3daa4012c77e42f063cc6fb0328c04fddcc271f3971b19f63661123260fe17ca

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
Size

625KB
MD5

20a6ed4525c759024713016c1f064820
SHA1

88e4d9e3a6f6c656fc334c5115a865aae697796d
SHA256

3daa4012c77e42f063cc6fb0328c04fddcc271f3971b19f63661123260fe17ca
SHA512

59fce75f0be219cc0063c965a401f9227c8bd5150c329296e056f9b32edaee5e5d5eff67f91d8d5f01dce764fa7737ee95d6e13f8bc617b2fb43f132e76ea118
SSDEEP

12288:Z2HGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhD:wmt/sBlDqgZQd6XKtiMJYiPUD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2028	alg.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
740	fxssvc.exe
3720	elevation_service.exe
1504	elevation_service.exe
2280	maintenanceservice.exe
2636	msdtc.exe
904	OSE.EXE
4744	PerceptionSimulationService.exe
4616	perfhost.exe
876	locator.exe
2748	SensorDataService.exe
1148	snmptrap.exe
1600	spectrum.exe
1892	ssh-agent.exe
3188	TieringEngineService.exe
424	AgentService.exe
2920	vds.exe
3340	vssvc.exe
4560	wbengine.exe
4308	WmiApSrv.exe
4800	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4573d9f5c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bf87273c7a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000929c2f71c7a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec51c470c7a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecb4c670c7a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000773dd070c7a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000929c2f71c7a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3056	20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
Token: SeAuditPrivilege	740	fxssvc.exe
Token: SeRestorePrivilege	3188	TieringEngineService.exe
Token: SeManageVolumePrivilege	3188	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	424	AgentService.exe
Token: SeBackupPrivilege	3340	vssvc.exe
Token: SeRestorePrivilege	3340	vssvc.exe
Token: SeAuditPrivilege	3340	vssvc.exe
Token: SeBackupPrivilege	4560	wbengine.exe
Token: SeRestorePrivilege	4560	wbengine.exe
Token: SeSecurityPrivilege	4560	wbengine.exe
Token: 33	4800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeDebugPrivilege	2028	alg.exe
Token: SeDebugPrivilege	2028	alg.exe
Token: SeDebugPrivilege	2028	alg.exe
Token: SeDebugPrivilege	2708	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 5340	4800	SearchIndexer.exe	118
PID 4800 wrote to memory of 5340	4800	SearchIndexer.exe	118
PID 4800 wrote to memory of 5368	4800	SearchIndexer.exe	119
PID 4800 wrote to memory of 5368	4800	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20a6ed4525c759024713016c1f064820_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:904

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2748

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5340
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
8cb1a1f5cb41ac8ab1ae26db47d974ad

SHA1
e680d557dbdc7e27cc4144328744dd54a92d5528

SHA256
9b158ca024bbeaeea0aefbf392865c92a818eb8c76a24b1c0f90aee7f3e2bbf4

SHA512
c81b6472c2c5920ebcc45724daa64f3e5a52a318d5a197b4edef578db6d3e666b91afdc40a5fb5e5352210402977cd8458588d5917b4e0c3ecd343d48fe21697

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a630a34741560f5640497888bc76a258

SHA1
49a87404fd5370cb897195ec4847841ddce70509

SHA256
01855f4d705e7ad87e9694f5f0a991fea68036fb3f4889409c816dcf71e60702

SHA512
78e3a17495755f1aae860f0df8eb74c4224aa0c1186f3957e075150d9255c9db6cb77724549965787f8d6048ba99297e89393de38e3e8943b9aeea19c224dec1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ad18b9ef8162dc61017e44c37ef0a849

SHA1
aad4d4229f5def4c0ab5b461003b9e7793bcfd98

SHA256
a0d069e3e464e17ad6acb1c55cf5563bb9d79ba0eb0a07f34822f18108964467

SHA512
7cc2b4c562966dd38e9a6e4407dafa2890c85fd405b8f2d5e452a2cee76425e206f250b1aa7b674dabbf0e9801419d75660ad9809af01fb087230c3fca3b4651

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8b665cccd5d37afc761b557e559096d4

SHA1
33f335660647b5323eea9bbe1c6b5e9788c4cfe9

SHA256
9a029b08e6000e1454bd696561e0992e7a6459cd431c57df4cc42ecc4d4c2a80

SHA512
13d69803998547c57bc29682cd632f165ba03f8c8b9865c45bc11c7cd86878601f4fadc1fc98bb4ca34ff73ba3aa70a889f4a571e182b792234bdc26b33125e7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bda2168dd058b21debea1f67b1af3cab

SHA1
28dec9932a6dd0eac37c48a094f471bf4458c8d4

SHA256
9c7dab9f188a393af0c31b8719dcae1b04ccd00ff71a43b5ca4d5bf2da3460d2

SHA512
46e9f50f9bd8c64af45bbb60d8b4409e92273fb921062e38760afae5aa9ee106c6afa7bde1be478d9f9b8de4cfaabeb14c6eafff10052f1e158883e2d9af507a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a67a2d35a4f02601cb63f154514673d2

SHA1
5df87fdf11595d63e23431d09949f573bc863e56

SHA256
b921b199450a096c779f8e2848b0c5202bc4ca1046f0e9add01db134d14d4913

SHA512
de2bcdc1959f2404bf163a76eb00f994a9b2e34f6a2b0609fbae134fcadb3878505aac94f3e0958b6c07e95ba0e0e6d5067849d481ca993b3fae1fdd3aa35191

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
dc96f73849abeb797801ce8a48ccafd2

SHA1
85bac3af19d468138ea16ab94a17114828afb55e

SHA256
9fdcbdd037434abc5df43fc7d3ebfa96b3103fb781300c7c97cd6bc15045f106

SHA512
3ccda6505f149275505e0a88c704efb0e684e2c21559968f8935ee1b608e253840d2899d8c90fc670ec894a21b80e0886a00cc385b72f09325a38dee2d3ade7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fa38a660088554c9aead9cc04429821b

SHA1
f4ac330c63a0c5e47476b36fd8e9342474b7a3b7

SHA256
ad4d6f753dbcaaff701d0070567b511d4842099da10e6829590c223866a6d220

SHA512
448eca2d718c71b190ec733c095b5ec03057c5c3e7bc21db43b87ed4087f7537d736c35789f5d7b42f5999f9474089cf0d4f70b0945d162260a48826323017bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
db1f880305bfd9b497b2e46773a9fa67

SHA1
f9daca1acab8e18e043792ee3f07c409213b0d59

SHA256
9dbdb3d1a762ca39c78815f6b2fd557689222cfaaed136912643dbe555fbbb23

SHA512
599af63215c8ec811a2f33436eee0eab06a54e4f80ce963b2523a32538369a202fb0dbc7df3462fd537c0cbd7222f75c2c6eac1a66d0558a69faf68be9ea4bb8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a8c27f41af6e564c8c3594f52ae18b8a

SHA1
f66420d8694eab59276e5b67fa6a02ee6f4977e8

SHA256
3820e58b2fe9131606cd5e7c1236d86ee7414969f7739fe726f0f498b96784cf

SHA512
6986a49274001d6820fee3b2db81603b2210bd84180a1a1a53ce1eb53559f42ec0e97948f7c77d6ce374246b34ca739d723f95bd0ed4f7b9aa1f36470b92f95d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7453ce6620738192c1c6f098a785ad7d

SHA1
d03c2c59e90e1e13a381c19762bdd443c5674f29

SHA256
b8c073d4b0b56de0f7bab67e4ec3483dcc4c7a17f9fde915fdb667a8a57ed27a

SHA512
4eaff43c5266a39216d1ef40bc3588a874cc4ab871b3754a04eafe530f971c150310fd86be34c1ea12baad108322b57c66fc21d77b3a6d75c4ccd0ac1e264e49

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d11682ff1606b4e8666e6e9f07faed56

SHA1
d6cb0e97a9299068946c92029fa0435f74d09b79

SHA256
094a81d39fdcd4c8478ccf340cbf4b41dc90b9db03b7bc598e19be535f0a5209

SHA512
9fa74d25ec2b49d79d1f99e8841de0599f050eddbe34d3aff1d667d31538a1d1dc3d6f87616d67df5f57be313e3a723eefa973964a95362055139f9d0ba0f46d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ae4b265df61377c12719e68fcc02d060

SHA1
1b66284a4d9be3b90dfa7060f300d027b95e6060

SHA256
979b27bdb5ad41e3e5ed72f6e05b68b1afaf361daf8398255e85c31ceb92061d

SHA512
7a66c48511449227d9157fbba936670f3123b717377f958f501c01b597da2bb47d54eb59038bbbddac4d7482a123593852f780a07c3dfb4fcb37f0fa8a253ddc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
28517731244459ca17254cab6bdd5970

SHA1
16d7ba83717315990025969c713db58fc9cf4ca7

SHA256
9ecfde0e287d4b893f1bcf59d7ea6048a30a3502670c4983e313b5ecf435c12d

SHA512
845b74d36131ae779d04a1f5650d2f52a86c792c6e0f8ffb0f2f18cde59934836cf547139f46f02c8c285374bb37acfeb92e22744f7f97752c0561cdd61cf626

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6c932cc31db4ff89a2c2f8f3bf89c53b

SHA1
76a2b1ebdc74be50bbac2654797050bce8de7604

SHA256
afd39f812202a1cc7e72eab6177df65174836ad1cf60e232873f2bac47b042c1

SHA512
a0b39a6107e520f9936b5f94e454d1c8ecffda22063a09a550d0f9c58521b52882ba051fd93ae413c198dcdf7bd9fc403e097018325eb59f696bb8e52d6883bd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
61f511309e81b48ffa5e55dafef1a57e

SHA1
bd925be5ebab77d4a66d093561a023a45410e2fb

SHA256
8738ac860d44344ada30f0eed0b1a15d9544252b039e2fd0b3bf573b20cbc68c

SHA512
4d6548b1db5f85f326c16641ff5eb60bc56f600105c3fc41ca57bb9f4e8c56ef6088a39c76936e5ffbe4144e3851cc08cfed93862aba50d729829718d04c0ee2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b0b2d7532ae77ba7a2f491affcaa5749

SHA1
9d18647bb3f1a3470e940765d5166ac661366535

SHA256
0af2aa51bb36116909759098de12ae1e8e762a724861d7a90e5f2ad08aac53e3

SHA512
cad79f4c5008c80042091c08d9a8926da077fbe887a099ba113d169bdad695b2c949570715c82752f034cd24afcd9effd3443fd656a565835191c57093bab00d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4c14c283b315f0432b47d452b3044b5e

SHA1
8cf43efe991d7e3cedb07f4f88d9cb8d63ac7e9b

SHA256
d8fb25d4bcc92f09955fa11e709dcca8634ee7442813ba66fa367cd450c61bc6

SHA512
b5f3aea181eccd9af566e42fe9cead21a46f960e59ff15e79f32bd76efa667c69aefb8c9017f941526835122a60f0e5fdbd56ad8b34453d21cbe15e83d81c452

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
cbb9162b3ffa755386c669b0073756f9

SHA1
7c89410df5ea0d97f58de15f93ccd5bb3aba5551

SHA256
a3cb6ba27609728223364470817ae4432a49f5cdd58ecdeb470eb11462e7abd5

SHA512
6b8285600e439a93511a70d86722519bdc38432e51785f7bcc99e207367511b7cb14829444b0d3311b0d73900192cbb6e534be7a2ed4bea4268c557e9cec5dac

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b9b7a53d74732d358698511fcdb6d17e

SHA1
e7897bf2b622f53e9e875896662617980ab59d17

SHA256
42d33957f96be8e4faca691df4a0e131894d0db469a1eb6ff056b5b8dbd7d6ad

SHA512
dd268d55dfb690e05db96ab44fc6170cc910bc148112fc91017985b4e37cf3fee4a45b3297481e03e958e318b578f33c3b345f2b0bd0a238c24caea246c4fdb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f40da46244f2effcd6c2abe98002c995

SHA1
f5e9df7359b0c3b82f8a4815e84c93f1853eff57

SHA256
0857da1bdbaba25d834bddb533eea17466da0816858e3454a760c7cb1ee26463

SHA512
60f300784b82c9b86976f2c1c478318ec41e2fca0213c43dc935c94e5ad2a97c2fee0cac466341ad666d8f1e17799a395c89cf9b9f2a0c9b20ef71347e7009ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e94e1262953fff5c8243cb2f8ba499be

SHA1
ec03560ddf67d386ebd529d28cf585ad2cb0aa68

SHA256
ea2160ca429bd054639b195f3f57b8799e16ce40d7a8b702d71f91ebc87ddb4f

SHA512
153347a34fd717991bdeb3a8814192649ec5a6587df414306badea2b80225a47be4966a372ada14339c32e9c5b81407bced88f76a07f5084ca25a1413d770bbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
77f28289d1dce8ab56f602516dc2548d

SHA1
32496a10a066b96e5d6d9ccf87383cd000da5b1e

SHA256
de4195911380b626b1b7d2c47866d56c55eec98e32e180cdbe0f5281fc1ccce3

SHA512
454c1bfcbbc8a2b65f3a47bf23258022840254412bd0cd7fbc1e6ace0b07481947402f34c4a4679fdbc3597164de93ea881be1a3c3ceb9b979767a6be8b56d74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
521aebd034519db0aa8790bab2c99f61

SHA1
4445aad57f4cb57fc3121a534039f4b03f938115

SHA256
a06408bd157358a5ff95399bdde3981e0c25baff02fcab458cc25077fb49a396

SHA512
6ac11debac0c5cba5e915cb533fb1201195c6257694e026c85ca440cd18d732a910b9de8ef0e9e49b63a0724e050c32fa27a65d7c7f119914a3bb1e5bc6078dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
63405633749eac5adaec6fb8522208b1

SHA1
7373caf68b4a2ed021215f41beaad5afb6fa132e

SHA256
d91a8b4491960a5422aabde04b767f239c0c9fde50a637911421a80a8f81864e

SHA512
05c68df214543cf40e8b8f99c6155e72f7992017d78107bc4946c8d77bb30bbc62cba239d06e6476a26ec56a8fb76d4c5bec7c6e0698505f478f7e9ba8195dce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bd407a9478b6c4b8ac568fcebe9034e2

SHA1
9508bb45197cd6a64dd1bdd91432b358e61cebbd

SHA256
59d7d2531781179a1814ca8c3b588ba29604dfc1166ff5a9a16fb47941c9a59c

SHA512
6f58ebd16cf1ee84e35ff4839fa21de31a69b3c58fd942bf6e28390a64105331c14d70b32b026b758c90c4c032c04e3f32df000c069d0d53675e7db144e823c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1110496d2a89adc16d3ca87c3a27ad58

SHA1
462898101b5dcda3432afdbb85a036b7ae9eaa2c

SHA256
3bc32032d2501bf67a2cab827505f28b84e27171fd2b486928e7fcf1c0f29964

SHA512
dc35b00d36fb606dd18dea4e694021d94d9ad1c4b1510133358447b34685942d6b9c33f492c76ac107a1a5de3aea42afd2d8b968108e5ed7818a03889aecbf26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
81d94d9f5bc7fb7d0782c211534130b6

SHA1
4570d1c452976b93890cff02b2382b0319608e02

SHA256
9484bb9453eee00e967059812771c5f09df0b4049898e1dd42aab03088489165

SHA512
f11d1b303412b5b9531c3f758a223874994d792083cdcd013c9d9f3497337f0f8fd309f17a8eacfa12307000dd89a89ea17707a479248d5d8cae9bbe0f6bd213

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
af906d21300b41af8cd449880915ccde

SHA1
8f37fbf559f866ad889d14cc834d486daee98dd5

SHA256
a98ae76d7fcc1164815707b5a04629e67cb21067cafd008e3416a2b43bb3caf4

SHA512
9eb2e336f5c61ed9707b653c425703618658b838ab2f83708c200f1a160faa42655b3169c8b2cdcc29e058c620993b5a09f26931617f3b5f66be5e81cc35379d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
390bb9c458bba7d4818f71a4a20b1a64

SHA1
7a34d749cf115bcb5f656367cb44ec980dc36345

SHA256
39e3039f4e319820477d0bafa38365bcd65b45e5a3875a953152bd5c043f28f8

SHA512
03469ebeb106eb083239e646c5fd865f0a4e282f6bfebe61df4fc9cce8ee8e9cdc75d2b4f8f71d1766c4f06b539322954d0d47f3449cc01daebbe0df889f0f7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d3e4c8ef47764a4a7da3e8b25c8ad6e6

SHA1
4aa1c2d23e69aef7eb34d221e8038246fe599c27

SHA256
36ea4c377230bdaa90f4bf1a9430a73b1fa983e370e39294c307b509cf69f585

SHA512
c3aeb06b8d364b56515b68ef21547c95fb8858b8a580a3656d082d96e52fe2abd5f01d8d837bdf8165ab080342c04b7c052452f73a1f0f4814db43c3a3a46823

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c492b118aa1623a2bb34fea9366fdcc3

SHA1
edc330cece38868dfe5ae72e388684d7207dbb7d

SHA256
3e82a8fff880d33ce00615cb5c175aa6500eee4b200713e4065935dffe1b544a

SHA512
0322ca5895d94377afcb4d2a5d4846a9002b0fd4dc9797ddd65cfeba66a040379aa75715a3f1f54133cb54ed8470d6a39a840ce23d56c2e8c643b096e8bc887d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b6c36e04f0e8094689f4d9ec58331958

SHA1
4a104a31faf14895b311abe1ed1879e703fe4b4c

SHA256
98d7875a3c96945c815c3daec5fab7ef9bf5075f965317e24bf498e569a5a17f

SHA512
9f319008b24da8457a27eb733cff77397810ddff7561485b9466b5f9fc0de8b9a244b901b6bca04e1be7cff0e3ee631e7512a1b87c4ac6db553890f4cda73655

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2292e6c1eab28593777eb7663ee1b30d

SHA1
3da88e6cd9447f9757a1eab7909a6685f9f9fe86

SHA256
69bd612eb3d0cddf663902619638d3fccd34ef85d51e54f3db5441ecbe35369c

SHA512
e25938b77e925660c12661c512fb6ce9c001162bdeb4df706da6307a851f7206f0edb7842e395e32598399ff3375852195641e892a215f55ee606e35bb96ec73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a67c9d6e92ef92c8979feb64f9661d0f

SHA1
ba3ce7b608172a1eabdb57058d4c0b767395b339

SHA256
27236a9e02008ab6a688f48d1477c895d971e9bdb4cce2510d81ccdcaed9219c

SHA512
cfeda1f1c486522e27b070d17b21f4bf7cbd089d03794bede5160f36fe14adda2848ccbf0661845e233394bbe7f0d2c104f232bb596fd8dec8db6886cfc4f5fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
2247558c23a170af36a04ec3909dcb8a

SHA1
f6f18a55d808416210255ef541d71959993470d6

SHA256
1150b5c31cb6920dd5221f942bb7b29815d2a25a298dc51700b7012f9a32f2f6

SHA512
16bb793dc5d2bcdad616f7d78686c01925adb0e162c0affd9a603cb8e3609cbc932e5f855c3ec477ec2fbf9174e8b477375a0f75a1dae1f1c848a537aaeb0149

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
db4c6ff39d22f8e7f72fd962545311c3

SHA1
e65bd46779c581cec5a86e2a39be86b29c51d4b3

SHA256
f77d957ecdb79531fe502ce5af829b41a9ff7e13f594c600ede4b1f52393cf44

SHA512
91ddc663f0c067aea435217028276286cf8e91c4dd2610a9577fb9332bcb17e582c8bf6f429c14942e6124baf95f9c2ccc35667c338f06cb431d12acd7f95c32

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
35e115134f6ee941f1df14e92d347108

SHA1
07a7f1b92f0a049291600a56dc58b981e638ab9b

SHA256
4c7ebfdaf7cebd9bfcc11ecd041d29d9cc0381f457d862b26bd8e9ec1dce6b3a

SHA512
cb51904eb607387df8a7bbb7f7d54c3ccb3c89a2f2696b02a9bcc49239bb9af8f6daf6b6f8e20ea16eaa474a5138ff76f55d4ae661909467935b78a77832b3de

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e29cbb127f6a545e26e7d0c4d01b0f2c

SHA1
10a4c316dfbb5ccea2bd1aacfbbf431360ffd377

SHA256
4c7396696e5b48fc200249ef72f1619ef41f2fd1c6c74742716ab915eac81618

SHA512
d85cccb5f6e45ea7a965b916aedcf0df3873150ce8cbf645c7290b464937e8abe23cd4d1835fc6046e3c8543fd5005f4bfa891782be16e06e0aa25451ec0c5e7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9602ad69e009643f4bb4bffad8166d3c

SHA1
b1799ab4343120f0e0117b171d31804cf8a7d1ed

SHA256
fadfe330ffa92e47fdb6316a92901940e4258e46e4199078f4913065eaccb10c

SHA512
2742a9d04583e1a42d11c3abada489632662e8556d4464dfd0da38dc433e2897a2a9dac5ea2463ede7c6ca04bd2546a25ab14ad9460ca6446ee29f8601553d4f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1bf4dfe12230d1b86ff647a2f60f0fa6

SHA1
6997d5623fb4569c0dacf6554a786d88a3d9975c

SHA256
a4065ac9a9e7f0c491641207ceecd1ffbf7c29de1f3459a49c230e02bc47e66c

SHA512
04fed46e53acbeadad6f349846cdfee62f4b5a16640470edc406a30478d2f0ba6b3a6e0715fc19f1b30949cc9918d3b79c8357bff61a9ace6186ccd6efd80438

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8c0eb2c85e00e148b3579c80790ef17c

SHA1
c8fa1b5000b3809b428b06617490ceb35de86068

SHA256
052fbc11390bf073bda92c0553a4686d85ab7cff512e80a4a7752989dd2db67a

SHA512
9f8d1d4e133155f175f554b1bdb90c147f77b24afbe8361c3a05ecabf303c98a56be790ad0082ec8cee5ab86bf6b8c6ed384177f68a9dfdc07ef02d332868c59

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c4b4a878e2dd10eecba109933d9e5ad2

SHA1
e9bfd9c193c7ecc85f483cbc13d31c23a0c69db2

SHA256
1ae44225981699e08c14a54969266a43c061a6ed3ca9d1deb92df932ede8c683

SHA512
a80ba33fc62b3932f8b96a38d60f09b179533fa0ea53b705bb323dad7ab043db6d402815376ce5430d1e4da939d798d86961a18b2c2a78928bbb66ad3aab32db

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5a495901c14eab24a3606b57d588eb1b

SHA1
bde5078cdf2bd3e20634efa1f4d014f0409c07bb

SHA256
d68717d4d8512401e89b118f668668b23ad70b3fc044116d67b7c28c26f8b074

SHA512
3c07e6ce140ab3f457c32b0cd67ac66706260168676a7caeb8fac676bdbff79cee3b25b9216feef5ad531ab1e25533250fa0061c7395486985362ea249eaffc3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8e7a2e877348713472b0f704408a6d85

SHA1
867e73c9c5c7d0ad7c0d98b1815c13c6da966649

SHA256
0f93a230217d6b082ceb5812055d7a8e915e9d3e46b2d62d4ec1a7697dc3f596

SHA512
098fd4445930178767ac9bc6a00a8d409ed08c0d70cc078811d410e51a65a8c4f3e6d467e2b85242973225b1125f5de4f086b3ba96f11cb71c375ea8f017e269

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7d308dbc71a459e8c9ac779b5c7a044e

SHA1
17e26fda576d721c1a7bd1a055eb3e2c228c56c1

SHA256
584758a89c3adce9dd8920accd6826eda89432bf57be574eab978bad316ed460

SHA512
6551ccf5cbbcd978efe16dbe07b81acf3e4b75a0af6e4fa6f0701409a7c27c101731c269c76a86883f3464975684eac53bc5d38c0f599b0c28d62f9a1283a9b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dc89daba2897a8297ef3489972a0e140

SHA1
717a4d46c5d7ab22f40a81738f69084933d3bd88

SHA256
429103db7404bde6722e29190a6d900b75c3f99225a56745a399bcc01ff1761b

SHA512
68ace9cc1d9c29645880c3688087d52b0e28c54c33102cf54cc50c7f305a69fd493620d4f6756266837a02a8f53f25281e599ccf1db481b8dd3fae4d5a06c78f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a995e652bd4db8c6c6ae65652620d498

SHA1
71813655584d455e58c3590b1102bff7613858dd

SHA256
d3d892441977f330c327bd1380c276baeda77f893797a8e21839c344b485e927

SHA512
fa1abad0a35664c55121afa21384e2b8525a56473b92b9d2aede60050566aec51f219489da066e8694bdc51960929639d7a8fd7ae729b64a9e921db65c1de788

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d0fe65cbe97db230e770272baa748b94

SHA1
86757f2aac6cd93f844a1b4a06dbe5768f45ccb1

SHA256
f36406198b5fefe50fc21e9cea69ebaa8f0c317c254137f2b98e7ce3b3211146

SHA512
1d1ab1128199a1c2d1f38fa1d1c3d3dd85c3a3f35a106838bf14d4dc3d8dfba83f447e1c21ca295a3c0feb9bceeeea99f2f9ad636a61574b7a15c4a560084b31

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
37b05af3008bcd9301ad0df17afb59a6

SHA1
4383c99e877a8bd92bdd9baa9c426b55cd232336

SHA256
69698e5cb58f4d8d5071aafe585ddac17d770c97b1ee51b121cc7e09103fd1c1

SHA512
db0df8179445641a41aa170007692beaf3cc6110c4070541d0cb768d138b5c6e94adca7e6fb03ffe4b3472b4ed5dd24354cdf2f3c66efce78b2b9ac4ae04c322

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a8402dcca5f650e1c75abcc9f26bd74d

SHA1
4ed97041c206b555dc3a2bb0e6be53d4e888c04e

SHA256
576d8bc070641602f380670144a8db8e4e0a1a1af882d9e9c3fc48aef6594261

SHA512
5affdd9bfd519a3a07c0ac8e57f9eff8b1bb596538d88d60d1eba9c4764b269ffc5a2eab9654c9807c8cf4646a74318b9f2cd6496901de4ed3584de20a7801dd

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
572f76f073a859700568349442354dd9

SHA1
bdc17eef4509c0631572a8d789f3d1888955a7aa

SHA256
082e356f82cdb3359622b9b0a0bf3bb4dfe248e790121eb3b37ed4592d082ec6

SHA512
c7e4e1d5123105e8eee36aaa4bc2fe2c33298f5183597a72249168ac13d697d19d5b32666947f87bff91e02dbd4164c332e8d7af787a4d3a62b2acb6e1ff56ff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f59237c5505112c7f52484cf029b5780

SHA1
78600f8087e677bfcae405cff2299d60c6419eef

SHA256
4a31d3e6a6043893c7f5e76d2dd21bcef9c1ce58dbd577ca6216787c2a0143cb

SHA512
ef4a4b759efe53956cbbaf9a0fe6a93f5ce72e889add7e8c70d72f7e942939ed962272bd483f515c6b7d182e04e62b6a9bb5704989086603a3bb6e6e9c774200

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7d63eb17df1c2a261eba130607d9a1ce

SHA1
108a7476be70242079bc4f976010fc205c2200df

SHA256
2f69cde7ef2c79ce481920f6884999e02ae3d8b609bc7ecb0c4152bfb1f0432a

SHA512
2dcad0c73a8995e229516a08003bb63e6e37e8c537bf7923aac1d103ce7ead61477e026aed6fb700524eccd587d25e4078adedd1253a53a7bfa83cd6a11bca04

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
292a430111f753aef60d84e9634482ef

SHA1
eaa90f444a2119e17f6a07b7e2d44408e032e34c

SHA256
b436fdb582a029838bfcd7bdec7c97ed244178ebcd2889614dbb4a9ea02561b1

SHA512
e93068bacd6fc7665c3f44bb7f79ca5de8c50fb7cc243fc79780583f4ceb58b0e374fda1fd70cda9bfe930861e599e6934a00114411f9aa75ad1773858f7f834

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
02f4e378221a7b7020802860616d187e

SHA1
f1e447a1886aa11b772bc6608a2674af0c0940c7

SHA256
8d42daeb1e4105138dd5fe3d052bcdb46b403a6c082fb290d2f5db36512e1d41

SHA512
c7208c24e4905166beb17ac70fa0a76c935cefcccf1d835615110c6e3932b6a6fdce9acb102596dae6e2b682b9d23d4af636d9bb435e758e8f4a4bdf71444618

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3afca6c7ee6bfefa7eea8fad4455ad9c

SHA1
d517424d9e6ab09a2e289638d1f74805d6831384

SHA256
f9cd5802bf626ebe38e9984ef89a0154b671099c608f4eae94867bdfd6caf220

SHA512
8fee8ba79e782c8af8a7ed66f778d6126acca20ac0a1cb65e5c4406bd233dc4208efeba7f42b072200fe03029ba1e1b5576b1c1168c5ca80cb434012343f60a9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f3e49f81ffb0904e44acc7ef3a544364

SHA1
b76e76f5f5e4dcc19a0437f8df03c90eb45266f9

SHA256
f33ae2206e62921571c9a51081daba13b71e9dbf349d42a62367ecd12e4340c2

SHA512
4699fe87f017cee73e967ac9f393ec1a876e035d1bc74716dc750b6e2e6d7e0f3d0ec7ecc5bc6126c301c5297a848f4a8fe5c3c305a00008bdda0d446bb727e5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e9874a0bb26bb7a0102f0a85b3db65a2

SHA1
cb84598f9570c54b29d5736b5101c932d1a19a1e

SHA256
50af4eafc0e32003bdaa9e419a59c4875ff1fa3985d221a3edb868e877b8b96f

SHA512
a0d8b2c7d443d72be8487632a45823cc4ffe780542ff8987ab255c42386d64bbcb47b741d8469b358d3f00707e40967e954c6d5a96edaf9e75d62ab8bfef48a2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e1995475507becf54a09d7363cfafa16

SHA1
4c59b60e9a68a786242684fa943454fc6785969e

SHA256
67eb5496c64c4920e31f40176aed7084b8850a4ddfb31da95cda2d611acde7c1

SHA512
f516a20831f25f924c60572b0d57febd41a6bda9b44a6a808866dee02d98d8516b37c6a29a6f5c3acf1a476c463f888fdf9fda3cfe6dfc34c974cdca79ba85d8

Download Submit
memory/424-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/424-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/740-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/740-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/740-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/740-44-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/740-47-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/876-136-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/876-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/904-221-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/904-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1148-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1148-450-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1504-67-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1504-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1504-61-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1504-191-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1600-618-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1892-192-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1892-635-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2028-21-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2028-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2028-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2028-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2280-83-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/2280-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2280-78-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/2280-72-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/2280-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2636-97-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2636-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2636-206-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2708-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2708-31-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2708-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2748-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2748-601-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2748-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2920-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2920-637-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3056-6-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/3056-87-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3056-1-0x0000000000560000-0x00000000005C7000-memory.dmp

Filesize
412KB

Download
memory/3056-446-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3056-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3188-636-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3188-195-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3340-640-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3340-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3720-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3720-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3720-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3720-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4308-642-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4308-258-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4560-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4560-641-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4616-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4616-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4744-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4744-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4800-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4800-643-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download