3f81ae7220c5b59490d331eee2225dc666035c072d12feda118fce50be3d64ef

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
Size

1.2MB
MD5

f13db3584666b70fc8948bc73e2e1be0
SHA1

f58a5de86a135739ca1eeff541f18e3f23ecc0e8
SHA256

3f81ae7220c5b59490d331eee2225dc666035c072d12feda118fce50be3d64ef
SHA512

2624920dacf0d0d8281dc61236d7877b32bc4dbf22fec8fb8696be1f965a8d6cbc5c85a077c0e6492536db6cd17173680b63dfb6aae613416a8e464d09dcd0da
SSDEEP

12288:xJ47d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+i:f4Cks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
736	alg.exe
2288	DiagnosticsHub.StandardCollector.Service.exe
744	fxssvc.exe
2704	elevation_service.exe
4024	elevation_service.exe
5104	maintenanceservice.exe
2428	msdtc.exe
2104	OSE.EXE
4748	PerceptionSimulationService.exe
2112	perfhost.exe
4612	locator.exe
4472	SensorDataService.exe
3228	snmptrap.exe
4988	spectrum.exe
468	ssh-agent.exe
4128	TieringEngineService.exe
2528	AgentService.exe
2004	vds.exe
3592	vssvc.exe
3216	wbengine.exe
1568	WmiApSrv.exe
4892	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9ad3624cc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c49a6fd050a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098f566cf50a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f24a80d050a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccc176d050a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2288	DiagnosticsHub.StandardCollector.Service.exe
2288	DiagnosticsHub.StandardCollector.Service.exe
2288	DiagnosticsHub.StandardCollector.Service.exe
2288	DiagnosticsHub.StandardCollector.Service.exe
2288	DiagnosticsHub.StandardCollector.Service.exe
2288	DiagnosticsHub.StandardCollector.Service.exe
2288	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1596	f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
Token: SeAuditPrivilege	744	fxssvc.exe
Token: SeRestorePrivilege	4128	TieringEngineService.exe
Token: SeManageVolumePrivilege	4128	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2528	AgentService.exe
Token: SeBackupPrivilege	3592	vssvc.exe
Token: SeRestorePrivilege	3592	vssvc.exe
Token: SeAuditPrivilege	3592	vssvc.exe
Token: SeBackupPrivilege	3216	wbengine.exe
Token: SeRestorePrivilege	3216	wbengine.exe
Token: SeSecurityPrivilege	3216	wbengine.exe
Token: 33	4892	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4892	SearchIndexer.exe
Token: SeDebugPrivilege	736	alg.exe
Token: SeDebugPrivilege	736	alg.exe
Token: SeDebugPrivilege	736	alg.exe
Token: SeDebugPrivilege	2288	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1636	4892	SearchIndexer.exe	113
PID 4892 wrote to memory of 1636	4892	SearchIndexer.exe	113
PID 4892 wrote to memory of 1136	4892	SearchIndexer.exe	114
PID 4892 wrote to memory of 1136	4892	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f13db3584666b70fc8948bc73e2e1be0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3268

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2428

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4472

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4988

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2000

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1636
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e8cf8a721b0705a84edbf27a2d9867ed

SHA1
c19f80e0722d0748c68272552b82eb126bf78f83

SHA256
864f3019b94cd95363465b973c6f42fffe52883dc62397b6758fc8d0b1b733f3

SHA512
6781081650539f583bca8a852443590d4a70119287dea67914ef53057bb84774cd4c2594ad7c16900928d8a297ceaf44abcce47c19adcaa9cd023c3e4fe5197e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6549e126c14926ff5ad66e5896b375a2

SHA1
8913ae555b9cd6307599d23769d75b1869fcf0e9

SHA256
ba2699244d69abc4f745837561102b879c69c35dba745e1ab7d1d0fdb326fc83

SHA512
8666f4b6d42f91e56d58ff04ec99ce7c7fd493eac2bba809adfb57f4abc76b372c90d6c5ef98de7e67166054d9124ede5ed711dad1020bd5a4d282749154dabd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b9b692f5dfcd156d6dd528239d30d37e

SHA1
04d799ee3dc2641a77fafe0ae30d8207f9585315

SHA256
d4453815328726e4820581c5184c2430d37a56b904c80fcfffeae32ba9c141a0

SHA512
ef5a8f6984a339146e65f984ae993cd1c74a458f092ec4b47b426ebad1fc5875ebe4389b8fc382bf6c5fc058afe348374e966324bfb4e52fa53a6b5e3766e982

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6aa77f538f48e904f7a6612ae7cb6a64

SHA1
df9ffdfd23ed2be8f41b4ca306735a519644b3ec

SHA256
941d6545085767e6432a3f05c4d00809d48a2aba6a955af86be4a7e55ece2b18

SHA512
2da5302e19bec028b6b660f7757357f7ec8fb061e4797782b884d05e7cf2568d5e1826266417193703ca1fa2de0d5001b2b3ff4727570292448c923dae872f78

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3482c134ae58cfa95d7bcc3996e850c7

SHA1
1f2c3b47631b98f264185108f96eeb3226f6d1ae

SHA256
c62e009fa96d441c4c55a43ced3cbc5cac1d5d0497baea7c9fc75b1c91a4ca29

SHA512
3ffb800ebbc5b558c6df67ed498fe43dc33485e8a113624b40d7391d80412de5c2556bae80dab743ffa7f2d3a6fadd9637752f47c7e5684437cee46de7c9d5a0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c1197955800381870be22b99de2a2b5f

SHA1
2addba8d4c0bad33218884872885bc4e9f99391f

SHA256
352c019b3265fb1909f54d4584862d6e4ce150746dad22cd8df007a2e79a7456

SHA512
a0d70f519cdc5ae71e6de25dd1d525aec359e23000d0cd2e6a159d08ef3dd8fca91cfb79cb5bc3136e256a681ce463c544448f2e1879e59b44f5292fcfced57e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
0fb915268c4b38f77a9fef20d9eadc5f

SHA1
186520285d0d7fc7e3bfb0016c8ed204ade81fc5

SHA256
dc5a78ff11aef1da95daa2695c98bca509c717182676337b020385029ff1381c

SHA512
eeb9265c1a5b8786d2f867948a2929bf308bd66b4cdec36f77cd703386decc787d18e2ba93c3c23e2f3ec6ab6f4df11145ec89149f88e94392aed9c3fefd7248

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8b229e0cbee4817be3e711d97ac448b7

SHA1
8ad8d01af2cd4a25ec94f36a23ba17640d3764e0

SHA256
ab28330ec0b90c882ec61de5eac24bafbfd4e7a2a3d0e8416e60898a44f78368

SHA512
b620fbedb65f8361c4082644ae58c6eb260d6fae29303237b0edf993fbe07145634682711d48bdcf6f78c81a010c3aba5dd37f475f26a272276ad8174a0a1280

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
13671d84172826a082328a3c1cf0096d

SHA1
d0370df9419805fb9a1fe2d8324eea2ecd18463b

SHA256
e533526d1b1d02f3dac57127b4567595d02b14c7eb58b72aa4a32185eb5e85b3

SHA512
10c7effce5bf689c2c18fac54ccbc7ab1e7c859c6ba09d1c01d4d0b8af89897dc5905c2aa76c2c68fb1dd4f19783f406640f26655f11428452b86056e956e948

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1e663e5d585201890c6352530c08cb4d

SHA1
7d5cce788d83d657608b5ea74853e592a33f6021

SHA256
e707c097f84b671e447a3e79e93c571ef883f5cb175dee6f8a8e09aeb51b7d3e

SHA512
9c0eda41ec958a96aed0f54b6023802a2a9045d4e8fd2eb855734782e73fd5eb9ccbf5d2159082f9158a7a596083a882c74b2979ceda93043a68332bdf1b1bb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fff02e4b34d3ce8c86857c3aa188e330

SHA1
17ca3516c4f9f833ea6016325660592eafe54745

SHA256
b31ad0c308b6a408b85a8a36f45dceff3243c3c23de98517340dc67f2b631b7f

SHA512
5c3341ef96d49aefcd6c9f6edf17a04b2c83d3387ebe3f1e589c54ea6aea00deb18b1bb2a4278c4f5cfc1ac9ef602377ba6a93b15697d9cebac803c5d2ff2a95

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e2cdc26c895e535796e425b9890dfc34

SHA1
6e0556e8903b577af48a6637f82e4d2adf3d5e02

SHA256
320e431f357e4b8ee3cf6c22db2e69957d21213c5ff5802137584f6aa0d90465

SHA512
5cd8e4629bc101c5cb441a72a6a65008961b931d0588b799675122af684c14ca9fad394a45510a34e119d39f0885f25a46e1eca8da01669652147f77df7543d5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
559dac9af0acf39c9cdbf1a50283b597

SHA1
480cd1a5bf4ec064e0668961caf6e48504267571

SHA256
e625205f487d51bf8779e1dee81b5c5ee49682d980db8e835e98347ff10e3d14

SHA512
2ceb90509878bf75c94e466c2eb3604f7dcc7bc2b185cd78801fe86f17c7ff836e1f127951eb64f13981ce928061ac1cfddaabc93c2b8f3f9690adffc62ecbfc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e5c095ae94b76bb7ef18935fd0fe8260

SHA1
35247f5217b53628ebfd0be0dcfb22cebb0ad146

SHA256
262bd64a59f484623b3cea0b188a8ab4ca341a028098946ce9116411292266fb

SHA512
e47d3e275cb71fa4eec37f8902812ccf997483db2148c3a23ae06105a9d1ef1ee7439492b6d6857339a30ded90b0df486805f687cc6e99bce0335d001a3db2d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9e516357bdce6ebc7c7cee814b94d69d

SHA1
4dff51a1d032a8c5770d3868b7e047c6e4bc6cc0

SHA256
d1abcb0509f6fb680754f9d8ed067f9544b8be19c7c63c7219fd2eee717b4461

SHA512
9ccf7524f6a381def9027343b16d81a7e2292b351c89bc3878142f9070952d4576befc4a30740d85257c00ed06e54550a991e22a74c6ea950654a716d08d0862

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e1637005578c228f1f64a9ee33b3c8c8

SHA1
a726d865ea57b58ba3a639d48ceb1c7972288ee4

SHA256
4f0bdcbf799f776485381cd6c0be1088caf494eefe2df815c3655bb32c41e264

SHA512
871a8a7f52dd89430b591e36fdca5c87b595dc709d2e0e83c07890ef9c72ff4ec43df51e0079cd286ecce14c15761655c841bfc664348291e45df85c006c8ab2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d07a7833d13064b4217e9d54438f14d2

SHA1
787980ec9f1025f586c2c85da7a85630a6141670

SHA256
f99c92c7f951a8f5d519a90cfd9ee111169ec11553fff43ef46cbdd066fadc23

SHA512
09ea50f4f1ac0c478eb4edb4c862d7200ae7b57d01b4535f73f3b7f5acb2a5265fecaee914799013bb82eaa1ac52bf7c438573598384cbc41d3a5ab4c794af47

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b926060cc4ad6fe7063392951ed67f83

SHA1
62ff97e0fe2425c43685303ddd567ddca6fc7377

SHA256
0809939f319c0e857cf480257306d58df0d77bc7ffca49caff80751b47b03b5b

SHA512
72a9533acabbdde8a84003369e4f64fe61496b82b7b40c7694ccdfb4cf0aefe82d22140d86ddfe11e4d72862ddcb3a8bbb8d4d1ad2475531d96d41bbba350025

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e0991b1c3cd9b4f7556640b9fc20da01

SHA1
f1a561c77fd6700bcb1b5da55edbe6c7a87f7f0c

SHA256
b5b7529d360702913c90af599d52b87dab4eb60a10d61443740ceee0e1d89c41

SHA512
3c3abf170975b94453dfcd4dafd876964a2d7760ac8dac2b8efa11e369bbf3cab9e798c6f2f168a8fee48f556254d98f45eb63be3e90c68507333fea95edbcd9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bc2e003353d5b3dd8bced86d94c360a8

SHA1
6d39bb43db3de2975abf0e5d605e175fc23461ac

SHA256
0e26f8bdba38194e660bd42ffb44758d055637db4465953657a6faaa953243af

SHA512
5add5faebcd1ed2d0172cf5c6072eef3339d15ba8f9e01f38ec0782e1d0726bf18999ba015971e6b06d0a8503dc943928fb27ef03119e575b136cd0088823993

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
390f2587c2aad0eb190975f6017f5f69

SHA1
a5d3d779f091ef7dee71f8644a26e2b7bb1e6b76

SHA256
988b5e1613c9dbfd408a0d75d55dcab549d4435d1ecae9233dff641796cc6e89

SHA512
3af4f1f3a2c9971ebc8ef186c1fd2ec160fd2f00cacf56e4b17ca87a7d8b98c87d1a9567bc119756009a6fa89a472d048e7128b342312f59482c7963bedf9f22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b073ff57f65e4f279500b2a540e62520

SHA1
ead0d0c928b4342f892f1c319a90d1fa07f5c407

SHA256
8ddda655f7ca3c7a38396a56f648fb1e1ffc30c887467c1451b446aa4c13b509

SHA512
a2b000521f9c25a674f9a13c01f5a71e89705bde2725e769634c052b0b2fccbb04c6dc117cafc96849b15fd59c4ca6b82b9d993b0907003afcffa2b7242c5c06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
4c95534544b439c2d9c4d0d5fd1aa874

SHA1
a749776818e3facfbfe50d649635a6100431f72c

SHA256
ee07332521ee7491805f38453934ffa8b36f38cea678cad0c013237252764994

SHA512
1e236ca4f5602f813addeb2a6532db2b0d8fd56cc8e2c5a155110163288a068c0b3bae20b2b0e963ebb953d03164ba0775e91a957dde46dc39cf9736c53ae2b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d3456c90c58c8e91683d2750021a3da5

SHA1
0bbdbdadebcf1bd5e482d00daed381a1f1ac7868

SHA256
12470a9cd958addeb4134a783de6c4ee2f8e945f277cac9e5069b2d07c982e27

SHA512
765c352662fe23c1b03698bea9cb0de95a96620af8bce7580e2c38181053cc8318a3de9a5cdcf443da35b0d67c64b498b58b30f64728e416175141e42ec9c892

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b1bf6c23ee7efb71ed7e4bdea0da0ba2

SHA1
df8724e88a415df43f912266e28e5a50880dfc14

SHA256
ff7504e2db4ef707af9e024fdf07f0cd0ef302099d7c7df4e5f0cf0a7370df7a

SHA512
d7a55ff449d3514766b3acae3f7b3ccf43c54d4a67740c9d2af4248a132be23757e2430271d30f85cb59af7d16c8d634c4b4ed8d18beac62c928963a5511438e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
df2462803f2f489b3c0a1b3707deccce

SHA1
a793f5fb1aa0f7e465dbf6ffe23618d2ccd88cf9

SHA256
4b03bb7e4cfbdcae5c974eca0a1b133ea84b5d20ad11c8a67a5d41811ad74222

SHA512
475d77be22f3d237bc2ae6852b4edc5d5d24e01a25d1966ae7a8df2bee05313312fbf91d8bebaac243ca53a1d76edc9e1d112c24ab41e5feb7403a3002fc1820

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
9722b36d8bdb9eb48617e6224887f93b

SHA1
f9e934e230f16c15fc1642353ea007089cd7e724

SHA256
85dddb8533ba042badd418304dcc01efac5d6a6a0975d100b39f669ac8e6d4a0

SHA512
070f243799f2e7f929feca33e71c8b85dc1fdb5e1f2220b1640c77b423073427fba8a44b05e01cc9b76adc9a1a1400a16516ae14a981ee7fdda409b1e13183f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
cf262b2d8f233feadcbf7b6a4c5c977e

SHA1
b019d0fceb65bb9c25fae20cd4854c63bafaac03

SHA256
699d5d818c7f75bd26c3c56fade39b182c7fe11989b901f8862dc47cbcc0b7bd

SHA512
271fe14dd9807337148233b9e34b9d6217dc14928c912cad7519d7af7cefdddca06d0de86d94457b6d2cfdf5c243d0664aa5a713d5800eebf28a50025282ca3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7cdc315643eb3b7cd2e011c38954cf15

SHA1
eddfaf2b689188a428e2aa033777e83225b3a34a

SHA256
c834b5fb7d862ba5402613a54aa60de9e41051355517d9d2974e56da27970dff

SHA512
49fd9c7c41d040bca6f4da689d2dcd70117bd0d80718862e1d4819f1d27383fc28ac192109d21d782a510eff4a68ec130fbb5f30fa80137cfb1442e3de05c956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7cb50b80462ba727d1f295d09b49db6a

SHA1
48e082af78467269591ccbc3784bfa8747966797

SHA256
1c24f6b21fe1e9b149dd16f7d2843bb5a1a1be79d35fe0108ccba806741dc11d

SHA512
f359e82ae01b90f49c9eda17b6fcd16268c15d89c73aae6da08c2620caccfb5fc5ab99265928a5c154dfa60e23346266d049de49f996b7a701322fab04ce58c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5a65eb059bc79e640d3f8db932cb8d7b

SHA1
47374433d4380106a605632a995512423eca26da

SHA256
8079c7358fc2ffd1bf708460adb1df42908810a0e762329270b46e510bc474fd

SHA512
3194fbb025133c2b4892259df26f044bcb85044f659b2b049d5d7662b3aa819f49685f516ab9e373d7abfd05ddf27bec0b22d8ad5be96a39a4834bf01277be94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ccd19462ff9f9e5f1405b0685a8f4cba

SHA1
2add6a4e05cb6809b21a74732286fa9527b9776f

SHA256
b006bcb0993152e5c187c56b6cdee242c8259baf9b770352bd4ede6c04ae7864

SHA512
fc6c3720a1c1794082569c1ec79b84ad5eabfcb7a5f863b1c57843e892041d97e1571e91b460bccb5772618fa6cee4ad979c7bc46ce645974c462df401aee724

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
1afb8fe2eeffe9a8294d74d6a56b7919

SHA1
aebda7d3412dc4faa27394bf2ad8270ffb34ba84

SHA256
1c477dd984e6d395d453261c55e97e95b43692912f2993faddfb5fdd5b1493ef

SHA512
aabeeb9f435ac60cf57a7a14fae6b3f3a121ff0e1659a86e5ce6b736c55c616b8e38a4dbd193d61552cd526274d36ccec67a2f5321aac2a93e289ff70db0cb51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f7f3f01b93f42c1070ae0c9e00278b31

SHA1
fd959ae9b7e1fd441b0d91acbef4021c088a088b

SHA256
ac05b41ba8e2962c41cf00e8df14900ccc46151d4ae5e25438ad5ce584e38c4e

SHA512
3c6c723fb8ca27ad20e694c6a23646cb35deaa6bb41fa707c9559c28bf522057fdb4f4e1513810f9fb85bcf3c885c51474711d348913816c4179d9ad2b4c176c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2769c6248a125cd0140bd268ce70c221

SHA1
abb5ae9edd50b6eb24a94ea91f59a71696d42795

SHA256
0a5e3303382e08ad4468f9c496c03ff3e23e585baa42e536b235503af4c8f792

SHA512
9be2437efbf2ca2b0bae34d595782e9374c074a72fe56ff2c3dca70dd8584a1744b00a6ff73ee4b34b0273b191594d5c35b0ff409d9b76ef245225f3127178f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a3708b0408e475626a0c473cdebf766e

SHA1
11b697acdd0da2df314c66ae32f2b38154140ad4

SHA256
daae91665a2f5710a221b9bf26256ee758041b4234121a97443e660df3244dc3

SHA512
39521049deec7f656493baca8aa6d8b0c131341ae8a6d5d46ed379e1851013d06d1f279ac7b190d8620766532c81ba7d5ed73b458f1c8ad2032cf07d5e8ccf35

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
35faf4335b40da83c2559e466c453568

SHA1
c6913ef75cffc67513527b5cbcf2c8db9ffe3ef6

SHA256
623f12ad689682d5a196e0fce17b8fe17e21250eb1f11b6026c435ee87e9db9c

SHA512
d15f4021469e3f83670962faa7dc17adda2240e0990de3974eddb0a152d1ed7d5e3b010a02083fa1987ce4c7255e77b45daf0aeccf7d8efda0ad4cfed29fdb79

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a5bcdd0f11071d473b322aaa86b81397

SHA1
1c31e35d66646b2ba9eb51854f940e35f071e94f

SHA256
5538d806ee262ed95c311545c85c4f0f33274c01b288db252a0fc8495199ec8d

SHA512
fe217e307bef832cdd546fb9678e43a698494f8d4a7b7ae8122e216944964442e08ece22ce869dcfcaece337190622a7e710f285e20443514293b66821a275d7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d715480e769f595cd5938177407f7c2a

SHA1
14846ed1aa226ef4a499f79a0a56590678620f81

SHA256
9c075f29484ff59b5e04a049aed22d9fb58d6bc925abee8a54230f85bb421281

SHA512
06260ef0af2558457dfed2e4af79df4af63b31d4eee8a45c087360ed53f8ccb1c53fd3ab5a476fea99b2fb1668243cc001770ee7791176a89b78e6890d2058f0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e5dfad104e41df64dafba43ed2fb2873

SHA1
2c245f56829bcb37df3c55098f93dc415b157458

SHA256
8a9f67719cba89c8f2ed6a37f9eec3838342f9eb1b6907d7c9b80df3e0396cb9

SHA512
41ea9e09f90e8577f26c2637d52bdf18e847aef167708be1f12fc4ba86f43f30a902dab4ef9929f1234d1a723a2e0dd49619b83933d9fb83efae566783034907

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f81d6c25cc31bc0a187375abf1864a6d

SHA1
76ca82dd05d7642d61cf8666337ba6f653bfe72b

SHA256
85d3c607c65f7d76366ed39f14192e045e3be3aa8b29e04dc7946dbe5a08e263

SHA512
b4ab24e87f73478501fd5bb5230c1971beb31dc9b6f40bce5f22ba68e72daae963589ed3ec5f2ca35214b0fe1ceab18646c758befb7dfa3e88c9ae8dfe90a23c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3865303b91bb067a865a6189afb065e3

SHA1
2da7665e64e200256dc12466222d4d089176403d

SHA256
234ef49a64c1a9aef614aada34d7a45abbdd03530eaf1d12becb4227d78a39f1

SHA512
93bc5e77a0c948dc16c4fe3923fc1275918acae7aaddb88adaa9e97a618d5d63ad27479e45b6c6190c8bd7b9b8b4c8917c6d2392f9166a1dbfe0cab1359cc2cd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
dd5ce627c2fdef3dbf3cbda7fcd3bb2a

SHA1
2cf16c668873dd1e2765ca5698000b3995864a3c

SHA256
1529324400cc493602a47116c6c7295fedd38316ba9b9de68cf91b69b15101e3

SHA512
8565b204b27d42db114ce88cc64150b5e3ecdf2553ab663f47792e5b12a14bd761a8775993aeb6c174ec3ccfbb0ab7234dac28ee80fc4c4fd863481552a9b3c4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ed8259263ac4843d529d63883a0ae374

SHA1
57dafe157f607f0ec945a8d5473d527860126207

SHA256
4c00db5f973cf4827727bd9c87d006a8912958e77befdc67be2ea69ae793055c

SHA512
cb97957e5296be73374aa3ffd11ad3481ac56c33b901ba6298a16635a50f8dc797bbefaf951bd6de68deb97e6e75bef4c774c032593496fee12774d8a7773030

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9c2e8a3b7256639b8d49316119c367be

SHA1
0bffe547a69ae42f0b01f147b782b767f4bd6824

SHA256
a55779a288a3583368e09493e16b4755ba16848baad18f601c3ada8afda2a35d

SHA512
a5b536a03f94ac8aded7619db7c51507bceab958de3e0414023b7ee519dfda40f4fa20d5e1d55fd15e4b29b8a47c6b0306ac3493d6cfe6d25d1a0fc07edb746e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e9ecc05ecce87faa287215bfee1b16c5

SHA1
926b9e8c633801fe6b7c8d018256dab3351d1ee2

SHA256
9fd0406e695e16d26a885f4fe7dd594240edf73ce8f7eecf5f74a436a95985e3

SHA512
c37192c6e1cbb840ab397d62f7f64f14a9c551de4bed135b0631b195566ff634a4aca9bee6c239d61e2d47327816d8dc15eb229ddc795c3c7f01a650e3406b4b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
86f523b9ba0de304ce227cb8d6a1df43

SHA1
6e3565acce820140e329916e20d3106015ac6ab8

SHA256
b350b26adfe72e7a4a63d28d180f36a09a5ac6259ab81d50eda59bfbe02d5d4a

SHA512
c7509ce22092a2a4a3c7b93f5a610fd0f2a137e995d60a9c5e0b81a64e6ca9d12d4531bc736d0d7af32138a1bb54711e92c2c3c9e1575a49f0f5239a9ee25146

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f17c37cb92c0b670910024969f5a9441

SHA1
0e2f7a20bd4e90229132722a06ba595436e03ee4

SHA256
24e47e0eb6c913e88a5da23caddf26e8bac6a4fc12cdc63875e8bfa67e270511

SHA512
c3bffcfe9402f0fa2a7694c1a5f1bde73120998f4c5c3ccb6805e044a318a14dd5648569b1cf991e8059c21bb557b3a1a62dad803b11d96179514718d3c07887

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1add1391e796c3cd5d6f16d18d444465

SHA1
89ce7b1e9d7b8b26babef5b8f13078854b1b2574

SHA256
c15c28160a26ba94aaba4774fa44c4bbb01e6b77c16a868bc32595a762871535

SHA512
370191b091ec4c7d1f06c0e15e53ff89650b485ef4a0b58f1b5e1f9875c86b9bb6e2e2acf248e25ca5f533b09a9bc7f818782148c0722c1cd7844d5485b689f5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5ef63434d3d8172c85eafa5683ae7827

SHA1
53c1328a71e1d148bccb09ee4c8d1f0793a323b2

SHA256
94c50bdccc49e7b3cd9614bbdb4dc099045ea39fcd690ab5a5433e80f981d77f

SHA512
fef2de24f8ff28586742757d1705f5f635c0bb1b61ebfc0ace3b01d3f6ba802d84f93dc92ddda538ea9d1e56928036bcf661f1957146ebcb1a8a9dbfee306593

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b347cc8e43d9035bff02a3aa8e246804

SHA1
eba49e74043e1686563f7256ce4de024051c2a0e

SHA256
fb458663b215c6cd4314a4e94cad190186eb89aa42fd8190b5b53929137f7a93

SHA512
974d4c8a16a5670fe41c1bd9809ee70f3d57ea2ed30942654e6fc63765d8f3c8499087006c941174957dbe19d92ced94b9470b1309ca37d26530f5825f6e2e6a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c7fcd4e72382506d6c4331f992604b1c

SHA1
b49904f0e95740656b812e1e2a05b7c9b653f419

SHA256
df27349e4e1bcb79747bcb59e240b4f4b580638b6dbd5e80d2237d7fdc0dbbbd

SHA512
1e2f677584312f68bb5db5c44be07421aed776a2dd595143a6e5c57308cea91c9b4b43322b53f445c97dee1e98258bf86f7db62528fe14060a80587a3ef8a31e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4e19d52a971a1bae14ed7b59ebb8c862

SHA1
d2c30190840266eda8ab36d27ac19369be59e038

SHA256
12bbfcc49670250d06ac2562831bdab71bbc0f590b3988a52469a851a8b52eb4

SHA512
c90ac96acc8d0bcdb531b0fd36943b9f688667292ed23892b7ed9c61936bf9278e2942cc75ca9a1da20282c6957d6e4589bfd87ab21c9349147bd53990d70f7d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5c42b422d9078368fc91cd4605019906

SHA1
22ec0730b4501e75e644f299841381b46806ad83

SHA256
63114568a9f7aca08c1c0758832cca8d36a4df6175e2789bf91a22b95609cc63

SHA512
7147c29154dffc922adecdb06394111e4278be95977662d36450fcb88f03a10833e2a877a34d7b0757c87267526493713e0f81fb2686acf89a844106374ecd90

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9dc496aa29f3eda3a7a592a2c57a3b2b

SHA1
0ac72c915b5e34648b2f2e8ca357641215d24947

SHA256
006ac7c6b31e5bf5e503f9cc1f9e4fbc3971be2ce2d6d7e573d8d88852f5e5e0

SHA512
f104ea05b80be6c43d1d7564d8be4bb8be467f8a58f79271ef75adaf68c9df72844591835c8d5b81db2cdbda9f957c54493c9def1b629fb076ec9aba97d4f20e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
10a64f17e8b8f2fa95b1ad6eae63f429

SHA1
985d3f055765546594a5434e9606ec50464d9863

SHA256
5c2d03f88c7bd16fae51ec9f504d19a58aceaa60f49da61bf7274416fdf36c27

SHA512
cd9ee9b71942e91f387be5d60ff31232f6219078633c32087bb15ec8c0b3d7d3ed80926114c74441dcedd0c6c5740bcb7dcbfeeef6712374f74fe9cd790b10d1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c6cebe485d5fc395ff01527725fa5835

SHA1
f28ca8c0e5c8b3c327385be363e075cc938d2189

SHA256
05ff03e4887f3d3b514e72fa8db572f23aee7ad4288a2cf9214c767ddc72790e

SHA512
f92170c7d349d9bde3e10595c9ce33edf1bb2c238d6fb6480256366cf43f37a96139b6d90f95d4637b76939aaf91195f6016732cbd3eb2eecc399bb5dbd702c8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
651b500ea5bee9594aeeca508dfb9846

SHA1
6346727a86745fdad3bd9c819be2b4d5a169b13f

SHA256
403123a4f4fca69223d7f73c904584da7d479cc95f8a60052ee06e026f8d6d1d

SHA512
b1d4374ec9d16ffee5aa3cf32c9ebf6d0cd4a50e2e402bf4c77fd8f136cfb2e87f2d8869c837615e4b483dca4ebed874125029316a4dfd3107b9a86149de75a4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a8a118533eada4eef1bfe799d02aa702

SHA1
bdfbd428267193540dc766948a63749f54947c01

SHA256
39620dfcea73791dc1d6e91bc32ca4218352fb496650dd7694825fc9452095e9

SHA512
b2476f28a924d66281b78fdec36c01667f34bc04da19ec30bf4746d94e6c080d545ce2718a5a85d8ca4fe055db0df1ac95d4c46c3c0437b1835288a45400b32a

Download Submit
memory/468-178-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/468-565-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/736-104-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/736-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/736-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/736-20-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/744-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/744-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/744-43-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/744-57-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/744-37-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1568-253-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1568-574-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1596-87-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1596-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1596-335-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1596-1-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/1596-7-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/2004-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2004-567-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2104-216-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2104-105-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2112-240-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2112-128-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2288-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2288-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2288-34-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2288-127-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2428-97-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2428-88-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2428-201-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2528-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2528-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2704-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2704-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2704-49-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2704-55-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3216-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3216-573-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3228-162-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3228-491-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3592-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3592-570-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4024-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4024-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4024-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4024-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4128-566-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4128-190-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4472-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-531-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4612-139-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4612-252-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4748-116-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4748-228-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4892-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4892-575-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4988-548-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4988-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5104-79-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5104-73-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5104-85-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5104-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5104-96-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download