612c96daffde5b3af6caf328a7ff0faf511212e679bdbf40321e02fd42197ae1

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
Size

1.2MB
MD5

5c54decdc0701f5662819eb5d36a0aa0
SHA1

224fd20fc4e5e4224bfa9b2234d9968cb167dd22
SHA256

612c96daffde5b3af6caf328a7ff0faf511212e679bdbf40321e02fd42197ae1
SHA512

5f86a8b38b1ef54878d5246a1e05543c3cab12ecf20f2587c3e1bd789125318f898d424349119d69d49be1ec01743bed4ea0ba2d82c422c988740b6a61cc2837
SSDEEP

12288:+BS4u0SAsPqQtf/jQMIJzo6LdE5LWrUJEB:0S4oNjfLQMwM6LdsWrH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4332	alg.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
752	fxssvc.exe
624	elevation_service.exe
2844	elevation_service.exe
1136	maintenanceservice.exe
1052	msdtc.exe
4928	OSE.EXE
1288	PerceptionSimulationService.exe
1124	perfhost.exe
2172	locator.exe
3764	SensorDataService.exe
2540	snmptrap.exe
4464	spectrum.exe
4020	ssh-agent.exe
4408	TieringEngineService.exe
3340	AgentService.exe
1756	vds.exe
2180	vssvc.exe
5100	wbengine.exe
4444	WmiApSrv.exe
2200	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8f235be9c8648821.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d502f8d11ca2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff6057d21ca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c66dbd11ca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006df3a6d11ca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d04d9d11ca2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e74c63d21ca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000492878d01ca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e6292d01ca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
4820	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3388	5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
Token: SeAuditPrivilege	752	fxssvc.exe
Token: SeRestorePrivilege	4408	TieringEngineService.exe
Token: SeManageVolumePrivilege	4408	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3340	AgentService.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe
Token: SeBackupPrivilege	5100	wbengine.exe
Token: SeRestorePrivilege	5100	wbengine.exe
Token: SeSecurityPrivilege	5100	wbengine.exe
Token: 33	2200	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2200	SearchIndexer.exe
Token: SeDebugPrivilege	4332	alg.exe
Token: SeDebugPrivilege	4332	alg.exe
Token: SeDebugPrivilege	4332	alg.exe
Token: SeDebugPrivilege	4820	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2508	2200	SearchIndexer.exe	111
PID 2200 wrote to memory of 2508	2200	SearchIndexer.exe	111
PID 2200 wrote to memory of 3028	2200	SearchIndexer.exe	112
PID 2200 wrote to memory of 3028	2200	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c54decdc0701f5662819eb5d36a0aa0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4328

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2844

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1052

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3764

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4464

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:432

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2508
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
36d452f64eed6efa7a6a2a18b3b469da

SHA1
05442ad55273ef2e096010d87816355d94cbd9fa

SHA256
fb2e294038ca90c8329962d7daa70e4c430f2b7f6b42f0fd720fb836ccda5952

SHA512
cc4a4475340669a15559f7a2183927289619446db75b4e64e8a3694fc29e6ca39962ec953297ad383b768ed780924aa02f1534a765b871792cc702079d2a41c0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a4d453335aba313c8805ddc43a79abd8

SHA1
d4ce134ec9359a36c6dbf87c1c93945d68fb7db4

SHA256
2275ca4f57d9ea5b6fe5bd6011cf8196745b520541a77411dd2518a183bcc009

SHA512
1ae2a24156bf35a9f60c3b6e13a75002749a9f33ed924dca1340464007ed6c3e878c82d10fd9cf00b74655774af64188b2a4be4e3003e20d837eae628e70e6b9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0cd8fb0a556660dabbdbd4fd5aad9b8c

SHA1
150ccfc3115c5a233ab5a7ffc8bf1630276ce573

SHA256
906cf2b93c0b8e7fe5c3a4b2be1596f7f0e6d19f6002733843deb104759e1666

SHA512
a32b1d12d746065bf6c2bc48d8dd9bfa350daba2205cda0776f406fc36236e1a17ba17a278fc8647fd7fb4a19cd6c095844b2f111c89ea294c4aa2f2c8b84a9f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3f7d7a85306f9cb1e3c4d1ad611c1a33

SHA1
7425bef5d31cc586b48045764ecd4839021857ff

SHA256
3ee48b5b9b86615dcc84df4e64545711b352f78370feb5f4a82e1ea210e022d0

SHA512
45688572fc278dbbcbfbe2255376ea8bf1f44eefd6faab7f0750c81b9a637a272e67929f34e6ff95fcdafd055b7d09921982ea8e99f0684df33ba6e1a1c75d22

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
44fdd588801a80acc02952ed071e0cf1

SHA1
946985666dcd08d28b56ddcf4c02892479a8e29f

SHA256
ff6343b50f7d1448b8d3be8f14206a5e146da23c1216763db0b42d8436714e68

SHA512
874280476e70534cbc29ad0eac2284234844dfbb60e5a1ab976fbf3306b348204f6c324c638d0e3d3e53c6c3e4168cb9b9439baddbe0370c1942ddc38090196e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d6af12d5758283bd861b2c2cb1af28b5

SHA1
96fc8259fb1a96769834eb73dbef5f93cc8394b8

SHA256
07d4cd57924d5401e1cc7ea7fa4b1536d9f11f979c1cbda2627e4d3b93fbc0fe

SHA512
71e50cd1e1fe516afae146f12140b5e506a01ba2e446769dd010c04821dd5c8eee9e9bc49b2a2d530c988510e99feeff4dead6fbd9cb01335cab96db63259da0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
bf789ec66ffb1ecf4a747df67a7ede65

SHA1
bad753fe878994ffbc2896cbf75cac480fecdc48

SHA256
838567936583b4698a62419510ed392be42ec7abb121f88e0a10dc8cbc47292a

SHA512
29a918fcda91202bc6ddf7bb9ead5bbe3c6ba96bd0d421e6e0d8f56fb92268d3590ed30e3a7be835f96259c1a206dc3f3dd28bc8310dc1ef2590b7add1a067c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b9caa6d432fa39563d90cb535bb2c942

SHA1
feca1b73ace516d50319ec70640599bf6e6ab827

SHA256
afc454a636c8a0a50b4eaeda1aa49666b2b1f053b14a993813579c3567fdb512

SHA512
bac3ea12f011ea163c3b6e9657caa2e92b5ecd1781649b649814aaf1fe7700d9caf9fa5bb67f26463d46f895ee46ac98e876ac28b3e90626a1abb1f65583b27d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9cd7645821cea57f14684384eb70cfe5

SHA1
9835ca582ee214417662432187b3e8e6f7e77984

SHA256
ad4217bc64bf475949648633c0e6be628d581cd42628c480a420504be00a6611

SHA512
9cb1ff12490524291df94795a9c67690b19ca3073d6ab84d2fbfc1788e3609fac64eb9c18f2baed1e059dd68cc0afa321b55181b63ef80ebd3a79b8ab4b85c93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1105289d9989adf030d2ed254201407f

SHA1
14f4bcbb53a1db0fdff2b4aec124bc66d38a7613

SHA256
8a23d4a50a953fa90817c4b58439d4b4261f48cefe0ba2e6369111d8c84230bd

SHA512
0e3df2ad1f1751d58e5186f323f2358fa93464ee14b1853a56365fba3a8c0b91bea022554c328675e66e7371db5cc2d40f9f99b222d824490c53699942db5887

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc0e19b532668d481485756735c69ab9

SHA1
4a3195158cd6a67a6b0a5d61a6bc72a5108a3cd5

SHA256
4e53dcc9ce080de19a74646c2a513ce8969567ba089c9d6ff208c2c58603d3ee

SHA512
3adb1573d48a627813959bbc65e2e3cee2fa5ef4526e20ddd365ef204c873386363032d1770a84e03d99d95315bf941426a24a2813268767c2a9013020654944

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ded671c99c9083218aafa17549dd51da

SHA1
75bbeed59181e18e3bf9985b9fd4a90b459cfa4e

SHA256
8038f68473448fad747e4cd7cf0d8e3b705173d95b28468fcdef4058f0e7a160

SHA512
679230a07a66888ca2a84ea4d7c51d7911a57f3674880dbcea5947c913ac03eb3c509ad94837066c6dfa4d2c86dab8d2a5d25c35f39e1e0be0d73b95654a0259

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a0102f56a8e53e450783ff8d9a11b4e2

SHA1
f720b3879ce977c6c703a6bb8dbee18043db2963

SHA256
37958769a789537fd031212d4b555a6390110200f624dd1b6b639b951a7e8207

SHA512
4177896747e9baf316862ecef70bf0a2e7235e3e5ebd2ca99c442f6f3336197bee73c9c24d266bafc1678972641a12f9892d5fad1984c1e78e786062cd06b3e1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
99e66fa8d66328b9464c5d538e552f36

SHA1
0d2c4576c24f28a250a95fe621f9197164515196

SHA256
6a912992d450a43986782bda2193777f5347e597e0a3029acd823b3f7b2d1dce

SHA512
0e5b8d8a51c715cfc7779c52f95f0756c1390bfa81e1ae0aa6e535f140f19e8e236ca9acebcdd79de217c170f96169121a193dd659710e09ce49d44fda0a86d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
893d99cdf0af175a61aadacd43f447c3

SHA1
44c046dd4f365a2c6cd904206d4177e8023d8c1e

SHA256
3618f71589588336b172484d5d3ae8ecd379f28a121836ac6ba55f11ca078799

SHA512
379e299733cd8ef663f8d2034bb4a6f16325d1b650e8a0ef1673c7ce2020ba5cebf43ff6b0e0ffc80f3217c571167fce5afa1657f925f54637f9a4a740bfb80f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
55c647650f3dda758ceeff48b01f522f

SHA1
b04b65fc40b51e110923bf7a434c94a203204db2

SHA256
ee83019775adf1acff42cae97fb10b20a7b398ed1623d39ee5822682d2b3af27

SHA512
75d892bd23a9704b3a91728d460df773939b17cc6249699e7113f05c1d85f6f66be94c50d83c41848632be4ba697f3d4505a3985ec5ccc69f800d0718063cc67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3a2dbad4f803a1f3c0cc590c21795106

SHA1
d34a94326df6cd6c9e3cb0deb0a17c56fc5afb5d

SHA256
4087368f928a93fa672393c870cbbfa3d02c54da6ebe639dad4d02d46b23de4f

SHA512
a45315af5347e89d67982c02a78a149f98cee9f15e81e3169e818fd6ba1734c42d0d381dabd8b731a93eb66f9bbefc4499c0971712e81802609d05d2a8a0786d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
342c9fe5cc47251bba35f1f4fe561442

SHA1
b8e8a428ab3b14cfaa540ac14cbdb1e3ca96753e

SHA256
f00b9ff1d15f47c90b61dea36971d964322ce8d02a9e647b7c94acc1cd92360c

SHA512
6d469604c2d17195ac813ff3e8a3b3b9458670c971ac8bf4aa20907d0a55e6942f1ef8539f01196700863ed5fbef783292510818249862eac53598b2434c2236

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9b2ac0ef5aabd6d5d97ca56ee57e3db1

SHA1
4eca83186ac7428b1d4505370691184d687d4f34

SHA256
72b566124bbfef3dd98aa47cf9bac3a589e959faac4b32cdaa2b9977d2ceb2b0

SHA512
778b3a3c5b27fb27f88d5d6f0333d9420396992e0b15dbb67f137eb3512f7fe1ebd9ff0bba24d05959c900aab555b345f30e73d1cf20d1419ad4d8e6f719fd2f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
00d0b5ea3893720548a93326ba17d83b

SHA1
9f360c36ec39af039c1356a6f3050ddfe92faa5b

SHA256
7587112ef3ac5f73c28533914321341b08ebd18275ad3d1c4f46588fd84ce7bb

SHA512
9b431aaeead9df88c18fa66dcde82c1978dd9d1744a96b086adb9dc5202b53bf6332b5f3b78a4ff1286f0fe23af5ae7323818e13c43af681afafc4fcc471fb99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7f13562b8991e8212f56c6c49315a2c6

SHA1
fead90df35340f512c9863dbd2e0c5bf787efce5

SHA256
5e086dab13af1fefe218ee4dbc77e817273c359b94eec47e8b26286fe44aea04

SHA512
476dadd7c6eb78e9b9f0f063bdcb2d1a330b1022f8953b2fc01ad75d120c5ea0644282a37f81f104361a9dab3b1aaa3cfaf14770390e51e5e2678857872fc737

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
715e4402b9e6c5df1545bd9ce18a2649

SHA1
014fd82a08866d6c265731683375906614cbc902

SHA256
945439a39d64cc035d2a3b278d86d24f565e1fda046b765425194a7491f949c5

SHA512
fb31708828e9a3c4bd17ecabcac16e7db834816b49a5eabdfae2e1128d0ceeefab18c5e847038f9bc16c640d83c5af07ff237ea7ea02a8ba8d3650f3e3ec327b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7a3352d0678d738fe51e58a196312cda

SHA1
f2f8f49fd12b8231bd27db3d47ee9fc92ab05c8c

SHA256
7ceb2f063add5d5357c442b5be32f9c1b7558b136a470bbc33b73ecc352a8397

SHA512
33bef3d802c69f10026bf4e520daf5791608607206cee59259c83d4171c86a28b0c533624f4073835e481f260db6f6abf9054a7281cf8142a9145eb58f06d273

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
a1d0b848efea085020c046d872d02d23

SHA1
700fdc0593a3cc281131672cac3c24b6009f3c67

SHA256
eb0a000a04539fb6e3452a21e5f6b07c7c203e322cc3ec5abb5fff90bc3be705

SHA512
77b4475100918251d9b2a5cf37ca45d725b4db741bc6227ab65ddb8e03c8cfb4a736fd373681bbeb24ac9af627e37cb18dedf4fb709d412a58fd4a14c1d59616

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
9762a7ff8803f7f0cc2da5cfc136c327

SHA1
182c078bdf8e3e3dde798843ed91ae04de39da3d

SHA256
ff36f840400d4a54a3a6720a31d31cec1f27585f1e0c94a5f7f3540b0372ef46

SHA512
f9c932046dfef4dee841dcbc31bdf3d94033854b44870478949682ca68f4a9c97577dc9f7d2cb852e24e3398de5c9875a4e18cdd50387f6d5717727436e5ea7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
28fd1335b24f1facdfbe177b62f3010d

SHA1
c082ff09fc6aa6878cadb3948a0a7fba1de661d1

SHA256
57288c45f87691bc8559d26e8f3214cf9df222ca828af7fdf75908413c8597ad

SHA512
bf0dc1926bd118a0e4e0091fb14e994c9f716a4cd11be4c236cd5b4bf60dc31673c9ced0d31920574608a33cf545be9f9fa9af85b8009944a040f0cfe79f7820

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
47f9362cbcf08e0e94c29b21f09468ea

SHA1
61aba50e2497215aedf8b63e62adc62d3745f588

SHA256
cb42cc2f48623383c3f1745e305a20f03ef0a5023ebe78627341f8f274a97b72

SHA512
993efc6fbba4c85bec534146745ec427bfaee060c573ce2ad2270b787c956cf3037a552d5b07901a59e35de2a1b7db7464608a4a5ce2619656a89fc502d87cbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ad81e606ec6221bec1ca4fb46fdf3924

SHA1
b0419681e14d831e5b80564e023155970d18d8c5

SHA256
27db98874bb342d64a3f8a315c98d200b5eef207282740983d8067ebc5f1c03d

SHA512
1764260d217085a0839480ecdb2c2fe548d529fe5d335847b03e697485e3215ab32ab8a70ff4e1fb1527ff266bf1d8beebdbb9760098b0bfc1ae7d71e9edcff1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
845ef414030ef7fe978c67e06f4252b8

SHA1
23172c193389bac10008f4e20eb036915eec212e

SHA256
0e3255fc77cfc4b7c6661a7d18ed8ca2d0c82d69d8935234803a3bff19e4e679

SHA512
ea30c46b8135586478afbc920a3716271c7fba88bc5fce98b718c9d51d4594c21eab63937da733306b0295a315c43c42f4200cb9aedd5a164bf1ff21a48abb5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fb2db0b39a391a621aef977668201c74

SHA1
2d0d429d5607e92937a419c2de0612f395dc2ea1

SHA256
db64910e85db75f6eb7469e5dd043a95b0fb833c858a191b575705830183d32d

SHA512
db24545c1b487fd2596fc746373c86b970850b22b1c89b1e62efe108108c78c020c30d26ca0890c3b8778f8dd910b6b1682b371d4b6a97224568d6548144dd69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
44c748346e69b63219a4a4120e292bc3

SHA1
5f7c6a64afabdb1400ec546c34b09abbf98c81b2

SHA256
aa51c9aa54c099b2a86d6db35c6b7c40f4e5de3aa02e235ebd7859853cf3c21a

SHA512
b1e3307727004adef3fcf256ecef43ca11b1aecd2480105854884bae94371dd881e4fcffa52c5bb1f5ec597a57f14610b193539fe66eb45d2b91fa9b1e4585eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
f84d591683fbf0b4f1ca892099feeaa0

SHA1
2963d1f0585bef46746ff4f880bce98158054925

SHA256
7761b3ee987bc62f688092ec006221905e6f221fe203957aec669450f4b1dcd7

SHA512
f9b015ee23eed1ecc7a7fba3987ebf90000680d7770dfff33106e39cfa60ece006f1cc2aa9195eee653dae48a3affe2311ea9a0e1faa18fb05fe710cf835a1de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
605478ee206fd3621686507e2db362db

SHA1
3250efe5bd91b666056e482a199c51ed9307ddff

SHA256
5ef80f51b43693ca0c9bda37a119bb7b7670658637c1c2e845da2632cb763b57

SHA512
88a5ce7731d6b1c7068bee25e55e1ebf90d22f0d7a7ca973d6971b24edc0de9ab31d18785d9a29e50326f45438f841d4c2c21fad3f4198e959dd63aac987146c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
ae7c34e13719c124248be57470cdaef6

SHA1
afc8b567d3c545092aae166093f8984029460717

SHA256
a29423a6230cec11d96e78b6c8e47f4db17903bcff792210b6bb810d917356bd

SHA512
2ada9b480fc1c60c1e24a3e08f2307fa6d1a0cb81dcfb668dfc1f01b4d4f711c76036e620acc66f6c4f844b144948dd3aaed37e646f2d3ee6e05ace66dee9945

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a5229d598af12a96694d0a99b4cbe5a2

SHA1
985169243f7ab301ffc08780c96369724e928215

SHA256
c5599840c4cb3e48705921641d4d72023e76f3e4931f193d3d738cfee8cc8640

SHA512
3cad94f28f9c041d4ed732b96eb0b4bf63188a81cde81c078beef25b03d0bd5a996257dcd9c820059c2daeb0e55b3a5d99f1fd190cd48d20c58e267c4201130e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
049a686b34cf63abac49e698ae85f7c9

SHA1
9605607f19b958d845da98e77aca270b00635469

SHA256
b5fc92d0996c0e5a05a925f9f033cc3b89fc72c505e7e21da80abb7dda16772c

SHA512
66645a9e16ab6b4e19410da7c397dd5426613709ea7075dee971d1da85a03c373c0997a790de184872591f8eae02fb89a0b6ddc7abb5fbca3f743405c3f04416

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
406b451bf2b44bc1bd18402288484c29

SHA1
a2d19af6b229504fa4132810344b7c2a7c9ba584

SHA256
46d888496fba2444f9e47fd6b1c2e11ccca4b17519364525c3481c7241cb497e

SHA512
96397d25d9f3a265c1822f4840261e1202cbf2d4b353525fec029918fb3f5a4c73cadf8dcc109941d8a93cc3c69c2afe882011ae8e0760896da6610ea319e01a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
f7d6d10616e1dac9b0be52c2636dfc65

SHA1
821737bb1b5777debb390df99898316340a6b288

SHA256
3b236f84e9471d20cf445258e593ae4b6e9c41ddc945dd04265e40aea0be0e4d

SHA512
e22c24f642838ac16f2f30663574fd8991d541855b9c534908a6426a0169dec8ddfd80a7154fb698fa3df93efbcd8d387bfd194e6e8957607f73502ada0abdc8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
129289f295305cc7ff39e24d2832c3cc

SHA1
183fef626d24d8bd15b94ee6109530481e5c0bd3

SHA256
e57184bfb872c352e2e38873328a746db4dc7a2cec58e3b49df531d063f4f212

SHA512
f3dff493224a5d15c4160ee02615b3a1279b26aeac99b43c467966341402d19cd6d2207990a13407530a40dc3ba1101b248dc4e194fd50d907baf02915df4b7d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2d9c18913a1b618b447d1fdcd6344846

SHA1
d9d8696c8f96ca0fbd0d29129dcce6d204474c7a

SHA256
b88199e0e7e036e4939ac9f7c953e9357b1032b1d5cd8cc9f2419b1ff8eb8003

SHA512
bd4fda47ff106ac46c56c04f70030831297706c876a222f7cbd534a59c9743b5c81ad9cb181c9d9eed8c176234d0c7f2f1a6321b6435fc71550fb2fe0e11f7ec

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b7818ceca57e5835ebfef50f49cb0b9f

SHA1
de9dd807407c2f2ec778cea00bf2e611b97db535

SHA256
e45bdec67e87433661710e7676b0561da88f22b1bbffe0fe22f04c22b5b5e1ce

SHA512
9c9bfb89bdf71b0798957a4598b3db373dd3c375b9f8de1a2d684d175e27b92c6c752b5d3fcb8ae1b8e413a1b4aa9d8f7200e315ce67db2fb3b3011f7bba1481

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fb283cf9cb8df1dc695615cc3feee158

SHA1
41d4a5c87bfdd80f5215b1912d7d9ca000296964

SHA256
371de2eef6c294d0a21b3ebe502a3cd549e00d133cb622571d0cda2f1bfd9720

SHA512
9148d8629815432b409d30874c1b588117afc43b207e48727dee929c464cb6a6a122b6edb01a48cde0fe95a3fc02a78f86b66ae8b0d241724f4582acee08311d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0a4c58e15cd7f840661c671e6680d3c8

SHA1
3f57bf79a704bcf6da627c0923f985d4b4ba14c9

SHA256
86412f9bca6e517f7f8abdbe368d3bddf690bff9c3a8d5ac2b421101056ae863

SHA512
46b1be2a1dbb0cc126e7c5066c0ec649b2aef914abd896f51c948596181392337601711df69e04b23269993f28c68dc15f050d22ee300645087690c6fd8566e0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5c5e8c14312d06cf029b875b675e2cfe

SHA1
22b527089612a362800616264e1af003427f481a

SHA256
7ef63ca00db4d6f9a9889f3713f9bbaac0a70592e889e7363f1513f97573d2b0

SHA512
5a61bc5d5a49568c6e0661e1889c2b512e71cf87f011b74fe36e2d6d4f2efce5efed2dee409cc67d1bac1be240b2681cc301abce24e8c56113fab7cc1c207cf9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e49735755e5024f3c09b9ea4c80e751f

SHA1
26d2cf51b5d8953cfaa2cdae0cca407162b8dd0c

SHA256
752b501f987c78b2eeffcd48d6d515dd9bd99fc712850091ad391e4d959cfcd8

SHA512
2776863c3b95b8183b6e73a0c72a5d0594120308e6598dced9038e4ff1a244eb4a357c9ae884f183290e206f8c27b6abebac3c6fcf8bb631fd5220e791d93219

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
122aac90193857bb1cf3347395c267b4

SHA1
d8b21d819647ef72fc87bd98b3f7525b0ba24400

SHA256
b2a4d5fd7a6c2413b6f61aecafa528400e989c9384b2ed46e1137e1eb9cae97c

SHA512
f2a9e073cc0de39904447ec984bebeb2c460c22666e8dcb95fb9feaa127a5c51241fa0a88c481e7a0a937f9f85757d1c9faca5b99c12c9419826756ba6955fec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cffd085b16bc77c4135dab0411056dd9

SHA1
feac7d37cbbfedc09a232caccc153a166278bb6f

SHA256
0e4ea7c3315b08425f36407825c2ba23dc04071c6f958253bed2ee2c3f1f39e3

SHA512
dba115f20cae32662f3cfd4829a18c548972ea4a8a5d72d8f67bf967a056ef5ef54e515fc5e265ac3cff388bcb8775aff151d4e38757e44952b455c3742b024d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c234930c994a5c73c808ea7ee309e5c6

SHA1
f38812e522c2f594b7d179bfde632fbd5f47608d

SHA256
36938a5a9148959566b563493ea90719abf03c3c66e8c82b9ba6ee8ce078fd94

SHA512
a12c76bad8b8674c2facece071d35a8775c9ab8ad94158210c4aff5c218384b961f54452521e18d415051b2b17fbe10cf9671ca3c7b613df2034606b546747ba

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
24f4a88ef3676b6d3224c39593ea9268

SHA1
079ace21b00e724f2c13e055079bb0a9a6fb2fb9

SHA256
db2ccdbf799d5ee5e675234c1b443175af4e49c7bcbf73890236c60909757042

SHA512
cfd634cc42e84dbbd6cb03efbb0cd8feb92ec48c5d3ecc7378fdd37750e53a52b8fa9a818952a43ebbd66f0eee47f3dbe38d59f31c8b309d144e6752b5266a43

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f57d86bcd37df55997a6c2e542025ce2

SHA1
2488cc0cfe49e8deaca321487f959d86540e1111

SHA256
1506f6ad2f9877d1c628879e352a4fb7c58de90571e46d2d611f5245e6019cc2

SHA512
a13752de05f3f6436139bcae915045868cbedc4932cc54785a3015919ea88d4e57dd383684e79460202f1838aab663f6491665549c9026713eef16d62ee526dd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f575cffc7ccb03679bdb330596b4a343

SHA1
d25a0f71ca436e7ef76a14e76bcfd2aa62f578ae

SHA256
9f657d28b0596568866b56373d096d8d56f33b8876dab38249d1a7adbfc96b6f

SHA512
c29cd39c74bf087839d5aa6c3948b0e61611573542d31c0cc454eefd88336c08cfe7913b1907db6cbcfe2b8743914601450e4eead69af8d04a4aea4b3bf8012b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5de3eb79ac22dd9540aaea8f10547ec9

SHA1
15b2bc8683fbbfde15e06465df71287de2cddf5c

SHA256
bab4759729da1c32ed8344aa27ed70b3b0b6882057e0cc3d9cc55a2d247e2e8f

SHA512
15548efe352a2859c0ab0b644609213b39ee407d294fa9b441daae2a801d4c70bca10a3b3cad0166bf5c6b2a5a6a748527c52a6752fc6757579756846767444c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f3894011ff655426595a4eaec9654e21

SHA1
598fc4ddc61141a2383d6982f6dda34681d506d0

SHA256
5b164cd2dd8a6f6036923d1f613dd3927dc3e3e5f397b6a52b9f0e50159e807c

SHA512
0c0c8767b2a4f58d1408bf4b253c737a10d8989bf5917439e2fb9c9bb34fca648712b6a1a290312661036265883dbe694f38c38cedbf517f5cd4c284890dc421

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5cdb84877158ae63864815911382577b

SHA1
48d49a23f0ea476930c60c7ea0b1dbbac05ede84

SHA256
928e8862d1aada49355c312204dfa92a4d5194e466ac565158a687590b184902

SHA512
24cce1b069630bc917ad7f2bd80d2f13932bd23d9f596ff649d4130c699945d5a5d628f3e7333ebdcf8300182fa66fd0f885ee834463bc8297f2a20db4f76a1a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e3d94a36b64c0c580525ccb087a2c2d3

SHA1
8aa7064022cce114ffe32efa2adee5ecb982696e

SHA256
39f8e7804baf18debdbb10099fa8396f9b0a592e514679751bfb90e824adb031

SHA512
4252e6f7d3f2062b272b351ee2cf37c6b854b9c56d531a5c40709692595387f03d19c1ac5a09a9d3e0e2a326dda6b69cf8658989c358293ca0dfaf09737aa488

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7bc7384523a398b542c3197c74018968

SHA1
5d9cba158d4b6a56c2c179b0d24ed3de44697076

SHA256
681bdcc4c5cef8744663f1b50fe4e8a89b7eeb9aeb727af779890d8f02e55a81

SHA512
c19373799a4cf6d32c5520c9c7f78cf474de0447d8ebcc0b574a8551b8288bcfb91590b4f8be585ea5b16c70508ef64dde6b151f875dfa8ce149b88acb044775

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
373a055462d8ce46b51f6280a4c14649

SHA1
58eb37c7fb930d5b39010294e7ca1d29534e9034

SHA256
63089249f3aeb9ed62e57ffd2e1282651f9d91b767a664d22e4c81b31204e5d8

SHA512
c3a25da5613af37a01e6d5cd9e1f5ad93bb095f218b1ea45414f0c07de632fc6cc1a2175b4ffa5266fe9b9f6d1e87becf093abc4bf6bae0a8fcacff2a6204414

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
f9d5cff2c4480721a52883545c457b70

SHA1
8fc1f244da33e1d36dc4a78e15f3945a1bd18f9c

SHA256
369f34a36b992547ce49688bd79d3dcecf92a03777aa4a62556392e0c52b1c12

SHA512
e1dd0a1e8c8e4f7c85a070ad07312df29ecd1278cd2ed8e5ffc992ffdd9b9a9165533e90a7e15dd38fff718742e07fcb59c8b4e1abb930455600850ec872ffae

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a00436c476f9dd049ec4302120974ea0

SHA1
bb913552f6ec1df19e21908e0d912f04f67c2e5e

SHA256
673b3d66e3c70a5d73062010a3b53a42359aa58165e6a4af5f989765f8c46b5d

SHA512
960a962666b6751822d57f0a38627b3775fbbf31875001ecc410ecb1e6599a4f37315d2403f0ae1ec52366b955768468010abbc44a37aa2ac9adf884cdf7e023

Download Submit
memory/624-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/624-56-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/624-50-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/624-175-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/752-39-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/752-47-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/752-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/752-62-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/752-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1052-211-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1052-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1052-92-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1124-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1124-250-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1136-86-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1136-76-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1136-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1136-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1136-82-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1288-238-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1288-118-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1756-630-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1756-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2172-262-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2172-141-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2180-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2180-649-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2200-652-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2200-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2540-490-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2540-164-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2844-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2844-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2844-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2844-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3340-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3340-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3388-106-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3388-1-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/3388-8-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/3388-342-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3388-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3764-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3764-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3764-528-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4020-197-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4020-628-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4332-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4332-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4332-18-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4332-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4332-129-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4408-629-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4408-200-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4444-263-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4444-651-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4464-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4464-531-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4820-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4820-32-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4820-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4820-34-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4820-140-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4928-226-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4928-107-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5100-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5100-650-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download