d1d42ae515747b653368b66320ef68ad597b857dc915d1a823bac04be2c1772f

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 01:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
Size

806KB
MD5

964bb0b6a18636c25c6edf31eaa03370
SHA1

c7d1544d0d20c5b5a274bb89c0f96fbad7d79e2f
SHA256

d1d42ae515747b653368b66320ef68ad597b857dc915d1a823bac04be2c1772f
SHA512

677fd5f3c35b7cb3d7aa18adb7de7a44f67437cf76faaccef8949543f363393dfa7b3a73515e1aed3690bb73c80fb90f47edacd7d3482a5555f70b41ebfe2246
SSDEEP

12288:d3FJbk5jJ3mnHdSwM+iQfWGnMhl2cmh462mxqAubW73NXBZbk7wrnygFrQ7c:tuiNM+vZUl2c9628OW733i7cnyoe

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4012	alg.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
4216	fxssvc.exe
1224	elevation_service.exe
2232	elevation_service.exe
2440	maintenanceservice.exe
1232	msdtc.exe
1532	OSE.EXE
3708	PerceptionSimulationService.exe
3748	perfhost.exe
2300	locator.exe
3308	SensorDataService.exe
4348	snmptrap.exe
1396	spectrum.exe
4752	ssh-agent.exe
2148	TieringEngineService.exe
1216	AgentService.exe
4596	vds.exe
2812	vssvc.exe
4320	wbengine.exe
3084	WmiApSrv.exe
4576	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c3d4da2293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3a38847f8bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aeb1248f8bdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092fe2548f8bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7915647f8bdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026b87c47f8bdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092fe2548f8bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026af3648f8bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de260e48f8bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4d27b48f8bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe
1060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5076	964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
Token: SeAuditPrivilege	4216	fxssvc.exe
Token: SeRestorePrivilege	2148	TieringEngineService.exe
Token: SeManageVolumePrivilege	2148	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1216	AgentService.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeBackupPrivilege	4320	wbengine.exe
Token: SeRestorePrivilege	4320	wbengine.exe
Token: SeSecurityPrivilege	4320	wbengine.exe
Token: 33	4576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeDebugPrivilege	4012	alg.exe
Token: SeDebugPrivilege	4012	alg.exe
Token: SeDebugPrivilege	4012	alg.exe
Token: SeDebugPrivilege	1060	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 1508	4576	SearchIndexer.exe	111
PID 4576 wrote to memory of 1508	4576	SearchIndexer.exe	111
PID 4576 wrote to memory of 2400	4576	SearchIndexer.exe	112
PID 4576 wrote to memory of 2400	4576	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\964bb0b6a18636c25c6edf31eaa03370_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3292

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1232

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3308

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1396

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4252

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1508
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8c07b38e77dd76c176e0561568bb1553

SHA1
52affeb50ace9b3bb7b72216f9d2b06680670070

SHA256
2f4b5f5a3ebc3dae444420ae7b6b28daa26e83487620c93e2a2ceaef01a3bc1d

SHA512
4fe139b0072d3804e9ac48c188c16be583917fe66297774759c6f95f1af7581e288aa46e5c0a24d26f360f130e5d1301b9400f8e64d9aadc6e746130a1908b0f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c1a93bd5d65127612122117d698042ac

SHA1
5dcf724c125533b785ba1ff3a25fd435d7c740f6

SHA256
0c7fdb22603e5e441e39e74715b459e734e48ca80a0720cd4c02d8b34cde6c0b

SHA512
d7dc8b6eaf7b1b10c3dbdf98bac855ea67c2b49f4fb3f9cca1562381b4a58345898d4259429922dfec8f3740555fe1a8af25d85734929859d7dc18d67bad7869

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d300c6fa7040d6c48b0f3bada8bdd636

SHA1
8db8c73319d47ee12a536a431802d118586974e7

SHA256
aeddfab27fb6dc485d27c5c327534d2f2a0bd0a8adea2e15e0e219ba14b07f83

SHA512
25786316210b77d92674b81976addf0118605bd4d79ec3814d77363c0adce8739d81c7b096a2b90a3da634a9fe51fe747f37b13f0547692de3f2cd5c0b7968f4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d8e292a424343eb901bb32ef2a84f3f9

SHA1
56d1d6f9e3cf1511501162e1f1238318a979dd32

SHA256
9c77b618bc9b06f2fd62c6fc2fca4cdc0c6a9d901ce530f1950de3ed6ca532fe

SHA512
93f8e320b5598ea93f65ac20c28005aa9bbc8a17d2e4b2af3d89775453802926d14cf27fc052b068f8ead4270663e3f413b5b8a22fa24758d4146a57028ac81c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f01564039742f62b2bef01178c8d398a

SHA1
31e4e5bbaf9752fd69c9553df7c3cd844c60618a

SHA256
7267b99717c7b65f2b70bd30c12243f05e26bcc4d7225fc381b419645f5e9de7

SHA512
f70266328c5f0cdf24ea91b2b5276779b3e309b035c433f6d72573ce86436a0e66df180c6958efffa2ca98d8e8f7cf440f7daae85a37c528bc85ddafb518277e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
60820119f83fdedf2459238071fc302f

SHA1
69e05db72429921d801a557eb2f9c0d7e7a05db3

SHA256
d8c8ee0d60fd0c70634e6617a245afdc9dad41a7b81d54ba245bd3c569a6c3c4

SHA512
bce57347f01f513224688ab90a0ed8587910286e913cc4ec2fa326eaca7171670f4c05a92ce757ae5cb2de979510fe1c1c40604d8033da8911e81c0877f78406

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b3001ca0595478126d84ecdae32a8f5c

SHA1
fc7a2a4c61864baeb7dcaf176699201537877ad6

SHA256
d4b526104f1709adb4c5fd2faf2c9ed046058c323d3426cfb7be3989a693873f

SHA512
658ecdb1f2669567396dc91a0dbfce73689569f1a2d57a18f64acb37a133ffbe89edccf451f78f54fac996f3f33868340ab3441b122c846192cbef9cd65ecd70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c12fa9c5f8f32bfab4cb3db7687b746e

SHA1
55217945e5288dfb1c3636bd89e6ead8e43e2abe

SHA256
aa672d75a981edc92bad095ed7755b5aa5b2b5898bfbab9bf27b92bbc18c13b1

SHA512
8bb069e63e32d1109f1490000369a7b1b13007de7c36997f6e17620866815e20c4252540de986a8c7f22d9f223d1b7e7ebefa523ebdf13a6d1c5d6b1574c3571

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
47433ced93466e9bd1cf9252d4199996

SHA1
37b3a443eb60ae261d965041e9342c0dbfd941fb

SHA256
ea1f8620b5720aa011895c5a5d4056cb6fd227011313c8b519807edd0f2c98b8

SHA512
4c38842f4f511fc877c503df43474b6ffd6310a348d3a379f26f02c5500bcdcf8350c3d07df21ac2b56b6d7585fbe4eae0392a3b7c73c19bdae891314f18de63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fa231191073816ee97eec676589f37d3

SHA1
23d35195460ab397fb184472bba5755f6c2641d1

SHA256
e7c1cfcc8457588f762f8bd2b32bcae30d50f22795840a361dd26ad9be12b153

SHA512
b0dff0830790ae8eb618aff0c4b9c13117641b37b8b01f41283f1382114a5c61e2a58b31566e795bbbfce5a2ace1f6a33606b33b98e84343353160bb64edcd73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
aa25a92df07b144b2d566674d0a1c026

SHA1
21f90fa1cc820b04119458a3b44df3ea959990b7

SHA256
e9b807eadb549ecf37a019f3a5e6674ca85cb790a68d4fec878d57b9c3e9154b

SHA512
81d0fd63ffe02753f32a52aa18e0eb01a72d9170fed72d9dcdb5122436ff6962ace137d8ce4b02d6e2fcc499741ab4edd30758c004b87c14cc528e2d329abe2d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d1f946d9a1bf1c4db3720351caed6583

SHA1
5b3a44581c39b1a0d1dea86226ee73e9932214b8

SHA256
a22718323c7608a0d6bb2367a8e7d1c029417efe3b90f1e4c09defb107c11ed3

SHA512
2d7f316bc9190689da50bd7dd33e702b6c2a512c28f49db4b8a511c6b62f7538485517e4e43c42bc1817e35732ea6fc9474900c6ab97879725b88e1488aa49cd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2ba93bd131e3ca67af988d552637b5b9

SHA1
390ac72e143b8aeddb488d9fe63ef37b43c247cf

SHA256
87f985a49e8f576d4778b86c3941f9fb5491de0f6117b1de0a42c31b7c8d1cf3

SHA512
2ef028aa9a3ffcd398bb648648a17400ad163a1b2a90bd544d6d896cc4981351ff3a8d4b90e6a0f4d2068723ab2205ca02d32367a010691ba0dd285725555814

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3004ded431f743879d89126335a63e4d

SHA1
be2e2e251a566bb1294fcb8bea8dcb673f044518

SHA256
c2bbca183785dc4910f7984ac884ff827528dcbdaf525e3bebcaa94dd4c0a1af

SHA512
1e77e12e75f2a35acb38c9f16819dba1048cda7a27f8d87cab42222692ca4614bf0f065f0d754d50fbce10b768aadd165b540007677b2b479c721ba57c5f3225

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f24795934b0fd017dfcbb825008a08ae

SHA1
a9d77ecd19d3b9ee94a086ec6e5e931872d66127

SHA256
6431eab60cdb31bec64dd968998a5d791c759cae346d154a0a33fec35eee736c

SHA512
be2ac3aa46ae06fe54327218f78d34bb3e667dbfa6ae2bbe27c563540f92ca9052c18f1ea40fb6645066506252777eeb9a927bdc8b1ca7051ed082b58339dfc8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c3a08a5d14e5696d11513ca05e003638

SHA1
61724f2d4fe046bd583287641d78b4819f7f9e1e

SHA256
7d291da121c80bb004f1b58974181222ab7ab4e1d172ab34f98d3ff22e60cb81

SHA512
380b270a6b8710975d252c0033eedeca2a2e176a830d750ae00b134f23efb0904f3ba871e8e935ef62174b04bd225ab48dbcb4f573c75dc97abd8e1fe4467ddf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a6749909625210da9f21d4b19e89af2e

SHA1
b0a966c9dda8fdfca4ec0a395dc6364841586307

SHA256
ae360fe5187c33d9157f84782f4f71de53bf0ca455b0e0402968120197e0b6b3

SHA512
d38aae7bef37efae375438d0cfcef1f910d1b36a9c1110f4688ba86559ae299ad840b19180cc78b437a8c8673ffbc177e5f07ec1ec9cc960be0f044e1648cda2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
084a2588d4fa963b9cbbafd4cfc0fab8

SHA1
79b938490b19a9b022713f23ad81c1c5be5ba973

SHA256
e8529cad813121b9dc7bcc58c92d3b0f5fb146a7a641405179daee9b680582b9

SHA512
cbbe0d3a69f14255527b6c06b520bd74008afb18b1dd322829fd9b99fe7951c1bb30d7894368597421f6b0dddfe2b2ac5307840692d69e8cdc9b57998179765a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
079e8f668a4ca90b884d163524a40f73

SHA1
d17233968475523334f377b13eca6d8f78b089a1

SHA256
db9809efeee6d6ae7343530b93a4f742fb45f4ff0be606d2b4e96035f396f0d9

SHA512
0ca5d86af6bee5b5c50aea10ba1e1cc700ec76439dd3490bfe59215aea0478f2263ba91c5d041281487142db7ec028ace046b54a200542d55324f6b24fb30400

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
985f10db3076d2afb72b4d721f0b4719

SHA1
3c8fb1c63410ffe7b39a39f962d87f450fe96138

SHA256
91a6bc2bd08345efaac5040405a5f5eae829dd72e41fe86910f71a0f45f39ba0

SHA512
42b42c4fc0293cf233cc7d7ed066e6e2e90f7b43a6e1d82e9c68422e858851fb2d2d1ab6bb353954b9509f2cb9524cde4a1cda997e06df677a606b5bfbacd1ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3d80c6830074dd60882c37923d86b021

SHA1
9fb97f08c23e2ce334b0c3e22f1bcc0471669a17

SHA256
2f4a53ba40b152b0a01c50a5f75ad1a091ec9c37fb44371dc7b9c18749781f33

SHA512
4bf5ff9aaccd09d4c029dec7a858cd84c9a4f0493ddb49a661fcf0e4d7a31a8067dc0fad6161fd5bb2df126a748feb5ded4bbe8f26d50e1366e547f36272c662

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0e8dbb449e0556b04416e9dc9a30990f

SHA1
7b69107a2d5bab5eb6006015888188440edf3eb5

SHA256
61f1b077a9b1c48bc4d89b59af1418079860e40e02d6dde127c5a6353753bc62

SHA512
9eab7ccef47d9432504409fcc87313ce06764744aaa50d7e423a1947f8424451f64c2fdece57922ad20b59bf945144b50aef0409ac1d7c38d03564ed959d3e71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
787fcc8015eb704fe11625f170ae984e

SHA1
e37c34369c6148f6084ded013437bdc370f6c74b

SHA256
1bea443631946654d25bd35a98d76c157ba2c12bc5e8a28f4084465a9b5ecde6

SHA512
2a763d49d9d0d7a43b5aa45371b17931141ae59d5cf4d11585c101c8369f4edb62194bdc508649413d2b1c6da229e4853403979b4b71930752b927b34a12a417

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1f881545e64bab0069c02244b8c359bc

SHA1
e553b8937e441dfc934b334c95663df8cb71e182

SHA256
a9b20df1188f61c4bc87b8fa3279ca2b4f66c222e4e78fb11e86934e1ce4cb88

SHA512
0a4f56356fa34fc29b7b941ae3f99a52ed099c0253b91c0c0a3bf8511fa48890be3ba999fffb6378463f5a11ec3c559c5d4fe32003afe9efeea19b8ea1607533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
93c5420ec476b93db286b49974034f92

SHA1
e71d9fa9ec6832072e03223ce91fced68e20c106

SHA256
6869f1c810477a4c21954bacad8cbd39d000f412886588fe65c9be7a841a405d

SHA512
63636df515b0b10b20dd1c4839e45dfd3f4c5c49355bbce91b0958c5e7509539025b0ec55a68bef419dce28d1a562074200beeb73a59205898d39ee4e31e9133

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e0a6ba87951879050cc57c80d851d122

SHA1
38de00cd892d7d1ab57a80e824d5bb591e1bcaa3

SHA256
eb3d5587e3d430df6bea5d8d443fb8e30bf667f6822dc4d87ecdd2fa72ea8efd

SHA512
a449f73c565e300fc5a3d37d6594098ae042a40219553dcb649ad9fa264a824ad621b2101530260db9c0edac0721665859a7fab49289aa2b5ea1e948c8318de2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e88a5ccbed2fd4f80afc9f69e4d8938d

SHA1
8b9e83d7939ea30fc1d02d4ff5342407262c14fd

SHA256
c1cab511a96d91322d4604d612f6496aff85e227616fefac3d80e396597c989e

SHA512
8807a487a4392ff3f8ef195bd51123c3e8ca930feb8f325308ca80a6cbeb42582940c3355e22a8892b4d2c47d2ad482b937ac96e916fab2652f33e97ad4ac13c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6d887dbe332447f29456afded36120be

SHA1
e465d86f76af1c1a7f8f94cb969fc05568e63ec2

SHA256
ef98e23bcf615140a69b5ee8f68b8f2db8f0f759ae36b9859e96d6f08832c417

SHA512
4a8f4e489e8b880d68293adee04d74eb12935a8f66a7e2bc633723e459f907bec8a4a7036e5d9faadc2089a4e0c391fe1d05a78e7c749c9917c1cf86416cb159

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6435d9a5fccba499362340f2d98245c8

SHA1
3971227a9ed1dd10f308dd8500903fc41c68abdf

SHA256
74e911ad84a22fada32030d95810123c948230604d792e01d1c4a6a28a0dc97f

SHA512
a89f644a77a0861adfc3e2b1c57b478d89cd0dcd1f524c5d5c1f03132d20345b4a1227d2ecc4a0bdc7b8830954f756319b5be237db546403d3921afb81a7f96e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
519b55f9e475a149ac16379af355abd6

SHA1
2c2c53172031ffb869b6f6fb499fb8bea1db7137

SHA256
b4669e056b3627e45743f7baae2b7c16f914f9e9bf2364b658fa42d1a25830f1

SHA512
d60970b9a3a0d6ea830b4e243e52639342d3cc556cba4338a1ebe284fb441fa89f78e59adc2c77482de3ad67965dd6941794608dd8b67ba2ecccf33111cf8fcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9a80a34a462cf7b851e87c3e9ec5ee27

SHA1
8606beebef8507e30bd14fbbb3aaa0c8a862a809

SHA256
42d595e0612790a41dc3e7334464770e0b5d3494f12a43bd8c6883eb914a2889

SHA512
424e717abddc91c13b1137c9fbdafef20967a161158edbd335396600d36012e7d3758d3c20627ae06b412ec32651bb93ee0acba6dafd889e92e84e480a3ee829

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c55a69ddb712f55d91b167b9fcf8cd09

SHA1
085e17b53405a84a63157b4062fa6d1bc232fee0

SHA256
b85e69fc8d4a75ceb4c94c46abbc0fb35b10ea3c7a1613133f832c1c588b5fcf

SHA512
c83f52493e2558dbef86e5a5f745b2de6400d2310dc7b8fd92469836c16c9725021d795c6ef2b77133533366162c7e38e6b5e6a88f9fede4ca626f206c436dcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8442467885689d01f234454dd6b1957a

SHA1
88aa41a091711b93d87b4035f1366ff207a6e358

SHA256
582be81edd558c5da007b01f52d27f45b487f3f21585ab70533f9c130e477605

SHA512
b194829849750a2532c59ede2b8845a71a67af37625d2d039b8c422f37ffc3d955d833b9a3e689cd43889885a164cf19e293d9440244ef3d6d10e4673e52b18a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
790e951fd712758066ce246ba1737563

SHA1
e37253d76bf6955b0bede021ac70673719f63249

SHA256
9d46978f5d583010b454798bb10dea1e0e75ce9ecb1023816eed2e3c856d443d

SHA512
84900b59aee730eb42fd1dfcd2dc6e914f10e26e0d93881374b57001373ed5f2aeede8442220ce871bd26874daeebf64a3551220b1979bf41ab5adaf133447f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f48834b43d1425479e093f5b16a2240c

SHA1
9a0bb07900af2680a89e9ef64ebc9761803d5a81

SHA256
d858128291c4565f1cacd31f0dd3c7e74bd3bb2cb82e1ab0ac4c190d837ed621

SHA512
03a934eb2fbd78f8e7f5ba9c7ee50036eb1fd1f727cad671685a2c0b78148d2422ce892fd8a19a2b63b2a48b2ad37e23432edfbe4c9c22071e21b372a3103449

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
aa3fb6b79de6624dd633fbb1f1f20550

SHA1
23927f088de5b48f3c40dfd52cb65fdeed89caa3

SHA256
59e4052efc63a9ab1b02e6e31200c49d14722238c735118a24ee2ed711d46157

SHA512
0cb10e672147946c0c3222e784ae3ce7a4b1254c87d5f3f7cb47f1dc73157fad7b3f8abe273887dd89c1c295d57e1cf64a7912635d84acf6ed2b1b807571ad36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
2d12bda14b487c6c07a5f63addad63da

SHA1
2c164788515009e7f41fad1c113fe5439feff8f4

SHA256
1a9d41292bcd7003083ea600080244c000ede6ee3ab3b9d57f038739b1de5dbe

SHA512
8f3fa2b3e519d5478cc43e339a98e620849ffcafafb49815ca17d2e7657f91a6ef1a75436f57654b3e1627fe517314743f8e583800977fdf88d37e81ce608834

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
210bbe9d5682ae39e1f8e2b41249c28f

SHA1
8197b35936a12083dfd13e15df9881f1753f9f28

SHA256
59882f72af1830380afea41dfbf2cef2e1847cf22730ce4b7913c0d2a15d5fab

SHA512
59678a7f968178aa61f25d292c9285256ad778609c0b7c06aa23a65eff8aa72babf2716008fc5dc79b7c4a8659c106a520b24bdcd6db3c8047bbbe1844a10edc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
883a2c88f51c2c221856908651fbed2d

SHA1
2e7a46935c18c7ae15e2730ca2dd83c523b90701

SHA256
1e136a82b9ed037ce0b7bf47b9e6f85105b131590493e958a5f25bbda8fccb33

SHA512
382ad885b73e95cd735b877ff130bab017b6fe8de16296005b656387b03baa676cc2ec9c3071b21f5186c717acc4dc7552c7cdd6087a7dd50c01f81708180278

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6283441d1b92b81ccc8069fac51dc1d6

SHA1
98de1955ce8dc08a3dd768e7558029fc58cebe64

SHA256
b629fcadf8f3c87b0fc0ee99326851f6ea20a81591cb1e27ba0f08bb3b4fd0b2

SHA512
84d2ada3ac7b22476d0de25eafd1f1b62e8f8d7cee88b5cd39505ef04c95a4fb8d469296c88af5bc6d5a62f566bf3b5392039a257b730bebeb6e77bb45b6c50e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b81196211550bbe154fc054a41be1150

SHA1
65961bee6928ac97ee38b37741519795567f7787

SHA256
d5278efa3b2bdf3d2505fb105c506f65171bc02fb3950354aafbf75ff8b421cf

SHA512
67ee19c32dc2546f5d5cb249c4619579fe8dcd732918cf0c0c67d6d574b0407e2ecda8f456c6a5bea03014ca087962512776916654b8a83024c758d71b2dcbb6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
311df2c3cb4fb59b2098f56f06c4273c

SHA1
9d1598bf7f4c01798981e08859a30766d05a2427

SHA256
54d0b6d61557ba543a530ad1010f83d54bbaeaee3110bf01beb7701b593cb0e0

SHA512
5bf52ecbb8302bfe28f58073dfb1021dfdea16824db167cddd3b082c108662f8f97772859634e7dc2413eae01a5c918362cecc97e3c576022939b69c5e4a41f1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5c946a628724d0355ab99fd6767b2e73

SHA1
48d5680b41bedebd89d73934f86b3476c3acefad

SHA256
05ed271a4b0b8b3bbad4870db3b4f92cedb2ea582e03dc853aeae5f54f01491c

SHA512
24bd80c7d3a94b4a6ba5ba5f9ee43aca5ccfb6b23f55c240dc40e89e1956bce85607d287aa0cdf1a49047d3e35f984c4f1b5606e4a0c7e3fa54a0dac37fd836a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1d6bd135c13cf5fd8ab7f6a0d59dec66

SHA1
f1a6254a50318879f9a381ad82f7d9d2f96c09c4

SHA256
a049c16a6e88fedead2fb9e75270e5bcce01429726f8e8914177ba30f431ce4f

SHA512
825ae56dd438ef4d6924b3f71a91b13910b4dccdecc181ed7711671993b3776c55244f96f8ffe7fb9cd780cf1594286cf8ebb9ea7868e8b0c95c3b203b35fe7e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e7449ad8040b13e68d795083dbf09a11

SHA1
9ae0ee09fb77ecbe718d20e2777e367483ea8435

SHA256
c7e7e496f839c1e787984edec3ad6a7d66a29a0a36d98f8d1f91a21d356c0333

SHA512
2c55141aa67060eb6f4c39ff974f7b438fd3f69488a003fa613c0a8ce6402c6206e6925a7f2d7536cc452f905bacc872c5de09ae64d73380abb86957b1564d28

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7a344b5b253841213a46dc3a634903de

SHA1
16d74f45d494d6e9949b7ff84fa3a146caf9d759

SHA256
d9ffbfc6f42b0109cb02ba7065b12358fd0bef28a7e0bd6c06b6cc1701c684c6

SHA512
1cf9f5974c1c5ff05fb9fd778d4d0ebab01aba730089a2d363e2b9bc70d773c5bc3dd32f8e190b0ecfe27c96fc9861aa9882472b4c378b48e8d7b9025609091d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
eb563fd7ef47d3c1307271f616256bd8

SHA1
7751b288be23837f3ed05bbb56ff586792d4a314

SHA256
88d04d24563c69cc996c3ee01f64c4d07bdee9fdee911388065c4d6c983e2967

SHA512
ce9036b7fffb0bdfc85f81e42ecacf941a67b8b5de7b948029650bbd8303aa729f265d81028be7369f096a3247f54b120fda82eee7080ffb08f8ce7abc8881ec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f546f3ca7eec92163700b1ed89bdde35

SHA1
05e0358e017ea3303c760ec8fa234b7e2c9f8eea

SHA256
4e0caa86a9e4d60596c66cc74af604888cedf1715d3538bdd87782818d36721c

SHA512
e7323f653d5bf1736ea0c5e0328f0081878f2b869d0bd0e7f0dc9e502aa405f806938e702b01d4d0d0441c12ee59538d43cdae6fdba4c03fc59db2040a9dc909

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
12b0c36287ba0b97a98c99162f6c3a8b

SHA1
03b3d1483b1a6bf5aa00bdda2046d17f27d0cf90

SHA256
fd4e190874bb9f8a4fe2ee784e61bf99e9257879d7de95df2a7513a6d1105a0f

SHA512
f3210565bfc19d39eb1da6298f63de9f01396e4739b393f285fce76be0e56a99fcadc76e4cfc09bcb33dab4b9b0e788e93d12c12a5c54c01e14e851d27161b3c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9cbf86d308be9d8fffbbba8d0a6c8dc7

SHA1
ef91fdbc09a51f510966d287eb16758722d13a2a

SHA256
3fbaebbd168f9973e69cbe6f034b7110dcfdda069b669ad1127dc7b73f037c70

SHA512
56a6a347ee888bab7261836274712c7990c33c6ca9061d7d99bcfed2cf3b54dc5bfaf4a660021dd049df920375368558e650b1487643369a4bcf9a252aee00a9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7eb8c9cc48e01ee283a697400f05458c

SHA1
d0e55f72a1ba65a65fe250861d4591b97c12ed85

SHA256
4a5c633e0207b91b6cd86b8ce120889fab285e01256ab062bbf492b139e27242

SHA512
3ff600a35572a3590cc0e5db1b4eda16162a86e94ddfa19069d6c3a0b427de4be9072cb18e179786256c9f25112d31e5f6bf51719e2d20863c3475511a047a36

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5069dfba824bd986068c7115644968c2

SHA1
94d4e24b8e7d8ab35723b491d042a46d5b6df5d1

SHA256
c1588c3c09dcad8bb99bc3dcd720fe96d49211e28eaab53560ae2bb663bc5a65

SHA512
56c12ceb9c60cdda857865506d308e66c319bb97f3c7599e7c7ce5f4ab74e6d73f8768ef2dee241223a5472b060298b48e25d6ee782dbe6ccfe07ae1769dcc87

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
33cedaa4adb84031b0f2a57f46faa435

SHA1
77b7a4019c504de72f01962d5835ceda740d1622

SHA256
1a0ccf91b4f59390658550e16ac1840e67d5036e1ed74a9442a4449c595e8afe

SHA512
f5b9cb14c0e7db1ebe58a3bf056c0121b83332fd6a250459ac1a47fb15ebbc72f88bc7c48e187faeec3606654af34b02bac070ea9369b83cb3dec9b1591fb39c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5872ebe85631c45aee998598b6f16aef

SHA1
039dc2985aeab18aa9bb10c02ef3fd46da50f1af

SHA256
ff974fa2202a5e1ae141a4c6075951e83af5c1194bf03db1a4b1bb437b956798

SHA512
733a4c43128870451b2d01c5580e1aa21e47d1994981a1b6bf7470b160b13ee4abe9dcbc91a1d2ee1b282ef740279244858ffe77cfcc5abef06c096b5465d317

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
13dbc2a6ecaf2fb25b852ad52a3e25c0

SHA1
2148c0d767f74446f0308df9564dd4ade56e2db8

SHA256
75efc8e47f3eaba5ab9f1b38cc03647489c255433fa19e5400bc57843c0d8e48

SHA512
d9b9b1f7b9b7b9016ff4e50906069bc14e3912782c909c0e8ab8ce8c6f2f67cd6d8c8ba13c91404af3bea7a88b3ea62104f4024e3c953ffe753c4f7691d54527

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b49d62cbe0c4bc41d3b6b2780defcfe8

SHA1
dc3f32c9c8d976686ece226676ff8c5acb40c3d1

SHA256
8be3e29f734db2e7d1df7f575121265ceae2bffee748156f91f9d29e54471609

SHA512
7b71575ca0b5361c20ea33cbaadc2d2bc3a7c66e8ac8cd8c50e7bcaf1ac20e871c3f2301fa0bcb3bcdf343023fab55436321f03d599b267454b34bbab11968f9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d2eb23b3676a6e32faca23a6a5f7779d

SHA1
5a8c0bae8906b07e5e4370ab17289157fb669b60

SHA256
9c109d822eedacfd7e0d042ccc3c9c96e06cac14ad1cc86661abae3097ae44de

SHA512
47837d1c99d88cfeea6a4f1eaa49b3c283ed61302a9e71a315be1b226267aa9c8c16ce6e12b87217dd4b55dcc0a090ea76e3dba7423f94b2d4fde16df8db3964

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9c9b30a22c78c8b57756271863373ff9

SHA1
3ffc4a49c9f82c5dd153858d67e661664b656ba4

SHA256
34811b829bdc2f7d77cecaba270b81adbcdde6acda3e4a74857a8781078cf104

SHA512
851fb6e5407bb94edad656dc07fd401521f8608094d699c2ec954116ace4601be704ab1492674253a0ce2b3e53049cfde04cac0a1d8a127d561a708c7cf76ad3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
77a0ecc5d066c6d0c034cd9335a970d0

SHA1
46cece0a11d04a8b90ab54c81a67e13a1091a388

SHA256
cdc693a4e093b047e3e929caf753762026def7d1dacf194e4257f8c7965b84a9

SHA512
897e8a4fbfbe4121a1bb41107b9486a8454fef7a81b6b90efca3787c0c9597f1ff1343961f63c041f7c00183fe474a8b267836882605625e5b7c7cc9b6428470

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
eb0559ffa8340ef174b36815ad04e9ea

SHA1
cde34b461d18b873c9bac820609bf0ef30cd878e

SHA256
e71c291e377af55e92997cd68a1c05ee7d05533a4c89e79540eb7be4ba03c3d0

SHA512
a0dd51e3491db70863c985253d9318579658978f1b6651766299c7c4eac9e741f5f535f5f12cb127941b4abd1d027c3aa4d93b6a2a995b76488d253e81f23582

Download Submit
memory/1060-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1060-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1060-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1060-154-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1216-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1216-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1224-217-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1224-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1224-56-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1224-50-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1232-93-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1232-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1232-87-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1396-508-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1396-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1532-265-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1532-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2148-559-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2148-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2232-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2232-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2232-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2232-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2300-157-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2440-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2440-161-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2440-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2440-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2812-560-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2812-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3084-564-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3084-266-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3308-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3308-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3308-558-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3708-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3748-156-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4012-13-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4012-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4012-21-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4012-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4216-48-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4216-63-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4216-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4216-39-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4216-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4320-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4320-563-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4348-484-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4348-172-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4576-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4576-565-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4596-242-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4752-553-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4752-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5076-512-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/5076-6-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5076-513-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5076-10-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/5076-0-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download