2cead8246c192b91485734f55f3d4ab21d9eaccde0cbe135ef51989d091b7627

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 16:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
Size

625KB
MD5

19fa33e85c5126b4207c76750f5e2370
SHA1

72b6123a42783a6e7776218cb7332a3e9ca796c2
SHA256

2cead8246c192b91485734f55f3d4ab21d9eaccde0cbe135ef51989d091b7627
SHA512

d5c918d94c0f72753ddfda756077d5d5f0949715169b52a7d8b0ec9f22279a4e9d0e04918bb6edba7c186396d2c5334ef98908cc52af65ec82b6d701205f76a6
SSDEEP

12288:p2Op/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXREHa:gQ/i328ab4F+rM/aXq6bJfBUam6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3196	alg.exe
3912	DiagnosticsHub.StandardCollector.Service.exe
4516	fxssvc.exe
4792	elevation_service.exe
4452	elevation_service.exe
3300	maintenanceservice.exe
4524	msdtc.exe
3036	OSE.EXE
1484	PerceptionSimulationService.exe
4348	perfhost.exe
1848	locator.exe
2784	SensorDataService.exe
464	snmptrap.exe
832	spectrum.exe
4456	ssh-agent.exe
1488	TieringEngineService.exe
2332	AgentService.exe
3160	vds.exe
2620	vssvc.exe
3384	wbengine.exe
1556	WmiApSrv.exe
1404	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8a289fa81ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d434b32bbfa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cc2052dbfa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003120bf2bbfa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d81e02bbfa3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099fc1f2dbfa3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a4df02cbfa3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006571352dbfa3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3912	DiagnosticsHub.StandardCollector.Service.exe
3912	DiagnosticsHub.StandardCollector.Service.exe
3912	DiagnosticsHub.StandardCollector.Service.exe
3912	DiagnosticsHub.StandardCollector.Service.exe
3912	DiagnosticsHub.StandardCollector.Service.exe
3912	DiagnosticsHub.StandardCollector.Service.exe
3912	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1884	19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
Token: SeAuditPrivilege	4516	fxssvc.exe
Token: SeRestorePrivilege	1488	TieringEngineService.exe
Token: SeManageVolumePrivilege	1488	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2332	AgentService.exe
Token: SeBackupPrivilege	2620	vssvc.exe
Token: SeRestorePrivilege	2620	vssvc.exe
Token: SeAuditPrivilege	2620	vssvc.exe
Token: SeBackupPrivilege	3384	wbengine.exe
Token: SeRestorePrivilege	3384	wbengine.exe
Token: SeSecurityPrivilege	3384	wbengine.exe
Token: 33	1404	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1404	SearchIndexer.exe
Token: SeDebugPrivilege	3196	alg.exe
Token: SeDebugPrivilege	3196	alg.exe
Token: SeDebugPrivilege	3196	alg.exe
Token: SeDebugPrivilege	3912	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4628	1404	SearchIndexer.exe	111
PID 1404 wrote to memory of 4628	1404	SearchIndexer.exe	111
PID 1404 wrote to memory of 2876	1404	SearchIndexer.exe	112
PID 1404 wrote to memory of 2876	1404	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19fa33e85c5126b4207c76750f5e2370_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3300

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4524

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2784

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:832

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4628
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7e5fb25d0037dc81ee78e4a2301e01a4

SHA1
a156761ea919acb2cc56cebf29597a1061e1f252

SHA256
a885aa3d0627f93b1cb9f6c220d53f677a0928ddb968605af181b3c1d5ea2f38

SHA512
6393ba96422b65a10444e6c430fd0bb561f71cf74ab7117aba79c01365f25ee0e35ba998bf45ba0e4ef765fa00fbeca430b6e5a6750dcc23c85ae11d653ff83a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b3345a780af67b52fc647d9359a0abcd

SHA1
76bb9ea8c8d026c518995c6848b6c2901397f01d

SHA256
86818c900c5592275d9e2dc34c9dc48df1be4046d8d21aafa84ad6d0cb8deabe

SHA512
fad9f0df52e109040dca5a7a2d02ba42c4c2665ff6e31f9a701e52d508467ba44c5cadf61f676be9ab9ee3601ce9d714b59d2323360da0b536713fb564dfbf31

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e627401e042dcec7f33e1534ea361841

SHA1
422906112ed7efa6e0cbe5730be0ef0e06282cc2

SHA256
da8c819360c23d7de0e4b382137a5cd1d26430bc3165a53197b08770656059ca

SHA512
0f1dbf1a46c5fff45f9fc8be99072cdae1ae9698ad2476250468eea9258ec394e6120e87581caf5ff0ff2e1f8606a670b014033d3800093e9fb33f64a4c77191

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ed50e5942f99e228c37cc41ce61242f4

SHA1
cdbe6b2e8ab90bcf4e03b30599c2f0e9b8c95760

SHA256
87fcf216d9fcf1d40536e8c167e79d4798187c71676ba5687fb54f9adee7c780

SHA512
04c87902177db1a2cf4b67484d390a0ca34ff17536822c3090a1dc2d4939fb12e6f3b8c95da338b08f2267cb4b785c7ea7dea5c9f4ce74a27e95886d323f4a92

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
16b6c976f21303195769305f2955a3ad

SHA1
b6b766989801d21a88b4d1d6ab2cc5d48fd86c4c

SHA256
b6585f6076492b5488113301c0eaa68eb85e918b43112a7b202345dd191ec2dc

SHA512
eec57c8ae39cceb5d6698c48364144a0f31e096a298d868ea131447edccf6bffc437d69841e501c25984870fcd2b626bb63f2ac849f54f2d0bf9bd2c8313a6b9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d256856fa0a0550daef83f0e4d17ebcf

SHA1
dde3d9bace3bc2905a10147ac2094c259ec272ec

SHA256
2322b54c586ddb4ccae074e720375f873a27b720ea95e371926a72e7747df404

SHA512
8d60a58542e74265be8b29484c2b372222f07c7e9b27c6be5c4949efba1d3c7cbc86f97d4784da468957a76eb8e4a243dd8def97b4cc58608954b45a77b17be8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e8a9293bb878ffa6f0f63191ac63e28e

SHA1
7672931866cf4ba888e5cb689904735fa1c57904

SHA256
ee2672012eac4fadd68731678fa72d217624dd92b82f8343094360f054256412

SHA512
73b6b72252663dd323d4c7cf486406bcf359b519674727a7ec08b039f305e2ee3f2e0a8f981f194ff6b23306f06b3e442af01a90caa65127e055f6964cbf2bd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bccab350fe32c973ba7193e9af911c01

SHA1
3d1b8fdc2d7f2529d516c7e43739a25fc39753b9

SHA256
d428d01b411abf0823c99a27c4458603d8997aeb756108bbadedb4750827de42

SHA512
2dc855c51e7517fea328b15eb3e6afbf3c50b9ed4c5d31d231d3645ac133c3723f97f32f7a35f50e38b75f2b4bb3a4af9e1521c2cc29ac391e4f534bc7558b6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a729589a0ff2c9a0355120b71dea0e75

SHA1
287c60b672f1fc64ec09fd85833653d6cea27855

SHA256
771c27c707e4ff98e5347ed45ff854a46e3a433a7881f06464ce555bc8a040a1

SHA512
0ff7447f812f37b82fe7fd5c3bb915ab70c022e05ebc56a9a50231cab4c7c72876fcafba502fbee67906bc99664787f89be856ee031d711c617a5d27f871e42f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f97f5c4a4e1699e6eee9d30823fb3a2e

SHA1
a212001b5a79f86796ddf6649052d04c9b021d47

SHA256
e345974842d37d7ffaf5fd998d018707bac1e37e4cdbcd6e1339bcbd6e0b1e9e

SHA512
43ca9035a569849771e707498d6de0c8bad1eb7dd280a3063347c6017621e70e5cd8bfc33ab101094a3ff9e05572bd14c65c953af2f1d977e641072ee6525590

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
76dd289e3d6bc2743f7785474334c319

SHA1
6626f302c2d73ff58dd722f7eff292f86b204f75

SHA256
4ec9213a8560d903d6b661d83548beb9989c5031f2f2c40bd7860b06c89a63e3

SHA512
03db4e7773f224d6a39d8e7095eee4784890d514e0263ba803015e5c8ecc6ba3636571ac1f8ad28f511df2a997f736e92c3aaf74ffeff55bf39872b4b877e592

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3a89d1bdfb357d3fa02ff84b0e72eca6

SHA1
2f02bde5aa23b20a6621f35b218c45c15ca2d000

SHA256
09b78429ea2bf2f4f0cce376c682fe7010a1c57653719f72709ffc07efc5f74e

SHA512
d5742eea646d726bf829739b3338701bcbd9a898b80865c8663199bbaa7842e9445b509de34912184fa7ad93ccd2e9625699cb1a491dbde7dccf57069a044461

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a9c1db717d222f32733299093ac7125a

SHA1
9c5e675c3417fbf2f3d370dcae051b1f629a4ca6

SHA256
e9582083aeb042d1bf4f97ed0904bdeb286a9fad16a6a132e2a591a71b316e81

SHA512
80960e8f72d978c5483413c2cf5af0e78ec79203952e765a1ee0dad5d51129660cabe5d1db9bd031817498a3b78c54f683a7ad5e917231d987424bdb4fc50152

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c1527c5190b0276b977e3889a18cbdbc

SHA1
278181a542d7cacec485bedf173c5c83702a2170

SHA256
facc5e6f06ea5233575c28256a7235a348b49a878d64445f2d1072696f6e28d1

SHA512
617c42489a1372ac9472ac8c02680ad064a7b91e4b284f643b713905023a839233e9eca64a4cddeaa51b05a77cc86fc05597a617fefeb0ac88f12ebd3e6c3934

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
614caab136b56f633a8e0ea76d7caa0a

SHA1
d829ecc95db345daaa240c81582e08f4aec8dea7

SHA256
f60e42464088d1be6863162319aa78df11812cd3b60bb7bc80bdd87d14e4709c

SHA512
0c280671fa6b47bb090d9222541dfd1a2e60e4d7c79d199b198665a38f1ab23c81aa94b530574c46b5545694cf29b13710b62c6bd5e43bd1300d1068d68858c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f4abcc69d1ff812ff801a3d6674f95a5

SHA1
6876539498dd93c112b3cdef2e2684b644a8bdc0

SHA256
bff081000ebc46fc77dfe8f2875ddd73b1af55c5b3baa4aa10978659e2bb9e64

SHA512
7415d222a43824726243dd430a43d20b89a43bd59037c0f6507c7a331f5b1573c80ac1590e7ef8e45b9390785d478b9c22a90e0840ab4c230ddc3ce3315544cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
01768e4cdaa0b2bd88fbcc9c51d32573

SHA1
dcee74dfc900d4f5db12b3997da7a8787cd56094

SHA256
0dfa7f51cea2a7d8487a54f47412eb0c7c3c09543183fc7674110a8820d81cf0

SHA512
4bca2f8d2e5073fad6204fb6fbd7bdf251baf207cc9d816e26bdbc342998838f190996d1497059a8e08bbb423562a854f7ab931c36255a8d2a64e684c72a3e5b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e4aecbdbd1dd48c7a7bcd3491dc450e5

SHA1
45d1e9f035ab0a0e2a78e7e8e40d7a5d871ea4a9

SHA256
22557c22a4bb41a1f05589d28054263fdc58454f355d5e619577e02753bed744

SHA512
ffcab16db306b218124dadbdc55b1b99a3a7b680a7fde1323a6165e937d949d0004ff234b7d2bd7faa3bb7041aceb613d87ee02d1e83600acf2957a3fdaeb3af

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2efb014b6ca8a91c755f980277b9fc74

SHA1
89602d2b1825e7099847bb6d034eb449617bc742

SHA256
760d63528c4f4cfd0d219e1275f00a65507e13545bcbad878b68d4243fb6d261

SHA512
0ab566d22a44501fcce4fbcf223692b9623dcd4f0b03269bebeb5d77ff71740ae46c572ec5113c89917b719fc0b606ce00282a16dbb8440cf7afe93a316f367a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
eece1f7c29d7a16d3eca12bec7da2441

SHA1
ed3793d8e9df8832bc6b19dda6917035f6fa146b

SHA256
3e6342350402174d95055f608ce5c67b10498d1468b3eb3f83b94431a5e48799

SHA512
25f8d761198cc09da6afc4a10755903b73ea21bb4272850d719390f2278747f79f4b5f40bcbe842d3a089dddce2abdd67f342accfd71a8ffb09ea12ce9c5b5a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e63b7ab2f067d52d1e0699d04dc6e475

SHA1
013e9e8f63811942b941992b802d8dc1578eee39

SHA256
2cd0ea23b49b89b2c071e117cb9208bbc065d9f5260e3727617186c72a71c03b

SHA512
079bedb0dcbf4c188b0f3639a2dc4371202c75fb26404f17ad2b22e8eeaf903dd23640b6305918bd92cbdc31dd2841eaf825c6c52e8ca4328d23c1c678ec0231

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
784c550d3973d3631829354f121a2b62

SHA1
a2563832fb8c39c8ad0edf92e45c526a3fecc309

SHA256
c40fd938fbb03118553e26502576e998eb9170e956ef407e9af1e818da819ff0

SHA512
f0e07a9c1b9ffde801a466f24b3b94f5440ac7c2001ad029559c86bf55f8ce57c509bcd02ae4180e99763b14fb5cda75a81194ac7dc7982de44cc086d672dcef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
aa57e5fa66f23ec891c33850d76322f5

SHA1
19cd4611fb0dfbb5bd4c12f0bf8c2b52161c46f5

SHA256
a2bdaba3aa958de0b7a728690afed4b9c99894e80879acb27b2ac987862c7dd2

SHA512
4c86fcee6595c4da682e2556b1f39a876ee868e1a22cb23f4aa13e75179974801400942253f1b4a18b3b726c6c5a5044d44eef2b0f065517e0e81efa29232c77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
76b64c82a4fb9be5032791e79e417726

SHA1
c961737b728e955a0f07f5834b1f3625e78a9e93

SHA256
f3da28d42296d9b1254842faec669178b86964d7a86d1efb19f3e8fb0b9e3cb7

SHA512
ff13148c9301928f4617125cf48070ee84098dbcd33f3bb7d149f9772d017a1bbde206bb4c497b78dcb514e83f92e0571a055675b152063a246f4f3ad231ccac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e36005a7b8560d58dd1f26f97d9efe22

SHA1
ae5ec2d25b7e707bf30215558a1698418b5dceaf

SHA256
b723c2ae32bb12d01ad3741399ff4c802881786be7387147796213ad31d8e734

SHA512
6e037c276c0d56cd77459bfda49682d8cdfe9131ed0ed2ff01d0f9f997d7d766dda1c05596e6e53bb76979551a955e2b5723835259c8de8a114100b28e96c70f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5e74e3d52c0c25d3890992eea8b6359f

SHA1
0f7d44edd89c62ac69cb828cfcec045e4d2cb5d7

SHA256
05af2822a6ea5693f9ef0a08249f695f6c21f4bf7f26a3b10028c3a4340d6763

SHA512
6707d1f0cd5702df432a21214b31799a79b7752ebd823e5d629fee9e222d64101172cc46d46c666ec80cdcec3c27db7cdb2aa0d2264981710317ac291e1384b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8ef9a9be144428f3b91d0a2e174bbd38

SHA1
242299d3d04cad832509b8c7acbf82398b436322

SHA256
3e96ec6b7fdade85de6faf4812cfe2f94e0f8588dcf05def69674171d12c6dbf

SHA512
4e2058654d4a1337b04d79ed39dc05096c7b37e60bcaac6cc4b60acd50726e08e56de0f83516ec74affd17c21c56f78e072a0f45ec7baae0f075caabe5b8a404

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f3476e6390a04a6acb2e7664b4843b6d

SHA1
9218a20fa69512e4b49ac840bf8fb22da0fa8515

SHA256
af5a1fd7b3f5d7cf99d7517a36e745b24caba0a27a37ad8b426423657657c60e

SHA512
9a2e6e73dbff1fbeba2c89a4ac2e6b663c0f3460ea47df16f53fc970009e35f89a5ba470e6c43d96f5030da054b011ad1ca26c18932526e7dd7edb9e1166534d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ae056d9e8ba0f2d2b3c8a541ced966a4

SHA1
46ac8b931fe8eb9a40957d7c6a28c4a8b6190792

SHA256
14661101b95d5e2ddcc1fc0e9b4de95f2d1fa474e4a9f59ed253727f081d32ec

SHA512
31d844634c02f005475b99bf9c1d87634a10b6facb98a6be94513e1f967e8d3b0393b13b35d0c6042567731628b7b95ea9144afadaff4206f6e6e8295d0aa4db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ce529e14d53548b795385094865fd98e

SHA1
5d6cb78b3942ec3933afcadc2d8cd3b337629218

SHA256
8807a426f3847c93f7ea7416778f25f440e521ebcd4743ad35f0f8ec2fc5d2af

SHA512
6f9f3b75cde4407a3c914b59e12c75934fa5c6f44192ba0100e26c665547393f5c0e0b7ac8c942d50d6d6e5aa74cd33a25c64f3aedfbfc21fd8edd9da253fbd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f958578275f73234e1aab1fa0ac8c0db

SHA1
fe85ccb5e0d99d5037cf6b90fdaf10a04135707d

SHA256
9f69746114f910e22fdc5e7944597c54fddbc64d33396ab94e31e2d4b805cb35

SHA512
b2ff25c381dac829c7d7b7ee475b79ad665d5c2bd5616fb379ab1d3b83aeafdbef07f4d42cf0a4f078477f54ec90f59ba7d18067172aa1c0b256926ce3ad2c29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
83778384aa0ce173c3c5d4b24c432939

SHA1
84777fb1a63965d564bd45f9dd88682623dea6ef

SHA256
d0d1aceb72bf32fa838f04b3792182e2b20157f3fe6db2a8e8c00a5ac62e6330

SHA512
7fe0f2fab8fbe58e305a1e44e22e8e25f16a00d7159655b632332388c4bf065e84af99492fcfbd203148f5b75f94c4e5a32ea46134508666c910ef8e210ec7fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
de1cdabe1a2fea949237a9feeedd9c15

SHA1
6e9afe2bd45b467ee9057374b026347eedd42be5

SHA256
072977de1902c492ab075b1fa5522a644bed995fec1da04488da3d115df23d2e

SHA512
3faf6f925d8fdc85bb46ff2c42799606d7cb0471f76267c81c7adb9065b695de126727c993b8a5f626a59b2f03b6f24148b3138947085664b30d7ca08aeac54f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
0e6fc29596b4bf1f50ea0535e593b967

SHA1
47259c08f6dcf6c4933a94f3353d551e6411a0ed

SHA256
df30ce1a13b03778086dd045496d073831b57800b399029359de399478c944d5

SHA512
8d8e3296f0a03f2e9718f21144c8fc3a4fcb197e04da9bd88d4bae47bf38762c264af72f0880bf53b361dfacb37290ea8be8b165c14edbac4643be411f9af1ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
e1703380accb40faac8d7ad2572a805d

SHA1
f8e9a87a339c3fd87a8d3ff551f7471e14a1f815

SHA256
76c81ad8184f0d5ce8c8ecbe458fc2057dca45ed358145115e50367dd6543d84

SHA512
33ced2482a687b4ba7b352c0bab1038b4c48fdc32ec3e8cb86e49af4d1f7f3d36226b76440d4e1868e12c721072773453f9c602cd40088883a6ee85ac8e71e74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
46e70a89095ceef0f557903a97d65c0c

SHA1
59441de1f559dd44212e1797da252411fae5b4b4

SHA256
1ccd7d7d36d76c50ff71d02e6f48885f8f44012e33174949ece0abc581b9ea5b

SHA512
8dcd85263ff2c233b0adfc573dd4e5c22426f0c181a9e77dc6208b040ac197c764b59d5e9709a0a0d7a89ebe93ad530b442896725568085173171585409ef92b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ff944573ba01d0ad543aac9d68b28e0e

SHA1
dc6e80287aeb54506e96a8bdf680aed6abeb9fa3

SHA256
de16fa3a747f0f73e3644e09b03387e300ffade1c9cc2f88f89ba7be3a73e317

SHA512
9dfb12f70502678b4a3998f638a817365022d5b895174905d1048ac2d317ce1e2778263d60315122150205a50436c369d4ec5f981387177f871d849d3df2f24a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
70ca722e71b7092c0758298254634e9d

SHA1
7a933d05d318a6ef129b43695aa2738628060140

SHA256
0714c1f11d7368af511caef55a91ab89d0b917ed74d7374b556b22938fbb8964

SHA512
043574fd3fab216d756eaa6353b973715a005f36db7c2df77599716ee790f7fe0705cc2d7ec5f3f2b442fd68df1c36d368a2572702b94335a9bb410dd0c5e1db

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8e01d72ef206af9cf3f6922333d14f29

SHA1
648305b0a0858498ade1bbfd7c8fb5b8bf0938f1

SHA256
013d9d0a52a4c5438a1353db83975719016ae81ff543bf2a60b6cf9000279cb5

SHA512
1e4c600170f6efcc314418265b6f6cd5040e790acce471c454f6fbe5cf6cf7d3d919540e8836c56d878d6d1d843a5d1f0adb565d79a4b396399efbee2967008f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
552c6e9ab430292e2b79d14cf21b36c1

SHA1
8ef3ae140a2c92a5239e26c5328347ad8f02ba2c

SHA256
5adf9d3a880adecade91606bf48d0d364e1dc7683e6a8266793c06782fdfd66a

SHA512
afa77dd178427479d896cfafb1c011b9941404a667c2fbce839fcec268c3167b20d9dbe3573fbe20093300ea6dc40928e0144ba22016c90770cb48748d8ebdb4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fac865c760071a4c432f86db675e5b84

SHA1
e23a53de4b7d1f789852db64550d31e480b5fd6e

SHA256
3673e8740096128174441950d3415ce48ade81249b19dafbd79a8d2708166add

SHA512
ad0506d73bfab3ff37e96f4ab76c279ff6f8c5ea66663f333eebf6493ed379eb343c95928073d02b0e66420a25b65c311963218cd6dedcc75a94857870495462

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7fd76ea9781c1b5e8b1d560ea0a8e8a4

SHA1
1194292851037a3eb901207b70b5f33352e7aea3

SHA256
ca930416c9c475e548a8b1d4f64c09d1a17d88dac1509b5d8b8b3094b92d1f30

SHA512
da32a6ed4fd13bf3aae622181cb8a04c1083c8a325db97f5591430345beeb3bdab3a262b7611b66c96baeff4a3516fb8e0c9f72c30de1c89532de4dff80d98ca

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
830e5c60985a6911b57c35fca3a0fb8e

SHA1
ce2010f841a734f947e5101bcc552ae0979d309e

SHA256
fe81665cc999b4f0e84891db49cf9cc99fcc484ee1016eb26d336a4989d9b153

SHA512
c70fee75507ba641fcc477fad98bb355890e532120a13fc2aba0b2ac3c0dbdc02289269a561186221fbed9c8e4d01994787956c119d85a8f2c68c57b039a9a0e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1271332e7e1f7b53e88179b3caf54ddd

SHA1
ecc831f8093a67686bbac6c16de63817eb3d55ff

SHA256
ffafd8c3feba5eeb979237466ac6062ce30ae1499dac2533e28467c8149afece

SHA512
c82861ea8931169d8a36c12a11ffe5f0a1b8e43554fb5d20b980f30666d29ccb6e5557e76f7d3118b2c87396be072d21c332604fa49df047cd9b889dd4495de8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f45f8018aa24885ce59917f8f488cdc1

SHA1
de521b1ac05924059a8ee59d4a3498af77092ff1

SHA256
e923bd1a6c73dd27842f063d8a2072f492ab29cc5c499790d812c5f585cd2f65

SHA512
5a72ae29878720b4b8329c7d237cf40aeef7516bdd03090634b9ec430e9a5b027bdd44500902e0482990079ce6d57195cc5b6c02c89dfdc2bc15d714f6d048b8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
871eaf539b2dd826fa9c94316e25d921

SHA1
796d4fbfa9edfddc198559e0f6dffd3444be653d

SHA256
dcab50236fff0e08c5ae7aa44f1925ddf3dfe4d914d1001c8cb256105620620f

SHA512
8f16fa56ea7909312193e2e19e3b70831a72a13f05822fb6d8aae30619fa6c008ed46d22378ba4ec1d319278961a9f69b40e0dd8d6ab646d93189a4ecf894849

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9ce4648e78dda0a98e1cb62e83d90937

SHA1
da64822ee587f3094651bf53ccff92517741c257

SHA256
1ff059fdf3b05cfd51867c66f327349e92c61fb4a4c4b3ebb40d70fef8fcb908

SHA512
af0b6644af00a303e0c74442fe3008e9092bb7207c517934fe2b86fba1563774b7857a0e4d727ab3a52e320c15083a7314e868d46ac8593d487a86d45ed6a9c7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fe84642acac62415b70235ab26b9d1c5

SHA1
82917e7680873b47d8fc2537fb904fd636b1e67c

SHA256
f165023bfa427e5f990d3ace124a6b5b9a24f63eb20063854027d438e9b7648a

SHA512
d1208ea4020e8d641f0fdea90a1c59cb3794af2ff1bfc508d5b238cc910fe17c1fdcd5401cecdc9d786b7969d9bd54e91d4db8f87582a34d2e3f9308c95d745d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5887b4f9efeb46dc4d2a02cc9481fd42

SHA1
d6c05ca2ae1c7f78d5c15215d48ade3b261d7c81

SHA256
73409364229adc82f930b064dda33feb987e47219d05c9fa73f294d0c911cfb7

SHA512
ec7dc73ac4f2ea36b9e41d6fa13943f24e1784e59822e50bd0b304e598cad918622487b8d41a65c3e1d092f82f1dc7ce4a457273a0628d852f05b038b22eaf16

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2f9f48fe4cffba48008e96aef83e036a

SHA1
9aa666f1389ca53c3bef21c89e670e116cd416ac

SHA256
a1c0d4d18e4d6f551f85c4433004c7d0700d215fb43c54201df839046d8330f2

SHA512
d6053863ae60cc9a5c4f430f7df59b53690f66d6e5745683ebdc91dc97a1a3e05416c4854638d376a405176b59ba95ca129f5d3984df7f6c524e288ab46b156a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
257b12e572cd8ee07383da43c36b2355

SHA1
29422bd0bcc96c4209dad989d26160fdef6009c0

SHA256
349a125988cc322a9cde73ab2a01edd94e9e01f92a9242f708f953173ff84817

SHA512
f9070b1576d6a165184a31a05d5098402378aa9a58434640ed2fbad2aceca729621143ef2134c32241205e3dc65fe264c133e4a4f78206e9f70bbd5b32c3ea19

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2cf02a2ec8ea27fe7d704ab5660bad17

SHA1
55c73ddc0ae977edc202376f30274b646082e737

SHA256
1ba29e2d9bacd20021b4e4b070354e5bcdfc8038fc35dd47c8052894bb1421e3

SHA512
2b40ccd47a93a1a38a635d8af1fbc1ea8d949ac5c4ec9a9ad7d414eb6c511db860292d3f2b9e82a087886c7276ded2da294eaacd4670c62f71a00dcf4c39cd0a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
afb4b1daa2718b585f58fef3b0df90b1

SHA1
603f6b41a12beb6ae3a6d5ed9d5eacc650022a9b

SHA256
ccdadb7c499eafeca25d622d0aabf723d8a60e44ed0fb84afc40afc16ebac04a

SHA512
7577c6241212b97a6cd1dc98fe9347fdcd64c9315c1f4b2cfc0e58d254364a85e32c7e2154d74cc081c0bbc3e1fd633fd013490714c1df1bda37d7dcd9932f77

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
abdea0740aed0618660f466d6effbd58

SHA1
f15135d7449711ca7701c744b3e927ca1d4c39f5

SHA256
72bfe9d29b00909111848792605034721e0b1ce269aeb206d94c6ad7af8842e3

SHA512
859b6fd7129ef6b0cf52e05610608a5855478b937fac02bb5b602a08ad8adbdac6bea82812d6f4d032b971b0d738ca001e4a3fb19b3f9951b95a7cec06791cb1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cc6a840d26d1577958865b0e4b6d5a29

SHA1
f8eb20aa44fec88d7f7cd401a18075552574d74d

SHA256
bebce824dbd23189c79553a1fe3b45c6ca986728209123cd8a200c88156fd8b0

SHA512
938d686e81273395ab9bee05f09773e9f55a4fe3f5fc3e7171705c76d4146d79ffc1a82fe2dd36d71ae5d5a5e771c6dbb34aba52163e85c035ac8a08ea22f516

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4841e860d26a5643804575ef4c594924

SHA1
83f1c7fc1aa8b7d7e279bf50c5f235a7fde6560f

SHA256
3378ce252d82d39f29d3698afec02894ec644b624ee1cdf976ce4ed086afcb54

SHA512
740613bca39d6484aca3ec92e2603ca6d40379202737b47236b27f702c41899ed67328efa8d408d2f001557975d572b07cccc37cb2d70b2c6a1c8804517366f9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fe34b3b7f042e662a33716f09255db2a

SHA1
bbff862454d116bf4e091d709bd6164c8b75b5ea

SHA256
3d6578c137053afb1082b37ff018cc6fffa5ffec37fbe20b696cf7c71097467e

SHA512
f887ca0ae384955df735f1cc01cb888c8792f880704361ed2736901bb7828b64d1da20917a5b6e7bf5d49f44752e7238c1106bd095357866fc96a60ac1296f24

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
159e5b6e26f698050c0b45e70939e079

SHA1
772c23eeaaf512395b0b6998b7f5410c79b5acce

SHA256
668e73c5e910b1f35d5bbbe5b9d44c6dc9c53edcbe4669d2ac03ad258aa48ffa

SHA512
c50dc074e8ea8ad5d42891ae4ce372c657e034b4061af7f4b2d830ed9add378ae3e3448e03603626116b8116f7402f3bf3fe751cc028f20d3e16fa380b1acd67

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ffac8cac61217102f5a6f25fc250e19c

SHA1
151ebf5cfd90c6d92f500edc312b3dbf4ffc7bc1

SHA256
ccf647d339027d1847e4a21a72475a389aa8ee35e28d998ac90c8c500b02d059

SHA512
f401f3a46b01b896822da5caa5cdfca3a18598522c6f64e16aa37446b81fd8b56c039248afa707577f149bd262520f93c6ebb9705a34a0eae9b1f85d507e238d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6a3bd111492390098cc720d52e9738ee

SHA1
61a1d7f2499d669b5e5bd11a48dedfeed13497ee

SHA256
bc6e4eb401bfb4714fb1dcb2b38a553ea6752321a64b193e3f9aac55bac2add2

SHA512
419f857e18c358badbf27e284ade724fda2ce061467e1881fc0eb086f13fd64afdbedd2d7cd46b4225eaec0b4743c9dba9cdb510c6a6a3e273aa932dbceda5c3

Download Submit
memory/464-432-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/464-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/832-614-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/832-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1404-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1404-623-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1484-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1484-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1488-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1488-616-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1556-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1556-622-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1848-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1848-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1884-1-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/1884-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1884-6-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/1884-439-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1884-82-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2332-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2332-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2620-618-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2620-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2784-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-613-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3036-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3036-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3160-617-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3160-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3196-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3196-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3196-107-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3196-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3300-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3300-73-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3300-79-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3300-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3384-621-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3384-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3912-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3912-31-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3912-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3912-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4348-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4348-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4452-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4452-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4452-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4452-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4456-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4456-615-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4516-48-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4516-44-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4516-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4516-36-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4516-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4524-91-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4524-95-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4524-85-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4792-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4792-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4792-57-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4792-51-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download