d9dc7822d320b70b99e9f5afa6498a8c00ad5cd858cd49f3b9c5324417d4c7fe

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
Size

1.3MB
MD5

162d613187c8bd50bd72d3dddc0f42a0
SHA1

ee06a8db57b1bd2f7e6684a7c5463456ae646ba7
SHA256

d9dc7822d320b70b99e9f5afa6498a8c00ad5cd858cd49f3b9c5324417d4c7fe
SHA512

9a8a37d3e532e67236b0bb0ae63532a6009aff2abccb8c1cfb188ae704fd89cc4e5fa0a47a2a5765cdc002900ccba9b11fcd6f5f353b8f4f2a609bf9454dc3f0
SSDEEP

12288:tqz2DWUc+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:gz2DW4MdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4784	alg.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
1408	fxssvc.exe
1960	elevation_service.exe
4836	elevation_service.exe
460	maintenanceservice.exe
1208	msdtc.exe
1820	OSE.EXE
1144	PerceptionSimulationService.exe
3416	perfhost.exe
3628	locator.exe
4776	SensorDataService.exe
4980	snmptrap.exe
4568	spectrum.exe
4264	ssh-agent.exe
4928	TieringEngineService.exe
5024	AgentService.exe
3192	vds.exe
372	vssvc.exe
4816	wbengine.exe
3704	WmiApSrv.exe
3468	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b65ab5b7293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067c54fe826a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ada24e826a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000731223ea26a3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062ac5eea26a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018032ce826a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053d808ea26a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da501be826a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e9da5f026a3da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
1960	elevation_service.exe
1960	elevation_service.exe
1960	elevation_service.exe
1960	elevation_service.exe
1960	elevation_service.exe
1960	elevation_service.exe
1960	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2796	162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1408	fxssvc.exe
Token: SeRestorePrivilege	4928	TieringEngineService.exe
Token: SeManageVolumePrivilege	4928	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5024	AgentService.exe
Token: SeBackupPrivilege	372	vssvc.exe
Token: SeRestorePrivilege	372	vssvc.exe
Token: SeAuditPrivilege	372	vssvc.exe
Token: SeBackupPrivilege	4816	wbengine.exe
Token: SeRestorePrivilege	4816	wbengine.exe
Token: SeSecurityPrivilege	4816	wbengine.exe
Token: 33	3468	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3468	SearchIndexer.exe
Token: SeDebugPrivilege	4768	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1960	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 396	3468	SearchIndexer.exe	114
PID 3468 wrote to memory of 396	3468	SearchIndexer.exe	114
PID 3468 wrote to memory of 1624	3468	SearchIndexer.exe	115
PID 3468 wrote to memory of 1624	3468	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\162d613187c8bd50bd72d3dddc0f42a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1516

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:460

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3416

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4776

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4568

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3704

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:396
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fb6ec463f6927ded0aa8fa71502c12e8

SHA1
e84203db91a0f35b9d826928408374ba77e54ec9

SHA256
7706b2d1325fcc8b2d937fd3f46bf268bbe038eee8cafe574a3b88d192399e36

SHA512
31fbd710ad6ad03850e17b3ccab001e8de9b467f47cb44d84fde5ecc54853f0a8728b8f11cc675dd42c69a2439bff693c2734aa8bb84ec8b7c31a845eeb95d39

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
693d10d214c4f8d0298592ea164a169a

SHA1
9c68461ba966b767bfc54262c50329e104dc2d10

SHA256
4842b5a905bdaedc4e1d8416faee03415484281dba9b7c1af8da6811212a7b22

SHA512
afeea000753086bd68accf4ce52894507d649ada8a6977458cc2469cf968cee15116f786c2e5b0703d12a2409e576e34f5c0cadff9657600fef948ae9ff02c62

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b202d1c2b8ba2baa8c41743604c64af7

SHA1
7cbfe7b72c23c6e9c8cfcf848879ac1b3e4f942c

SHA256
06328d6a551bdabc12f25fdb316394267e838934e43b2cf53b168290365a6d45

SHA512
9153b6b452c30537434bda55e41973cc52bba50043c137229b2f51a4f4b01fe405f9005dd0a1e99ac53b1daebba5759083a96123410b40b225ae77b7f1b6f1ca

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
11ea50e5944c0037a6ef5ec2e409b0b2

SHA1
b3be54ce48d962472fb84bc92954ce7a9e8d02b4

SHA256
2d145c83738854549fc6a3670fd73639988977e4c98a458fee59ffbdad882b3c

SHA512
b970852ba9f12116ec89409b476e6651dc9073053524bed8eb6443f44007af166ac0715afefba82d38caf5614c56b604148d6cc8877a3105ccaca68cbab337ed

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4027989fd639b9d07dc02f5a0b28482d

SHA1
e668562f993c4cb963bb56877c5aef24872ed400

SHA256
49aa5848cb942e2168856659951b2cab4bc68c5a8f65a45c5c0fa9438cc49bd1

SHA512
3b905249b840bf613946cde26d6435e85cb91aff836ee32247b215321cfe977ddadbd8ee8b7e04b57e1304466673ea637a87c29e63f6dfe4bf748b10b49f9bf0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7fec550d160f089f1a6e3db336897c38

SHA1
feb2b268e59383b8fc09feb1cf345510bee155d3

SHA256
8c219c451acb8c91ee3b1db27bb9e9991a1b20ddf81e13724f49411cee2f839f

SHA512
a6c09514f38cc6df5e17859e295a673e40ad66f6798f3f997fbeca6c46da396c26fd6c6da06c5ef476fa4f17a7da82e177b33f8b04a9709440c27b9b957a3988

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2fba409b5ec63d5eed0e2d74e1b9b7d0

SHA1
443226831b5e698282ba5ecf893ec11e8e8115ce

SHA256
25ede0ee3ed1063f73aafd6db795b987a3bc1d9f26d9f6e267f3823b7eee168f

SHA512
9afab98c5f9b7add726417ef4f4145aa208c3bc5f3a599541790eba583a1b6d39aa667c670bfb15b6fb5d032b89871dae30294a512b2f9bd251903e86b39721e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a62ac46287df5825fb0eedb98e67eb0a

SHA1
7e9acdd7d8f410ec80b3b19f87b1fde2337d0fe3

SHA256
bd70419b0bf129231185a952a5789379a5f7dcbb3ade5e8db381adff137eba3e

SHA512
dbbe5f501154b579ffab510c1d2fac4f41354272e9b7c1aed7dc1d5cd32fd8a719ce8c9819b0ec80669ff201bacf21b7f009073aaeba8b5a94d52ff9a891ffe9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
36a0b05c85e9558961c28cb8987c088a

SHA1
0b089d7b02a15b1cdd32d764190592c816b9df07

SHA256
b6f08fa96a30c46bb31936235c962686c9722b8fceab8d990a2e7006f7409c9c

SHA512
39c46758e95b7423337ac194ecf7bc809dbd0f3b447cebbb7143302447c9116338e1365abbd8b3c8e469f5c9231bb76991c0993ad19d47a291046821192635b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
54169fd8f0778ecab01f46895c071e1d

SHA1
54b02453fd7ee4c437150f67bc32e1df26f939fa

SHA256
d4fac089a1a313b45d67272c9aa42716016f9926ef2283cb2e88f3c98cc75836

SHA512
131b4e1069f1d7d446e58dba61f6ce46e412819f6d742a072499fde0a5bf3a83cb89100be35b41b915597239b2a95d04a89fc1ec30b955471f1127df603c3ed6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0095f9b9dc30992990627f17be4fca61

SHA1
40a1e6bf63729f00dbe993edbf4f1204739d7e2d

SHA256
486273b3c37789fb269890b8e7c239783e23ad7931f75c75c9dabfabc0aa906b

SHA512
47d7f42c227080a60267c61d858fc0fd98bc0652ca6a45425ced9513a4443b8be27bc26941e85accd922c7e19110f5849d1a33afc0a3ef20f6e58b539f62aa47

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c658868f2919f6fee0f2777ca03350fd

SHA1
ee8fd9c04859921207cb49410ff4b2ac8fd9e83f

SHA256
a83ed5593a7485076667acd0e0d3e765f913a433b0b03423f4270a9e819af778

SHA512
81e7b674fd8584b9c7db8038cd73d750d7a05694386f4c11f8e5289d97864e34be40bbc0ef411307df9a929aedd6c7b4b25a4b1f18720de08d87e8bacf2b2d99

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
acd68b3df0df04b2741adf98cf158e28

SHA1
37c5bdfb81de24667170c67f954fe20ab4c7ed78

SHA256
3ac220e33c2345cdb67ad99732581803e266837af920efce1a673d48b502a21b

SHA512
e725dfae4b1257c8ac123e19c460e9b904ee6000633fad4eafe9d21a3ba33d6a4d580a29236a82bb31569508fc0661881bdd69e58253982f5f34fed34fce6ca4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
92d9220a723ca7162afd952874a8235c

SHA1
cdd8353be1afb0a2126c217b96162bfa724b867e

SHA256
0f4e549724e0be4eb55d497cdf5fa3d274479866f1ad877b7105f6a90ba5034e

SHA512
9e6a2fd46e032e1df6d7f107c36c20ca375da17fc24ae79fea97ca2e6f4e658e72e20f0e4dd704f925d17bc5c65085ff292b7bf51ee40482a376827622454ea5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
85749d73b76d9cf3b288ae2b60b5d57f

SHA1
f0e7c2a976bf52419467819acf407c6fe85fea20

SHA256
0fb13d188175c789cb58d5ffa03b398b8ef8531825af361504b486617cf63d14

SHA512
bae8c63894560b096965cacb0e4bafe9b30d0dd9f74504021c4961dcb158b7d268bd947af9202f643e8bea634b0344109009bfc08142e0c6472d40790b9161dc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0b49c36d66729adfc154055ca5fa40fd

SHA1
a33e6011ea31cae32c2bdde85a061f40d7eea5a0

SHA256
a9db5d7196f377dadd869e50379d0d85efa76699c9b960a81cc090a357c95ae8

SHA512
6223853dc82c777168628aa442538841461880947ccf41ef176542778834299ddb26d17668d410e4812b2322a2181957a2ac818a4106defe4ad1a85cf9c53f58

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7ff343b6572002741374abca28ce7725

SHA1
2ea8b1cefebd72328882553a9760d920aefa3141

SHA256
3307226d290e1ff425af54ea94fb82965c9185bd5eaa5d87555506437388192f

SHA512
2c6e22c38a3d44d8ebd852f5aa1d9216e289424b31a2b01804b3eaf82e06c8a0a5232d908e4d085b13007e90d8d2ec32216b10064383fdf59db4e4430b97419b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
72450ea091ce6d6aa860314e8dad1454

SHA1
77c9b412094fb9fa48db586f56988df6e3e31d03

SHA256
87b1766a6c6daf5bd7e91ed0f54d40d6bbd7ddc3fba03fa6c0e95d7dff661071

SHA512
c7f81efd3cd3f3e01364e4cb7c6e269ec20ed691bf62ea32c80aab845c359eb7694a444565f04fc6a678bb3c008a51ae2e5840f22ad288e34c26b5672197b22c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8a6be3778b89102ba79f0d8fd04efde1

SHA1
0457805f31e31f7ad4324a4a6ec4808ab7eea5e9

SHA256
9b587767bbfe52684bbec51f3ba6a88b7a547e33456b333f0f8972343d6b55cc

SHA512
11beaea70ace65af135f2e76420a36400c7a8a4b3f03fc8e450cd348fbceb8c25964a229274e75558148f2e6f2dcd9ea6baceb1285b1136d8e537ecbf18db872

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
148727618734741e5471cd43cce5e780

SHA1
f9a686380712a5f1635b9a9ffb135b4a6dce4805

SHA256
92d848ba1b1305a6de1db473d0afb4d894d9b246a8ffa4916a19700d3d351338

SHA512
4a129850a3cd113d3be885fc2e866d4a628f2fad12499fd778c2c688295c4153d1c951c97a6db0273b0e629487a79d1da58da854c18a55092a6aa22892672a65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6abbee4cb761e6bd31d68bd07f273766

SHA1
3913754e26f2d694dd17d6cd10e4efecdac56796

SHA256
4f34fbc7aeb3aaa6adae531ed55faad0d52b70da73c1c0e9aab6a7d4ad196d19

SHA512
85d156f24f3ac4b5e2da72feb5ef3af04078173d3212ebb9a27b06f4bad9fe303702351e7e9b9cb71451e6bd17702c5abcfd7a50069fba0f0139cd87f1e8271e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
407974274946bb21c2ab1bf27794b80b

SHA1
2d0194a07647e5c710a9846a898b1a098628e8f9

SHA256
17922713211e5d3dcf20bc90643713f6ec38c3cefca03698e897cc4923644c62

SHA512
6c498c799df6ed28dbab4546ded188afa10f6baab1ba127a7aec8cc10bf48c8d98c49c4ee1e5dbff4bdea88ebe32f20fdc911756493f501d99c79ff06513971a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1d270554dfe26a507a134d5f384f8ef9

SHA1
13ca15e432a57d476deb7abf0871d59c3b0c7428

SHA256
c1010e9d93fcf71c22942b3e82226b3b6c449b8f0db22cb2ad5c2b63f3d33f38

SHA512
dcb6e181641206e7e3817d9a573cea40bad07f153f7490564a348dd174a86392c7934c09ff090ee8089fc5b99237612d1c84b2b20c26050cb96e710648ee1bc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
bde444d04f9dfe30481b7a1f4f08b1bf

SHA1
95f6b74778e4fc82f5a1adbbc9c7f505d9a42c47

SHA256
ad9eb7888fc0db0f022d7f3be67b191f124254b642d39611b3e5513052804660

SHA512
a14012a7571eb5c15c8b0b3c2efa39f69d000299f37e356eb2e72ffba9f80bd8a7a4133f2a5498b1674ce95939ba49bb9981d6d3f28f6c3bb81f2af2553473c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0be0767bc05f44c4368dba71fac01067

SHA1
d337961ceeea18fec8367b25e66dcfbdfc301a0c

SHA256
c36cec1c894453a21e5536120736966f3734e47eb3f8bdbf00fd8077f4f31981

SHA512
e4a7afa687fa12b1d7c818c96fab343537a7a1fa41a099f12a0cf6a2ea005ac95394890155ca782502c47988d0579404a3cc32d0b375e8cca79e04967e342d7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
17c0f6fb74ec16b8dc696c36a647c2e6

SHA1
2c766a3a8a4c6fd3df134682f3d6b4c6d3e83dcb

SHA256
e79f686cd1b89d3c734e18bb3314b55d2fc0a23398f6bfc442fed5a7bf8cd15e

SHA512
8ac9e9cf55754b35398c32da05a43bc03cb3b16c2fa1668f32585ef048b0dcfab0a34d8b118492dc19a2a8c5db158145a3de5cfc8a6dbd8e2451b5802754c88f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
1272fa2664104590585cccaf6646365b

SHA1
f04c774c5df0f3edc37e94a50fe56786d81ff477

SHA256
caf334e685008bec54aec80a374fad9e9bd0a4163ccc24313a9e5ac64e003d7c

SHA512
5689b37e0c7229041079d0983b643b399c0d3fa3dea2a7fed836b78dfec11d13b9bf3b177b25ab16f750626a627028000201bec445ca2410e56104d43afd0bb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
226e78a19e38ba10ac2b6ec9f42f1919

SHA1
041c48896003ef7e4a04c656e2cb96ff84c1409b

SHA256
32c56517a18ab2a6c11be0bfc75db810aeceef38a738addd57d2a39f8f8872ae

SHA512
56378f8aeb68778192edee2f25df957530752e4871431d1109b7bc75d1f7429aeaec3eb3537482892b55069a49c39aab3a1956d14d7f063ca0de62752643db51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
66be0aa2c2c88d93ecc3722deb225ae9

SHA1
e3ff99e6ea49fb64e586742feb1d3e2166b8c90c

SHA256
363a24ebebb94878b6779adca0a9c3e87bd85de43f349e3538e6387e5003ba91

SHA512
21a821cf6afd221173b9dd594a2cc09d7d583aede4adc28298e65976978f120f20db03448656f597a3b25e25d3c0addb69e0915b3c109091c14af46517e17963

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3b7aaafb8e6342a7d45c0160e8a1bc55

SHA1
c1bcd1934e743809e3d2352e01b97171350ee438

SHA256
1659764e7b066afa69b7d8264eef6f074ce8c27dffbb9a260df88441ebb2d9d0

SHA512
37c38d5d7b63e84173b60573cadfc8e42c5066a099c4b6d8a74c8e7f8faf7f61317e1fea236c85b6fc65f2e4ea09a7b6de6a18eb5af43fc91ebb55d1d7609a4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7070d76b2814f0a3fd6815659a16ba71

SHA1
d91a9f7bba8156b1951fbb92bd8c251a9b860878

SHA256
a4b28790423bae4f65143656c82648151bf53dd582c4e28379c196d11d7ae4cc

SHA512
b823d4d002f9f5affbe884a7bfaa5c3a1ba82d50ae6bf1eb9ce1f806dbc01574fbe2d3abf6c28bead7a8129aa2c32bf4d77cf41fbb596d9e67cc775b00520b6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
0621937eed76c1ea2f05dce380251fc5

SHA1
218f83f5f3f9f71c7e44ac5b2d8f5f71df6171aa

SHA256
49ca5b90d7b32a8d3d5da3e6d20db221890e8ce1dd919a994e17aa51d5949d78

SHA512
59e406fdba18b07db64b1a5136f9ff7b524afccfbd9ad14ecdf8c4474de4f099c684636daebbb688553bedb572ef5cf3ed6464ebd76808602455d1dddd2461ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
24a6dcbcb6700649c32ca4df1b7e3de7

SHA1
5cca31bda20b9d6f9f436a87d2f0179e055ff73f

SHA256
964f0b695909d1d2d89d1689c0eff1ef1ef80974999d9a7fdd300557751d6c9e

SHA512
ffcce7c9e5ae487c8e8307f41b532194d919bc27e509fe8f4ac8f2c788c2d987a9c20658df3e86e69163292a842f9ebce5ff2ad0f7979dd3410425ab68302f7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
7bdd374dbbd427fb502b288dd12ebb42

SHA1
8b02eb1932e18272ffdd7b99573ad674d0cdbcab

SHA256
19ddb616649247f6893785c90b31055cf5191dea10734a6dcd77d17298316aad

SHA512
7a122ce379b4be9d4d3c895bf456a2f8a6e181ec1407720127231f8f54af872c2728b51942314eea4193fc0391be3e0abc87b9b6005091860600cae629fd3066

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
056e83a9f043fd9d9ddc8568cab4cb8c

SHA1
1c041e46b155fd4696ad410feabac2b83966b51a

SHA256
1458ecdf1818f9c6a934f08013e54c1241393fb568fddb0eaf0213eb29a137c5

SHA512
6fcf4b84f25658ec837c056571b7a6b1c1293fed5f4e6fe87a3c00553acc87c04d818b073b736e65514665f4e0b696396ffb77ccd912feef859fb8e1afafdf9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
3cec79028f793ab7a2dcdd11a873ac07

SHA1
1ed6ad3c10060fd518ce7e32e7cd426183e108c4

SHA256
a5ce3b2201d7fe12dc9b1aa39d605bff67b4cdcb7ee0fb7b87bb44e2d1714630

SHA512
ce58b27fb45626b85bf27035367500b6a9340c4821d0ef36daa39445b6413c4d511f14bd16e65234334e2cdc1dc8df87c7532a15ded0448ff1b26de9f13312f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f72dafbc2f1280ca87d918eb88513b18

SHA1
b91fed407a308549d5ceeaa6159df75814b0bedb

SHA256
5082431414553e93bb1946b7f9dcefbcc11b3b13ca662fe14803e93cb2af547c

SHA512
58b8254f12e07623abaddea51be4c793b5b91f152b93919f28c95e621dca3530838b591e4c1f86df796a035b02f666f69f690d8dd1d1c90817213925ac39244c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7de5e0a38250f6430c4ab05d40afe86f

SHA1
5ff9a419e356c91b43466d2909902fa0c2a5f0c9

SHA256
4ba551c13a7492cf0debae3d418f45154d7d6c38b49da5d5871670246016758c

SHA512
0f831bd2e72a41082748a99784261aad6d9aa39ff67142c75350e743a5def76e5661d73822b2b8ca55cbcb3a6a98453d5b7151a95ddf3bf0e7191bd13728c5ae

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
e61bed13f8e4477c212dca486c9e8707

SHA1
3b8d9df43eaba5fed5af8aca7cbe9b53236486ab

SHA256
8348c6a5323b2c570d27c037e68ba5f9824e025265b6c82c7c6cacb10c040ad5

SHA512
eabdf90205f7e63bfb48280e44dd6282722c66c890bbe0e8ce4ce6a3ae5eb65a2f5a1bf6f0671e9fd90d5da67b7c3b12094733589c90443e0ee9e6b3da22c40f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2680b45af340135fb1ea8d45b7532afa

SHA1
357bee49723fe08a24a2deacd63729467aeeec0d

SHA256
f1866bfec8e4257cb91eba9eeb458cbf47bfecc29e13424c5009367db8c8faa9

SHA512
0470ef10024fc0cf985f71fd73559deb739e9f2b8eeff4d621a8f8dbcb6573d3f40c168d03221381bc946d6df747bd1a8e2e5c3a756db0e3c5d8aaf5f37bb9ab

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aea5657589006c92ec20457be18a6da6

SHA1
4f07467717381aef4a49b1ac9599e02f8d6d75c9

SHA256
89c5c19cb1ab96b1c73399d8f64229f7b8a4ec1538f3cd45d9b22370230ddf53

SHA512
e3b411ddc8645e36f481f50fb1950396d3616f3807c3a23314475dfcd98a8b751e760e81c2758ad75060503e09a3950bdd1f33c3ef8cf6d55e4de60d40f4556b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a9854fb0b8ead30fc9d5d43f3df8409e

SHA1
d60554582998b502efd51ac2bb5d0b91bd518928

SHA256
7f62fb9cf75a7f02d9d771bba59604424e4a87fbaae81deb730a16169534d10b

SHA512
dfd5b5da67f0b6c0f04930ca18b97bbe1512a0985971cd5462328669f465f58deb4f94fe0f8a6fdf4acc292a4ad830dbd18f99b1a598461930c2232329ae01c6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b7ae5dd74f6f64beea15f5b6a4993738

SHA1
dd9dbf022b9daab5592b0c4784afd8a2ab79c5c3

SHA256
9f34cbe7fe8a90bd7b5f704e0ccf70b10930fb867bf12a65436fa481f5fbf7d4

SHA512
42c5ee92e13cd8b83211aa8d332092c390b535bc7c10e4123a3e8a99dff09c9250d24a35c9e0a0167b5942094d4f778fd4adf9dcf3f2a3ccb36e730856b76f00

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
da21e3c7262b035c9009726f19a7e618

SHA1
59d8cef8048ded73c25944713148b65c046379cc

SHA256
214a9a5b9cdbe94edcec4e2884b3fae2c820bb28434ba1da859bdc7e66a0075f

SHA512
2aa249664c1976052859aa42148b427e8e688778e25e192f724daec11521487bb9862dafb3c6589238bfe4ee5d771477102a5012c0b012e4e10496254b6e9207

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
344625a42280c41ae1cd17d8288e35d6

SHA1
b5840dcd867b0e033deea10183b930c866ac29b6

SHA256
0ea57ed17cebd1544722c767735affbabbdeabcbaee7344a3a989125efc36f79

SHA512
2548e7bdafde182a4aa1431ad962500834e889ebec05b0aea59f86697b9caebc9b54914c079b1cfea7b57e597d3723d27e2d48b8d49809e05c27eace675cbcec

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
c4a9fd648b8377fe3a26d891ebbaf9f6

SHA1
a3d2bbf482c0645340835c590d2e9d334405e577

SHA256
c5f77b6f64a30486c4783cdf5a2022fb450a762aad92119da05d27f13829e987

SHA512
0da7b1979205c036fcd577f79c36faab0e93dbbd6acab76166dd62f26ec1465cb87dccae021a3cbef0ca3b9d609e8303721cf2d35af072c6fc64d2f5dfad3168

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
50aed84ec8ae09480cd001c6ca8c4026

SHA1
ad5d603b01752f8cba008683a42d0da8267e4a86

SHA256
3c88101045365bd7e7771baa9ce3dd7d84e7422434298b4493761c82d1f4f7ce

SHA512
8c139a51dfe60d1da6c8f7247c1a29761531615a7fa36db52bde45248f0be4db1ef4743b3990ec00926bf82608209d4922148cb7c05d401ffdd4014342f1b5b5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dea02478a6c404995cd5865accf3c399

SHA1
7c8d8a018b28adfcad5e2a034ea26db7484fb7f9

SHA256
eac8d3fb621cb5167489a81ec8eb8fbbd5e821c0b89403753315d61060b3df55

SHA512
dced662de8c33868ed3d3ac2242d77c0670b2f90b350ab54e62efeddf7f28cce43c21c606b06720fb32d83db14c63968735c7338c5f454a57d9ae89372c98b48

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bc42e7982efb90223581c614538b5722

SHA1
5c7390e8dbea491d66b649f92835d42b0910a0f5

SHA256
194a1984b6bbfce0e223c12607718e56947ac0f1399cd2a10009c640acf26784

SHA512
ba44e532999dd2f71e175e337d3a1864028fa1e3c099819189a6b15510896431ba2790b2974b521fa7a0ec795549ef7448ba8dc6e36ea030d2caaf9775e4fd18

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f589bb92d0a5e5ec7b39e12f2c74a230

SHA1
cd893e85ad122ee677942786a81a3f5395ce1dbe

SHA256
0f651adf65ee39772c378f0dc9e19ec360453ee8d982068235378a4bfb676ab3

SHA512
a63b5139790c2e0e08221addf91a392603981598b1e673c6925e6cde1bd54de715eaa562bf158fa775033702c5095d06068353b390aec5022c68f90a1cf02078

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
33c2a6de8dfabd85c67c816aff45a605

SHA1
63d28877b0ed894fd118772e76681d095a8ca5eb

SHA256
f3e1e9575bc85a789445e025ea089dd98f4aff83db178382adec6e6f241f1b8d

SHA512
38a4526c227ab32f2aaef475345ad1dab4d268ffaeafdcf3e595f7687ec1bc9c3404681adfef7c948e4820c7460dd84542d7101d7973fce5b5879bf3fc734c87

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a542aab4e7cf458405f8727b6f23c71e

SHA1
315910fbaa205bad4f33a003bba93abea138f0c0

SHA256
7c27f02d765ef3d17bef9f504bfaac67920b7a377592dd25784f2aecf8ae1583

SHA512
e6526a0245f3f58fa6d9f7d872fec2498bad43b5d8c10f6495bae458bc055b2f593398a3e8ad8bca79c9eee9e3bb232a89a9058c16a6b7a41772cff42b2b4864

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a2cb2d66b504e97f3d2acab6ed9a941b

SHA1
86502b501bc38b782252731d27a25e107555206b

SHA256
043890ee38ee90639436a002334835b94f0227219920c459e028879d899baf35

SHA512
9a98407f32cdd3a2586d2f6fd89408381fc8d73bd6100382564a01380d0855282bfd082716048391c56e4cd97c3a9f3c3311e6e60b1f61de90fe5f4097328980

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b73101bcde441d02a38331b8ee9820c2

SHA1
96fb2a89e1cf91e738d3a802dde55e6ada9d146b

SHA256
349c23f24f53163376d3ee86111b4a6e60c023d0e1180478279a67a8a94b4e55

SHA512
850f971222eacc0ed3b2de8230a6d7bb2be2fcf758084458e5dfca9de3ba281663ea7eb55576e7c5f26ed5720b71da7996fc9edaf4778776759b272376193a4a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4e09bbd26a6070d40a204695e2d5fdfd

SHA1
1b82aa3c445dee4877ba28baeadb1efa5a41a4c7

SHA256
9e1bb272a5f2988741c8e43c9e807905c08f2663b61e8e75531c7882ccc41a9f

SHA512
564d405d21f928191cf3ac107dafe54245541c9054bcb64144fbf4b2e08391552c2d28c3ecc9bd69f27c2ad4d60c3c7acc15dc7eb6ed271785920612a50e1fd4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
23e88fd9bade237fda59b56bcc9489b3

SHA1
39ca703354e043a668268483a61897c11f434ef2

SHA256
46766c827a909a779bab51abb7d0e15c0b175b9729af696d4c9fdc6af7fd8401

SHA512
f4822de21e27715cdd5fa51d2630b03efc4d003fd9cb0a30bd4786e0269852eda6308cca474fa9124450eac5f3c606f5b6eb2c1912c1a6077b9be6f24057cb33

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
85556004640b9498e312717b8713d4b8

SHA1
0f26c333499946ba1bccc0936d879640bea456b9

SHA256
38e2888e44c5fcbfcfe683932dd4587f28912f22b83e4c04e6e65767079925bc

SHA512
a49c05b9429fa481f1b6f61182ea46fcbc7784b8970482c6e901125a667eed78f466a746e4b0d3dad0251c7f0e6e3f0b6e3340fd9b2835c51c82ca181379a58e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
33c8d748ce18d3147de2c0b561a3a54c

SHA1
18e1a7835844589ab130aabe79cae011ec5f7380

SHA256
26681841e179ef8aaab4710443ac9a77d7b6c2e8893444581dc388939fc62cdf

SHA512
c662b90be8776ac28aeb8a8a9e8c923d7aa474edb7526a5a39168b2d1b0348253c002bc942735a07ff4d9a48f3ab42f03b36c5b8fc4d276bd629dfce12891f79

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d4ca0efed232a93ccee336c4f506dea3

SHA1
e4238f1eeaea9aa1485bc7e4d97bc0d4a1f6e288

SHA256
34161f74dc2d86745000efcce550ea1f2e5a1f29f866e000e003a8679337d54b

SHA512
602d112a5b84cc6d47a2659e906acc2e256e48c927f94af835c7667bef72311e94c108e78cae9432f1310735ecfd7196dee7b34389cbe9acb4249830fff6b8e6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3a00be5e164eb89552c5d0fb3b6eaa13

SHA1
f1a6fbda3555d6ff87f4810199387479bb6a0ac3

SHA256
04a317761f4c5225f004e4163988d70ac696b870883d74e285dbd43cff35e1e3

SHA512
92e7f8e9c83d7e9595dc97b0079d6fd6c9cd80ca628b1b6028ec1a4cb448dfdf52fd1a89e14b66cd263f8e8f6475e68587f4e93bc10f4d8c6a574bd8dafd8646

Download Submit
memory/372-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/372-499-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/460-62-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/460-56-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/460-69-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/460-67-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/460-63-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1144-98-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1144-96-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1144-163-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1144-90-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1208-155-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1208-72-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1408-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1408-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1820-82-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1820-159-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1820-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1820-76-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1960-144-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1960-33-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1960-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1960-39-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2796-0-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2796-8-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2796-318-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2796-71-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/2796-9-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2796-330-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/3192-496-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3192-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3416-103-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3416-104-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3416-167-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3416-109-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/3468-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3468-501-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3628-117-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3704-169-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4264-145-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4568-492-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4568-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4768-26-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4768-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4768-17-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4768-102-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4776-491-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4776-120-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4784-14-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4784-101-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4816-500-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4816-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4836-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4836-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4836-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-147-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4928-493-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4928-148-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4980-121-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5024-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5024-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download