc

SHA512
f170e757ac67dc22242cbc0c0d42d9195933d761273fed436eb544b5ae3d91e773d8bfff0b397dffd682091cea7dd8771c9df52078dfb347e51886afe770e614

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
d413595a899efd5a30757e426cb19933

SHA1
a3cdf5e786e2dcfd3e9e2c66ab71c41ffe2064a0

SHA256
793b6344ec70cc4ecf72c57ec75285dd7380f38cf81e67a8d4bb6401adb5f764

SHA512
20b6087c1e50cdd34cafc03662563fb8d0c3475b787b3940139bd56de3e00827ebe545b1ebb4191d40664b67e703ef02d6175afead0154f99a376f9330339af4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
32cd9870e0ac0a779239bed05d8f6e77

SHA1
e68a68d6eed59da3e3b887484ded056c9613e0a5

SHA256
37fbd25413807c661bdf4178385a1de8491a4f452f4bf900668d71726e0b471e

SHA512
7bc791bd7b40dcc9b3f9ee4339a792f4f282d52783be218c8176b629dd889659fb28c7efcd6d34b2a0184291c4394f761bde59ee04cd4ea55c89af043362cd59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
730ac5db868c0b76618d57e4ff0c7286

SHA1
e09739feb3e73625364ad3d5610c6dd112f7e0e3

SHA256
cb6eb313a07bfe0d508a4aa70caacd86bc952dcb22ed589beca55b15bcbfff80

SHA512
e1542de95bd146d00c87faa80aa1ac0771f90fe4e786ac449bf573f551543bc9e926f649e104c2ea7284efd793bc64719a8adb47521378105461e10bfdde8931

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
7706efd3825d2bee71bc8d0969090838

SHA1
1cca02d1bf1cd2aad48def214d42e5ab8460b474

SHA256
615ddf8203df98fb90ce406c64d45574720a3814ebd62970682aa81db2310d1a

SHA512
b15f163a411b57518dde11ef06e6c5a2c920378910ffc420335bf28f55c4a8d23bb1e2e455308d43e4988fda19e4ca000551e759cf7a05c7e3916e0116acc155

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
b7df9142dfaba75be5d87717c80a92f3

SHA1
8df3c02b80506947bdc92f8c3c3297e33cd5e586

SHA256
a77e5f945f631763ccdf64b72a827d0aad1234072303ce2a5007357a863cbd21

SHA512
400d41a470910d71f72802a654cfdcd32801914772d07c837c2a63a75adc598a4604472752ef48efb002a9ecac52ac98a54fab681cbf8d3ea602f545fb77fbc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
09ca7d3e738ba54cfe1b13094112392a

SHA1
11bdc464adfef5e336c2200ea7f4a8ae27047369

SHA256
4236349fc7ae2bd2a513c9d2551010d47afca0e6a51f69d29907c8c7a08f9e4b

SHA512
23b267724c9defb9e6addcca1191be637aeffae0a062cba78afecfcb602467a9bcb4564bb0818605ddd65b1b4a7105905201dc3d2b031bc29c04c2c19b07fe8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
aa80d4dc0cec7a901d9d42684120e324

SHA1
d2a574243715b9527870cac4d57138bbcd338824

SHA256
d5db47cfd735c31f41d127da8800c7eb57ffecfcaa9891c5159be9ae86efc0d7

SHA512
5046743450651b9a6453c6e7cd74610ef014cb05cf4c23be573a0e25a531021b91e60d0c15f8feaa62c1f4dc840e1b4feb6456fde3a70a660058db430fe0a3c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
19f2b5a19c654b2ab34dc7f969581340

SHA1
e7f53a3bb59700d45f258971ca914f3653f1f228

SHA256
745ae5ab8fefda4b2b123eaa8bac62bdb50937b135afc84f69dc9d84394d3992

SHA512
727f8e312d3fb10af5ff4b704f28efda7aba4823e52866776d32c0dff14bb501e75a70d793e88b53141842f9f0f5fc7036cbe7d00a794a58bc2ecdedc8061d65

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
08754bf770cb469a0591fe07f6ca4331

SHA1
55c2954fccca864106fb799dba14dd5b1576f1e9

SHA256
6f83e6d810f7e1be37457d2f03e5747d4a9bb6484bd9bfae010f3fad17e28cf1

SHA512
5c3cf368a84e7a51cb760010fc4e6fe2198f8a52dc4da47a020e34cfe4fe414c8794b2f509b9304c9341fc185ade1accb647b84fcfc415e243992ac7154fc552

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
5d67d875dfc8758a1b435e72b50cd9c6

SHA1
d7092137c6a05d145bf73d9158d8cceecb7e1fb7

SHA256
80af7aace3473712ab47fb958df974db0cf8a191fb0bec4af19d9bc46ce15661

SHA512
5399e513a1b10e4508fc341410737d1933ba0292ee117ba1fd18a25e06fbceb9c35a11647027e396961f168774c7266b933b53663f5644e850791d01276b033f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
5a5ae0918476f8a9d26ea48063f8563f

SHA1
3c263cd3b64c44d8f0cdf8a9f08bf5b03eb319be

SHA256
c786de36aac508f95d04e1d2f5c6e7122f3d8286189f1fa351ed538940930cff

SHA512
372220f3b85376ed37bfc0e153bd7b612d74d7c2d62a69b68140e56082572d7cc4d26aa826fc15dba42f0a8bde24085c3109582ef1798dc154dffa25c1cb729e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3ab32feeab77bf57ecf9a3e04c514c4f

SHA1
f3b1fbf7723a0149571f35d8d90bdb5ce63b9041

SHA256
97cb2340d80204e7d7d8e69439c0cb726952827d06aac56e74800d41e64b6d13

SHA512
2d48308d92a2857e5947c7dacf8b1c91768dc744172cc4ed4a072590e9337f6b11d133030bd575a7728ce5e688a5d21148057b034636501eacb70b3d74b923c0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
fc19f5a14425196ad548222bd2f10ada

SHA1
da92527bf3d4d3becf1ddc3444e64a2812595c3a

SHA256
32790ce185c514d2da0c262ddc9f0853360efd49766b293366a99b2d0c9c8c1a

SHA512
fcbc9604e5c11cabfcdc6c1f740b1b49f3eea7d28b954bcde67232ff43fa53501ff352086bde864e686d5edfac110be66c618cfb55115a4d251ec0dc68e6f847

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a52d867ba9c0e37a11dce6ef42f1ddb8

SHA1
a45d0bdbb82a1bbe52965ef18e1c9de12fb45b8b

SHA256
0f8e2189b38a6aa12eeeef77ae772e4f509e4fd45d9df9d712661edecd975e1d

SHA512
6b3a3cf07fdef58801b46f72e8abebc678441a61ac52a515ae578bc8aaab9a662f48b1234654d72121c2bdb609184f5335ad9e3db150d30dc3e2f7ebcd6bf11f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
04a5f27fecbcdfe0958f52b0c8c06ef2

SHA1
8713736a8e5407bc1a068ff54e3af546d440dd1d

SHA256
9793586db6cdd0caddc7e6f958b0c490dc5ba8ed1021a731a711e3a3ab9f71c5

SHA512
274d50989b2ee0e74bd55b41b733a55a218c7a8bd07f59728ca6532ac6e67c62250ca91ef613cf9b5e3c1e94398563f0e1909d3e5b7fd9e3a9d67ca2555537b5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
dbe7113944af890096a8a5fbec1c659b

SHA1
57c4f6b39af9c6b483ba36f7d71edd9ad466fca4

SHA256
32fed9c1bf8b27b8fe66799bcf568ff8438a390dec47173b3c55e1a0f7bf6b3e

SHA512
7b0b061a0025ab5db067d9c94d2bc09e7dae1c770773b793c8474214253bce1428eaae185658d94ec9579e3184a90449a367564c72e9ffce0fa20d91ee731c6a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
10648759a2fa3a947dd8064aba7e638e

SHA1
cde2453db131832cb86bf43f7a6dc786799e6763

SHA256
24079b02ecb7b6571e9d57b8622d430fd51214796bf85ae8d71cbd56a3a4736c

SHA512
5a2ed58bafe3e620f0a8261a9e990f9a4c8fa259a17368ecc5809ecbb3029ecd2776080c898587a10a79feda14d70cf337151b60698c6a174fcc74a5832cadc8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ade2dbf95a4de7faeb8f2b9cdb3d4084

SHA1
fcbb0011ae45d5de1477cd845ad825ffa6ad90cd

SHA256
7e25a551e3b067602ad99a1cf9c863281034e600bd79c030d908137fbcc3683f

SHA512
502ffbeb887d5b84c698b0d519f15dc84511ebfcccf560e75b815307477ac3e16d919f97de9d8f37d93dd289ba587cbb12a3cc18eb68fef3b78673170fc087c8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a5e1e536aa618d08c16e7d629ba2026b

SHA1
a76cd4638b4ab7b82f25d414d72df3f59f0c0e15

SHA256
1a9b047fcd79df7e7cd4990bdefac361e1fee62171f07fcc068573735e19bce8

SHA512
5451c81888d996479526e1fa3ef2679f8eadc34c450d053411cad3fa9418da9c3ecc08beb38e1f384e366d275c970f928a7c13e38d0f0aa2594b5bc7fbb276cb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9d206a96098a37ff78c0fed288005b0a

SHA1
fee8cd7725c3cf510f7c71ad0841b2c86d83e032

SHA256
c19e6bddd14dac48275f8a74653c35afbec50f20efc4aa2069eca762ae9d1a6c

SHA512
59c86132a7fec4d0eb6993fd844da45fc78203f38883705573094b6572d76303ca6df3c5143fbd21bb720a8642877ba72694d6bd746ba0310d9dc6c2f59d7749

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
a60b66242a33bf7a5635440976eed676

SHA1
a89279f58523f428a659257c50afebcfcaf5d48b

SHA256
c357fb6da6156967e975e5263bcc658214430487216194e78619fd8d2bece05c

SHA512
68b4234bfc0c0fd1b000abe4065ce667fefbcbea2b4a95a387ad145d8d92929956031875984ebdb6ecc7bbc79739fef44a27ce1c5a48f36edbe7db91ba24b6cb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aa11baaa5287543af0f378792845d555

SHA1
cae4a8c5e9cf867714dc6c3074112de15dfc3f28

SHA256
687203351a4ec4f171246724aa23e22f156596b96386ce230d1575281329b377

SHA512
42fca8ba2998093a9160344a8d508c480924a7974298a34415fb2280b87ba3e100a493ecec07e547688392b11c2ddc0d1ebef6b9fb23949a1c9988caac767e1d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
832a2649c18a04a2ca3d16e7fe2d604f

SHA1
77a06e950a79d063743a12ec46ad2d755c22dd51

SHA256
fb9a2518afa40f1e1c046365013c13b17b533123d8c2abd5913709b592836197

SHA512
5449f894690674417834fcc3af33b7274e75373be6be3cd3d3751d4db369c8f20cb3f651cfd7ab055a4683c0297c0048e76843d3b664cf80cc1601d998fec96b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7876f59d07f35e01eb46716041b48334

SHA1
4b6a61765fc71d42467f4fc6a452c19483fc2a5a

SHA256
1ae77750129502d27dab85d21fafc20a77ccd768b82a25884709f92d9c9cb3f8

SHA512
435428d48fb041b7717cf49808465216c83fdb5790bc8c9469eb1c1e9a603e3d618c4b8a0794ef6f6ef76a2ed24b15e6fc383b4f77d458ca92546ff8c6084e84

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
26a089b0fe3cae1c62d729fb4c68aa56

SHA1
30eea8c493d8f93a8ef4d5e78b2cc0f5b118dca3

SHA256
251df683c41c41e36d88a7a505351d97a7ede9afb58853be11bbae954a7185dd

SHA512
ea63de128f9966ddffd2da52a79864673f0b31d8d6aac1282baa32774c1c46d0f4dfbf044e26c522bde69527d0fba0ca3a77164ff40c6293c7353b81454e5b89

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
50f2b08bfd0dc40725e6b86010329a0c

SHA1
546554a0f12a5ee370ed1fa5c6ec53e16bcd4425

SHA256
19a5de49aa7ff01e85bcbb97fcabc2ec2f9ef843cb5f3cf3c7b2ff6df259b3c6

SHA512
d9f11040e0ba19bda54d74ac73155db856c62ba8e7e6e27df510d6ae2e19769011a8d39c3213a7cb0b2f42e3fc22e87987b39a3828c824e41ad9891f8fad413a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
8eb30c3e625890cf6483880455c6d989

SHA1
e76ce66d0514793c618acde47967c836826e6943

SHA256
46002628ac1ac14666223f366e5fc93435199f9e09e705f33dc062aa08a11377

SHA512
acc7d75915fe78d340c797571bde940f56617be7bed606ecc549187b66ef414628050620409e1185329a3cff2a33b3689235f16e0b913761eec288346d92fff6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
76b9ab86bb7e9c954baa0a6c234453dc

SHA1
7b394a0946da8828b4d871da5e4453bed88f94bd

SHA256
45680aa398b73d21173b585e70a812be8b037ee0f4aa754c3e98b209c9e5d51d

SHA512
287ee71333ac55f8ff9fc22eee0522666467d6d19c66773e18be34984ea64074446a061ee7bac652be12a0c5b8f7d5ce5212aa8ba50635c62643c85634603efe

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d097773429827c45997baed784be31a0

SHA1
0d8c814addbe2fb1308d0f1299e35177db5bad3c

SHA256
4ce7de5dc056dfc08fc31df2a2c33dbbd60b266763525593459b3aa20ffc156f

SHA512
08193dd5e60d4d858d6e0c3066e47c09326e92cc1e190fbd5786caa7e4cbca8b3d16754e6745891241bc6eb509479b7f725b258997f416f3ed55e4d4e6d8e432

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
ecbab3ccb79b3f7c491f7d5abcf7b43c

SHA1
6e1adf314977a6dbf4dcc251c1c78de8a6cb0132

SHA256
04a5a6d80a50c75e949fef77dbcb21d9e153558e1b977d21753db30de7da50ec

SHA512
4e4105ec2eb5745624794c546341e1f7ea423a95e2aeab179aad0eee08162d3c0487fa2ba3adb87c6940f6bb50b50de500b6e2d215bbefb4c82317d752e01309

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5c05063502ac503a38033e9477250cad

SHA1
80981f5a6f1968e65851ec994db5f0542834b2a3

SHA256
eb14479dc9bda0db6a0cfd5199869b3b6f5408f1dfc7fef962faaa667f4047d2

SHA512
76e6ee7eda7509599a5a0494c113f1b370d9e0d2457fff452e243fe7e70e85f63aade36b3d6ac384886ac6329e79d3ec23da3e52a9ca87fb0191ddd49d097ffd

Download Submit
memory/60-266-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1076-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1444-99-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1444-88-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1600-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1600-34-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1600-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1648-271-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/1752-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1752-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1752-86-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1752-79-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/1752-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2040-260-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2088-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2572-49-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2572-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2572-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2572-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2572-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2700-51-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2700-57-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2700-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2700-621-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2720-264-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/3112-269-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/3112-625-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/3964-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-622-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3964-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3992-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3992-626-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4180-446-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/4180-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4180-24-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/4180-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4232-263-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4372-8-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4372-98-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4372-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4372-462-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4372-463-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4372-9-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4532-265-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/4588-262-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/4596-618-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4596-261-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4684-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4896-259-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/4980-256-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download