263a54ef92402be68c02b10fd053815b776e8d24d1088b941dfe9da452a97b64

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
Size

1.3MB
MD5

0249a95b48a38a775bee55c84245d5c0
SHA1

c38a4b9b5778a16ef3e7ab9f2ef8e1c29c3509b3
SHA256

263a54ef92402be68c02b10fd053815b776e8d24d1088b941dfe9da452a97b64
SHA512

119c060cb9bf4fa497fe14298e277ba4e47baf1df78e9e9111d1ebf12cc6fe98485f38aadb0a75da84fe41df191091bf197790cb8b17fa46efdeb4be472bfe66
SSDEEP

12288:XQ8Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:A8sqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2704	alg.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
1216	fxssvc.exe
4204	elevation_service.exe
2772	elevation_service.exe
4012	maintenanceservice.exe
4236	msdtc.exe
3512	OSE.EXE
2308	PerceptionSimulationService.exe
2384	perfhost.exe
4420	locator.exe
2996	SensorDataService.exe
1212	snmptrap.exe
2388	spectrum.exe
1216	ssh-agent.exe
3192	TieringEngineService.exe
1208	AgentService.exe
4596	vds.exe
3984	vssvc.exe
4984	wbengine.exe
5000	WmiApSrv.exe
4100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\108362efc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077e06756e7a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fb77f56e7a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c304ad56e7a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063271157e7a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe
3236	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4728	0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
Token: SeAuditPrivilege	1216	fxssvc.exe
Token: SeRestorePrivilege	3192	TieringEngineService.exe
Token: SeManageVolumePrivilege	3192	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1208	AgentService.exe
Token: SeBackupPrivilege	3984	vssvc.exe
Token: SeRestorePrivilege	3984	vssvc.exe
Token: SeAuditPrivilege	3984	vssvc.exe
Token: SeBackupPrivilege	4984	wbengine.exe
Token: SeRestorePrivilege	4984	wbengine.exe
Token: SeSecurityPrivilege	4984	wbengine.exe
Token: 33	4100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4100	SearchIndexer.exe
Token: SeDebugPrivilege	2704	alg.exe
Token: SeDebugPrivilege	2704	alg.exe
Token: SeDebugPrivilege	2704	alg.exe
Token: SeDebugPrivilege	3236	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 5604	4100	SearchIndexer.exe	120
PID 4100 wrote to memory of 5604	4100	SearchIndexer.exe	120
PID 4100 wrote to memory of 5628	4100	SearchIndexer.exe	121
PID 4100 wrote to memory of 5628	4100	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0249a95b48a38a775bee55c84245d5c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4236

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2996

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3184

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4024,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:3408

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5604
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
26b4535fd027b00a4b2145d8766d47c2

SHA1
431fe1ed85bce496c034c9afc3e274eb85049320

SHA256
ec9cb108efb05aefbb0caeed94311947fabbd9dbe69ff4fd20799f9461177c0a

SHA512
fcd02b235763f4dbbca2c176bb2a718c39e7e4a6dc8a6ee11c3f32241cb2a510d5cdd94c7101929612ba6dc21d9215d3821d37748424058b8e5278aeb53b9601

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
c25ad99f3420e0a49e30295822e6da97

SHA1
01e369d6bae896e3dbd3c2cbdd244d6ed1891d82

SHA256
6bf1d7c3407b105c9ffa5a7d98544271f16e950d87cb8234e66208a3b8a2c7a9

SHA512
f917c2fd58d5365d3c4cbf1f62d84c68c966e5fa064deaf5e0355a9a2c117c138ee7baabedf1ee3f8341268c85b494c6b39e70f2964a277af923072dc11c8984

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a458148027cb9b1257b73ed753478e97

SHA1
e17912720cf10bbc136944124cf15167902d3d2a

SHA256
b05d26e46eeeb792de6abe9ccc37b2885391776ab7db29e59450e0f477304d50

SHA512
429750a73b6348daa4eb5fb2c6b84457952b8cccdfa06437f6bec55ff5bf41e67e84798f7ef3adf62e25b8bab19469821ca3fdb328a7e74c561a11f35aee77f6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
696c71d28e8a5d8a1744cbf86e36be9e

SHA1
1eb108ab8ef5edb1e5d21deac7f7a3af0ffe7a8d

SHA256
d109c883fa05beb94e909515388319098b233dade900bc73af2f07c4799436cd

SHA512
ec4655f26ca05f0b665f5a8fadfab761725499bca77f53d2b7003607d72d2d62956afa3115a88aed6922350a2ef75943d5ad2dceeec75b767a162a12e3f8ce05

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
e0b303b4107c14f67c75da488152b874

SHA1
c75d60026d6bc51bc688c9257286071eb4f62d91

SHA256
1bf765b95b94b45bb3b505a1660c3e3b49be1202bec7523279deccd73d74a5a4

SHA512
98b33d48c61ea098dffba87e30fcf827eb5eff9b71fc4aab41d5bb7d02d8554b0a4b4500af9e40db003544f439a9c916f51c725f101a837b8a30f6540229b26a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f2f89f9558f21de3305ae80215a1027f

SHA1
a4eb22f34a290f084e1df45ada723491b724db15

SHA256
81eb92684264a138fa5aab2436689db35edb1f5637514edbb722fd357279164f

SHA512
f093793cdb83eb872b9764500dd9910df5a32784bb20dd4e1f06cd072b154657217fbf4a72f588350f871fbbad2f0db8b2b8ffd54ff5a97c30e91f866d7e0c65

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
cf6d3b025c21a5ec0320013d5cb3e59b

SHA1
1b4c2b7161e6c858fa80a826083141db6c829cae

SHA256
50fb8433e9792e421ec7e6cd194b7fbb0c394cea0085f0f1f673ea9256fc95cd

SHA512
bef4e2b289d9f5f17e1519b31c24a063e61a772869098ba46ff19a17b46a5d5625707c448f2e982619554c6061b61f24562a5b506a4a9b13406c73b497266304

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5ebc4c03da8dce7ed2a9fd458767161c

SHA1
f075c7c56acbb06e630c3882a024ea651267035f

SHA256
d0ab4d2a2c303c6d7b58d5af02fb7186f9c840327dc3c0b8887b674a8d57a2f3

SHA512
a8c64114aab72b1ddb523fbed5f4ad0f2686471f56f78364cc44e9641c43c31f5a8d3418351da8c3f6b339adfcf1b389c3b229ac53c1fb5b003034675f63c3c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
dffd9023979a5effe285b056fffd4633

SHA1
ac39d9c6c783fc18068c3a2f50a11914d18b620f

SHA256
74fbbabd01e6ef57f2ae7189537161efb410a5119e40e75f0f5c7e2ee0ddad03

SHA512
429a1a6196c53497004f8022bb25495f265b17818647bf41b89fcf9492e15d3ace64c8b979e43e0b6ae4bd4d1b307a07fe5d9d5c3f27d376482cc06f448b14a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
a082a8273f6871e091dfe46b40ae0563

SHA1
b5078c28446c99a5324f6b6e336d6b83b36567b8

SHA256
32813c70744b4688efebd5b582a7cbe49a6b1a1466252d385333c233815b46fe

SHA512
ff76af5d0b801cfe7544b9d8b1f63982c53f7e5dc860c3fb3ba45e94d1191e6b298ff579194ef8470205c591da8d22d9e5d87b2a64f2a8fd1b61fcbb1370633f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
3a984d14a029a759b73c555f1c5a201a

SHA1
2864dbce908a3cffa683188e5dafc1c987224671

SHA256
b828ce96f4661b1ee4a495c8ab2070ab6c12b7bc0336da7d9d7cfb798bc6cdac

SHA512
2b140056a04a0519cdea8d0062d901b0cf46ba7327428cb1d82b469d020d0e7260f99e4c632707be20e6fe658225c8c912a143ad97f830badd15e5397faa7578

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
07e7f71da51bb1a9c3566f118d7de2d2

SHA1
378ba65d05e7329e1954eb07b1afeff1b5ff4c12

SHA256
860f96baf9b3670e9122f24f3eb53b9de3efa45f72756509ab8e059b7c7823c1

SHA512
63e68d368ca1c8999ffa38f3e3596b3b6f6c8938e811b64ffa9b85001a5273cfd3ee62503d2a341c42576d8698cdfbef70bc5eea181f58904582d5861a7f48e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
15e0d6f2ca730a7c1961bc3134bac6de

SHA1
34a8f0161e0e6968b74818c1c4d953a668c6eaa5

SHA256
8c2c39dd4b10f45b4ea9546d5e1fc623b01e0b1b65b837d74ba7cff827058cf3

SHA512
032d0514dc0b1f5c67855a64e9dbc2fb1e4629e56a9e7a6c285cc9d6d18bbe518db7b4974923d8c4ae1ea6bd99c1cc874e1b34ea77bece766cd477bc5ebc50d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
e7f1d79c26b1f9e84a6b970d3eefb9d9

SHA1
f188368b80f2081ecebd5633b14803ffdb03bce4

SHA256
44db01774453dd26415a64a19c2e81b935c6bcd3de32de122f9ae7029c845c00

SHA512
d58803958d5e9a8b0b47a165be707632cff1e1b0567a5d01fc2e82ac7a008364011033e6ed7fbf609bf9b00301e92a144e3e5b6f80ddf4940a89935835ebc474

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.3MB

MD5
fabfd66bd7ab146bcf918dfaf22843bb

SHA1
f359d46464de16613b2e50c5aa35a433c64cd581

SHA256
9a611bb4107693311cec6b43145e420ffdcac6f2a03e8def1405910bd931c5e7

SHA512
d29debf5c61386ca9168541cf8ffaecba793c9cc5efced8aa104c84f41fec6f7cacd772169287576984d5fdae44986010899294ed45575642c5f226532c9bd5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
1.3MB

MD5
b7c0d940cd78734af2c8c9a1eee457f7

SHA1
1f821662ced2365c39fe48cdbdfb4dad9ecfc943

SHA256
efca156443b25221e8990bd651c93a99bda5f0bb1f0d435b37c2d4ccfdf4f273

SHA512
73f1a4684267dd5f802241e1860384b94e4346edeb5dcf0089fc4ed0e0ae0ba4119328eac4936637dd819bfd2d3cc1645ea4583ff69c3c2d23914bab88ff6d5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.3MB

MD5
9771aef85fa0a615efb7fc935437c0c1

SHA1
037612718e906494eb109940c4d83dc78f2c59a4

SHA256
9932c6471ef58dca348c162b47f04979c8423f48fddc53cfbb367c763981238c

SHA512
c2cd95daf0de9b57ffe893c1d5af26bb92983085220729fecbebb12ae33f8f20956404acf10c6d1b8bd41a5c42bb66e6557cd42a23b7ae0e1d2686359405d6cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\kinit.exe

Filesize
1.3MB

MD5
372c8085904fe0d8184599995a485266

SHA1
31a6fb96094f73209019aaac6e8f9beb125579ef

SHA256
d6eb9ed355a4fbf10ffc3fd75cef32c8b06fd078163b7cc886515ed38dc3dfc1

SHA512
44a0d816bdc2c547ebdc46385e4a687632dcb886663f19af1e8342c6eaf9556a5eedcc64fc8925fb81f4a5f85c967d55fc72883406682f77e955c53945153b2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\orbd.exe

Filesize
1.3MB

MD5
8c908aa1e10864e0e6d09021e5d69513

SHA1
ded32804b459e51389a659a0999193624664c365

SHA256
30c32b59fed509149821497cc22754687f58af4e13fbab20a661b65c33f70093

SHA512
c224b66e8b8322a38a42ae58143e89c0c6df4651268ebccba4da23ea2dd30a19a13be2b0eefb63442759c4bd19f6840ec3648018bac0614f872bf1e76b7af58c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmid.exe

Filesize
1.3MB

MD5
646b1205c2886d339c17499231bb582e

SHA1
bf3e6a148919beb394fdc2c9f27a365f9f1741e3

SHA256
020c5e003397cec6ef9c8f5e4c848d8827ae41c1f5194b82ab268a65f3e4f146

SHA512
014517080122d9b53597d7bebae3bae55b39b2d0b72819f46417b06c4dafa05d8593d094150b8df60a68c133f399f7e5db5a88dab8c2be86570fa9afcb94188e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe

Filesize
1.3MB

MD5
a4ff0317e8e171c6df94d276246f50f8

SHA1
3e32a46a08bed579d86d2f95789fb406f21c7553

SHA256
691279ffbfd00018da25cc39c2773329f8364c062469d4c083cefdae11023d0d

SHA512
507f1a434f3eb1aa2e42eacc7dab98cda1e25fc5a86f3312bfa1e63bc35506cabbd5069b2ffe75be7abb90ffa838e45753c8d0ee004b2fd26b354c6facfd397d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\serialver.exe

Filesize
1.3MB

MD5
1cf58d3a5ea53f5a2b68272bd2e6a0e5

SHA1
7e8f23d262a7e56449fcf68ba541ea6af3dd0acf

SHA256
00fe3c625449509abec919a5a06b4ec324e739f4a33c3bc56c55af0df4a33eb5

SHA512
67d492f72fe8fd0203db0d68b3c3d84fb2e090cedf2e511dbd410e4cd6ab65a2168c2b88bbaa3ff670cc1db563f44a6787b7bd82a4488836264ce543310f6ac0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

Filesize
1.3MB

MD5
1a4c5b7eeef896667b283e49b489193a

SHA1
5bf339cd897df062d2a59484453c000cc99ef4b8

SHA256
5a2a3e5681298be7cfc4b555b1ba0a7344c296877f2ab6d1a6ed8a502db452c6

SHA512
3fd08f4f631c4da9a33ba35b78ec4f143bc78498abfc83da380feda38a80edd381a4dfa92253ecce69abaeac42d9306f041660279f64b8e572e6bf60c64b5004

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe

Filesize
1.3MB

MD5
8d5561caa5fbeffe529b7e33d7cb2e31

SHA1
429b5eb54271c09bf034781b49351790f9e0d6b2

SHA256
cac8a0ca51a0becf3691e399a714630f87e1781536d7df062a316ac39b113065

SHA512
e16d58fde1bc128e4c14271ebf92586de681312ec5d790877bdbf66110bdf6e51772da3522a1ace545d0b9ce0a14b981c1fde43656674dbe9e8ad0ae68206cfa

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe

Filesize
1.7MB

MD5
168d23ec270b3e1604676a8beed639ef

SHA1
42bc9b17debf446a674523e03943093105ac83a8

SHA256
849a9b0c54c2632cd8d0a1e047e53158d583fec31b3f06104f296b650b7f9340

SHA512
def5de3d6b1358ac62653a05a8fde256daea0bec4cf2825caae9e01580b387d98a2fe9a4da79239a18d72d75ded4092c25635a9bb2477abb3937f5187b6bd333

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe

Filesize
1.3MB

MD5
c66edf3d8b1261c03bfbb2b4625430df

SHA1
54f65083e163b81f14478e515695a5b1c4c02811

SHA256
c099f0ed46cf4205299e31ebb9d9ae4e4d6f40bf478f56b6dcafa1e72e6ee18f

SHA512
86e631f206f816325ac7163c9dece5f2a595d50d9e991691200b0d55c1e2520b3fe7687158abc19f9c45941e7bd05aa3d39d65837e38adfac037ca29c76b6c9f

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe

Filesize
1.3MB

MD5
9b7426311619ccf7452fa35ac962332d

SHA1
7d403be30694c52c0ee9174ae6c3f6d8070ae052

SHA256
3a9cee705c4aa19ccd9aa0075ca688f360567e35d93e538a11536e4cd8ee4d87

SHA512
c9ef1dbb5a7f22a5ada998437e53120335a6e630c1c6f612fc0b00b5e2975cbfd753dccbf2228e5235b413b8288d086527ced66b0c4e27ba7bc83850a9673ae2

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe

Filesize
1.3MB

MD5
918da206f52af5ac34609849418b1973

SHA1
ec006bdc0caae1720c198ada2008231ea7edd5d9

SHA256
3fa61196af45bdca4e02714f1230e9b6d6d4aded978d5f852c514085f2e478c2

SHA512
e2a1ef91425b16f5b4b2ceb3b6d6d9391b0b79832c5e1ddd5a1e7f5fe6dd5a3753c7d1e38ee3acbe419fd186806b6d5f4a9625eeda2c5774a93f0d11f9c328b3

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe

Filesize
1.3MB

MD5
4a95eef88020772a81498fe16ee2ffc8

SHA1
a4e413bd4016adad715938fd848274d5107d9e6a

SHA256
3161b57f510386fcdf6a301847533edefd6017e4107c21a58134eee9bb405483

SHA512
ccb22a6572020ddf12f8dfeba75aec20bc813f12676c650c5117e3f7e3e55a9edf976202e3c0fb97c1f0fce4f3eb1377f32e2bf233ed11d188c01a1a7a8c1c18

Download Submit
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
b032d387a2f4fa9b5cae9e26fb96aed6

SHA1
d4c457f0a1af029c762a6d32d0cbb00df7fa8582

SHA256
cd7b6ae8be65d06a1382a594d196fdef53a4d3d45c1a05e7900d65f8dddb70aa

SHA512
149f5c83d97c2a4f279aea795afca7b97a0e756271e923580aab6c393b89cf65fe1e8866519a1ad842d85c7d20f226b033a59498308f25ab0a7afa6da52c16e5

Download Submit
C:\Program Files\Java\jre-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
d37965095cad34ce56cdef70bb4a92cf

SHA1
2d6d37377e3929e3866dd81197dee132fe3f9300

SHA256
98c71ad7e463adc04d47de7c7df24cc6e6aa7045eca45aa5b04e86e64dd648a9

SHA512
5ed645615ffed71d36bce3fd63421ec082a0ca880f3ae670e8ddadc901653234e6c98148778bdccd10e483d7e74457d96c278f4f54331ecb1451d688d4ebee73

Download Submit
C:\Program Files\Java\jre-1.8\bin\keytool.exe

Filesize
1.3MB

MD5
d8574d09d3fcfa1282b99d92beb8f540

SHA1
b53022e0bf10ac2daebd47592155b52af9e1ae7d

SHA256
90dc35ac15ec94dfe8d236d1d94c4e809cd732b9318a5b8a33d3e320239d848a

SHA512
90d5c9615dd348396759f8b8fbf13b1a341f77fc1207728cc0c2e0412cb90269c9fde8640ed3effd5c3538b2c3150b5c64bee80f9aa3ae0055cd5d4b75247f98

Download Submit
C:\Program Files\Java\jre-1.8\bin\orbd.exe

Filesize
1.3MB

MD5
a2c5dc8b66d141a5a03436fd94917a27

SHA1
6db3581b9dd3e3153e9489c236135dcca18eb84c

SHA256
bf64b04291f4db345e549e4c89ff7f583ed453666b866373c3f56d598d21256c

SHA512
974cda542da12d3e5e0e10b18d8304df1950f0e1593b5bfcea6476b99d60449a8248b74028347dc17dd0963475922f6824903b86a70d1f336749fd0dffbb5921

Download Submit
C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe

Filesize
1.3MB

MD5
3cc1eac04ff49c74f402e374d52836de

SHA1
efbd558e6df4ab7e81d832b2f57a26442e896277

SHA256
8eade3acb7b53bbf95127ab9059a0f2d8e4728cdf7869099d530a47a2dba4581

SHA512
196a7f4e2b4e814240f9212289e5407057a9688ad99f6124ae9be982f1c5c9008c954be72255efaedb1c51ca64f12d8882e7501b932e45bd32c780aec52398ab

Download Submit
C:\Program Files\Java\jre-1.8\bin\unpack200.exe

Filesize
1.5MB

MD5
46c02d31531170c4fce2d40b508e2336

SHA1
886c4d09e4347cca1de5faa8e99b5cc327436741

SHA256
201a64ab80204b20a35acfbf53d00ea2aebd043c4a36b55b0200a23d91f3fff9

SHA512
483294a4aedb4991e4d4544cea65cf51698ce63b4d3051484382ff648c8a96cae2fa4223d89d3e91c18da152a6f58a4624403f98b43772b88bad6ba0bf1a4472

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
cef4abc5423469f033500adfa36248d0

SHA1
3fffdf2318ccdf806a12eaa9e506f3249aa75388

SHA256
43c1cab32d50a7062a09c4e95732efe9519830387605bee95221057f556541d5

SHA512
9c74211315dc4f180e4eafe20ca64563e0f0d14b250e2a14992be2891ecd8e1dc63190d26bc1cd13cdc700002dfdee447290d0d84bd63559c425588a27539f04

Download Submit
C:\Program Files\Mozilla Firefox\pingsender.exe

Filesize
1.4MB

MD5
7149336b6985b3702b1f6370d1bee805

SHA1
e3512d7b31cac45382fe7f901c8185b3eb53a74d

SHA256
35630825cecd134592116d96b20089a6ea5ab16c998f1c60c6d63c8c42f95e9f

SHA512
c114f62270ed398b93f1c959bb8da3c33fce042b0dd0cefc6f98664178cb5a4d20b47a431058cb4831e7935933267036a0504e35eb5f0ebccc38460b3d0b682b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
24c45c9a74080869af215a96f9d9c694

SHA1
06bcaf071acb96cd745152b11a955b1113f9be5b

SHA256
ea7b4c3a24ccb6a5468cc2557cb8b5f2c3d57b758e321de82832f4197b24edce

SHA512
ad0c999d3c65ee246c8842307764c3db1677fc34b112d8efc6c2c4b22ed06daf1c21adb128bdbf45e3dd46718754ae234df39ac0175ac6ba702cc3cdc45ec96b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
aad977b2213215564d9779d1cc730498

SHA1
c9d7c1cc533996d3d92566f2017d982187ada622

SHA256
d9367482354769e9d46304e0efef654bf391823c2a1628ca0d4a71f27b527ed5

SHA512
dbcec4f533af5673c367e308b2b08ab18f2561aa30a721c02546ef792a7975b27044185c2cd931cb234d12237c8f2f84718a9ed277e6923df7b9e1edf33baf4a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
ecf35dad6816014b9091ab2fd9ac59a5

SHA1
abf186cfac875fc257242e84fe1b64092bc6a82a

SHA256
5d2ce16f834f91b419ac3e75e092720c7ac3167ac6351b82c3331b784f9a2b2a

SHA512
bc068a6850cf30d99abaca6770f07983f6d34dd73567687caa44f3e87f572a760c85a084d5ae79339bd50b6206cb8401ce31aae8e46e78545fe1b1d7679b740b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9a49be331b2d2c96ce16f7bbdbde2ef0

SHA1
2a2d1176c80039f2a9d962954e9d2e72dada8986

SHA256
d2dc5773195285abddaa0969e78511229c9208fe961ceb4f565dc0c026f93d50

SHA512
acce3a651ebf6d2208c2ce2425e553bb88f8c4f4fece2ae20c685650c502c7931a0a73281b08fc689bc934db04488213d946d3dc8344a89f913d96d426d9cb52

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
8a5db521a0d369ce024fb54fbd1ab73b

SHA1
58f72887bf30841fccf9416a7fb72b013058f012

SHA256
2b7d60a94a6b3ee1a569ea092748ea4b29e690c2a5ade57cbf245d09c9a77046

SHA512
0f2bbc604de2dfb2d31605c6e16720f09a05cacb80091a0d6b44d79ccbfe1ab416889a57a2ad7ed40d1a39f35f4d67a61677a995eb87441893f97a64e9afbf53

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ee0bc06822fd809c77506854eeb12be0

SHA1
ce2347feaee7bdc951f810cc5c9dc83d7c47e9b3

SHA256
1db280fd765f411cc7f477c5dc4c4810d03fe82214e181a9bd72cd1f11493719

SHA512
2bfb065d18c0a70259085a9678c0b583cb65a0eabf1edfdb86be7c09e54b777e66465c078e16c01417a1388a2c96efc5b7b96c3a48de32fc954564d5f4c02a73

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
872460a27ee4125fb9ed3056aba17803

SHA1
c1d44d1a1b23c37a160c07899167a2aff8dd090a

SHA256
db15047a8f9a4c30f50e65d879835d57f84df79f93c65561e5122fb2aa77c3fb

SHA512
dac3844da3379dae38cef1d95f13350570f345749944876a0e6411ea5c5bd2cf725ab3d95f37de385425620deacd7519669ad880a97dbb03ed0b060753395c95

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
2e1221c18205bbd1bd639f9ac515d8c8

SHA1
6ddb53328dc591dfb66eb2ba8a8746478b7834f5

SHA256
06471b0568ecb805f20d4d8ddbe152ebd55dec7d3bc71ab0a067508448a1e613

SHA512
6c8ec3ea022bfd9d6200cd7d7cc16b35289127f84e2860f20adb5c856ac5c5cf535f8ff37e5e5ce6ee2daf32c1c2544fe0a38c2b16773c3c378225012a0bb36a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
d8d1747670e5618b545b07947d93ef6d

SHA1
c50b7be750699d3607f92f2852f3583a40612e8b

SHA256
35ccaea6c97dc2cae6f6f6ca70e46e460c1d946ee3d798d0ffd919ef66e40a49

SHA512
09377a87f6de74cfaf8833f9fa7146dac8681bd273061c9d1b018e903b59f7d635e117b1b46708b763ab4e0c2c88c548337ece464787df304df16fc150433ff8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
464af4188ca5045329a648d6e3d900ef

SHA1
ab9b8990ef5f11b740e992b9b7238ee048a5ac14

SHA256
1f04d6763b58f729522a5e5f1edf3dc3615f068f4b85977a03ddcf5f61744af9

SHA512
87705438b5ee31b17f25d0029245fd154b0ec525b05ae255d9dc5cc02f43dc95c1f9f0d0740fb7d819f212bd6478b33c73d26e857856fba701e99959d228920c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4f4773c7169838e11c28d1a5a479dea5

SHA1
f806deeb7848f434c39828dbfe75df142ffb17e1

SHA256
c0ca35c5aa32aacc62b95ebe583f409a871fc4b445a6e49820ae108722d2d645

SHA512
09facb392049b53df8ab469e099c2f7f72fa2f99f47c6c7fd46f44776706483fa8402114f78c60f026c8f8e494c12c50730010db3616d585067593965b99693c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dc04ad8f341225f6e99ed0c8f8923c64

SHA1
6a17ea75f65812fb41cac85d8992e7978a7874f3

SHA256
11e9b629d3bcf4e0c417f2fa061b5093884ddded2b9dbf6b29805ee0c9c5f7a5

SHA512
ca49821e0bbf014f2b3235d447139f22ead6e1d32f05bc6f7bdadb37398a52c1cc6e848b09173d865fd8e4daac4bf63857d270443cafc6c8ac1a25ac8fc9a8c0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
2c4461368ad5e05e759499b4f39b5c3a

SHA1
08e933827259f6fcdfd19921e5130810a62088c9

SHA256
fe7eda665e8a577484ed23e8b7656a20fcbab28cb75cc832e38d4e0b0e38f0fb

SHA512
cf5a508c5fbe85784e36f0cce0b7710725b4928bfb0a3a0d13685f087e28082f906be1e6d7152643106e3c0b0badee382e7cbba123875c4780d37910f01b975f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ec0121425c2246d20b711a6b7e147df3

SHA1
0f3ba3e7a6450e6002c9418f1d7de86c39653dc7

SHA256
34947785bf0ed6e031c15e4d4ac1300f767adbff0f891500e1d64162c68da95d

SHA512
12a019410a9334145bfee504a7b613cd7f28c9b48ce9b9729697d80aae4d4dd3de52af624ce1d58507d972b3870502d9f05040ea24a1212671bbda2c76eea2e8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
196a4172952253bfab793029b5c9ce00

SHA1
96f5f78bc76995dae8d292d9ed10a12edf4f987d

SHA256
f75daa4a18879a609c45823ce9c15e137b0ecdb2df621b558f92d0b6fa977737

SHA512
dc6edf01b3c303d2e65fdd77cf0faa32172bee74360811d64378cf337011002a78edcc491198a89e996c04fe0ff8e69af6df174d31ad8ff08d80cdc18006d60d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
32dd75b545d774c7e4b145f77593554a

SHA1
bb7b12c0d6deee90d4b3386d0a961a73d2619cf4

SHA256
46ffdfa4a2d60713a32f77c7a62e924871eb4ed48ac2a9f9bd16f48f06e3d166

SHA512
7bbbbcf6b2a0cd40f76f86605aae0568988547c0b8d8aa2dd82ef53284bd060b8bb970988451326b524369f735f85992e558cc0d4c0a509610c2534f179bc900

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
b8cda3b7afac40d0e51246b077872678

SHA1
a82432a1034b4902bdf5f2fbe7f4da760503c818

SHA256
5f1743406003553533e82241fbc406ba7eddf39dc418d1100eb1e00183a0df97

SHA512
c9b236a13b4210502f165dcd2ff2efb175800e9d92db3d2880ffe626f57484c2ae7c991c35e7537edaa57f6c0cb6395fcb66b841d0b9b8f4895410d5df6ed1e4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0def35daa56e0eae75c47abbafef8246

SHA1
3ccaf4a07cb17c1c7a1e0e29261c95bbe1225276

SHA256
edb8fd6b1d5232df30938564e4340c5724f5c1015b75034608a0ed5166c35a11

SHA512
0f4ae7b9230b51e00f964bedd22aaae46c89fc59a4950b96556b3017c1c042b79ed349273fd0a0b3c75088d4797d1123b88a7b8c9ffeecec94ec581103375f62

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
6221f671b6247706198dfc043d1d8d45

SHA1
7a2b299b17d6d5c86d601ee802a0c4801facf855

SHA256
823311c62202434b2f0a1f1d34d0caccc5c8d86e5ec482a3fc115ed50db7bddd

SHA512
7841cc8db260148a5bd9ecc7ecf93baad8ad0159ba933bd8cbd42253d3325ecf3b65a8cb6cfcea75f655ff2441b84671770f31e8136b23d37464fe4085fc82b1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bed1fcd6a167a6efaffa8ba8df62cecd

SHA1
726b3b44671ff0a5c527b68dd29420410c23e33d

SHA256
c24f188d8844e202de909e5dc9373b5bcab32bfe7af7f0313884937a929dcaa9

SHA512
d8e4b1cfe37c8d6d0a1d77f7314119b2b2a3d2d4869abf96e82e13567127fe547c4b9874a4d00801f505372e3c26b4b0f12031179b0117de54b227184a14b832

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f265a43e371927cff677f149babacc42

SHA1
e1b0c754380368a7f076dd6e17c8b4746a1ff75d

SHA256
38e8f8363fb5dff8ed1e9a8c655685052a55a5d5071bd0517a4a029933ef2c13

SHA512
8a4bcfe8cc273d462628642abb773cb2b65b17f372e76cf918047a6429f5dcb9cc16bbf8ae2e05d06f507fbc094628380558187a5efa2444331003bf55aa1ca3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
ea3dcd030b5fb11e79a9bd141cebb048

SHA1
d39af124de76002c92b76dec9f05d75cbd63dc6b

SHA256
9267e33dd2cb7e760d68fbc92d91ef4279d4b0eee8a4aab9875a34d3538cf3fd

SHA512
c0d2a065dc99e42f008cc5e23ae5644838eb0495e16052bcbb69566098f00bbad576d19fd58b335495d5e808c2d92ddc727526c49e5483c9c8959c2a087a1eb6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
0a7cc5be20e2cade8fc97a7dbcc022c0

SHA1
79711edb756c4bd9d89f8cd72e951d49dcded94d

SHA256
c1ade073c83f62675297c3436b250232e05d2abda3ac30e37b119af2b469021a

SHA512
63d5e80808a1c0fbbe46d7561c50a534fbe757746380def1f0a00a7a503c3b3b46f529438211ab3f0d0f3417c498184d481f948118ef7ded84fc06dc60bb3e05

Download Submit
memory/1208-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1208-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1212-154-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/1212-443-0x0000000140000000-0x0000000140153000-memory.dmp

Filesize
1.3MB

Download
memory/1216-496-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/1216-187-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/1216-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1216-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1216-45-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1216-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1216-58-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2308-117-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2308-227-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2384-128-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2384-239-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2388-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2388-495-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2704-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2704-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2704-116-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2704-20-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/2772-186-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2772-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2772-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2772-71-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2996-494-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2996-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2996-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3192-198-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/3192-497-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/3236-34-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3236-35-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3236-26-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3512-215-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3512-105-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3984-500-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3984-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4012-97-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4012-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4012-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4012-83-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4012-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4100-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4100-503-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4204-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4204-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4204-55-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4204-50-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4236-98-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4420-131-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/4420-251-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/4596-499-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4596-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4728-0-0x0000000010000000-0x000000001015C000-memory.dmp

Filesize
1.4MB

Download
memory/4728-74-0x0000000010000000-0x000000001015C000-memory.dmp

Filesize
1.4MB

Download
memory/4728-1-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/4728-7-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/4728-6-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/4728-354-0x0000000010000000-0x000000001015C000-memory.dmp

Filesize
1.4MB

Download
memory/4984-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4984-501-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5000-502-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/5000-254-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download