e542bd92e2b52f506a62ac86751dd49eb9ed57bbfe30c1e4c780f2b228786e38

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
Size

625KB
MD5

6394099d17c29aafd1bebbda4f03d110
SHA1

baf4032ca7e96645dcc8c51c796de217d42459df
SHA256

e542bd92e2b52f506a62ac86751dd49eb9ed57bbfe30c1e4c780f2b228786e38
SHA512

3728e3dd203bca9bad5194209baf21754f220bc2de304f74308029db086910041e6a9750e784f630ba5145cc83772de801bcbec90bfb9f6e4c28f54e311a65f2
SSDEEP

12288:N23Gt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPhA:k2t/sBlDqgZQd6XKtiMJYiPUA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
928	alg.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4116	fxssvc.exe
3080	elevation_service.exe
2780	elevation_service.exe
4040	maintenanceservice.exe
640	msdtc.exe
5012	OSE.EXE
2128	PerceptionSimulationService.exe
1640	perfhost.exe
2160	locator.exe
4732	SensorDataService.exe
3488	snmptrap.exe
2896	spectrum.exe
4176	ssh-agent.exe
4588	TieringEngineService.exe
3992	AgentService.exe
1868	vds.exe
4016	vssvc.exe
3180	wbengine.exe
3760	WmiApSrv.exe
3648	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f77a3960c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b642f6e1ca4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3e9496b1ca4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acb0106b1ca4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbfc3d6b1ca4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad84666b1ca4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d4c2d6b1ca4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c34a4c6b1ca4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe
4472	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4456	6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
Token: SeAuditPrivilege	4116	fxssvc.exe
Token: SeRestorePrivilege	4588	TieringEngineService.exe
Token: SeManageVolumePrivilege	4588	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3992	AgentService.exe
Token: SeBackupPrivilege	4016	vssvc.exe
Token: SeRestorePrivilege	4016	vssvc.exe
Token: SeAuditPrivilege	4016	vssvc.exe
Token: SeBackupPrivilege	3180	wbengine.exe
Token: SeRestorePrivilege	3180	wbengine.exe
Token: SeSecurityPrivilege	3180	wbengine.exe
Token: 33	3648	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3648	SearchIndexer.exe
Token: SeDebugPrivilege	928	alg.exe
Token: SeDebugPrivilege	928	alg.exe
Token: SeDebugPrivilege	928	alg.exe
Token: SeDebugPrivilege	4472	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 4888	3648	SearchIndexer.exe	106
PID 3648 wrote to memory of 4888	3648	SearchIndexer.exe	106
PID 3648 wrote to memory of 4168	3648	SearchIndexer.exe	107
PID 3648 wrote to memory of 4168	3648	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6394099d17c29aafd1bebbda4f03d110_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2996

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:640

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2896

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2508

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3cf886dbe830307482f5c27293b0549c

SHA1
8cd4dc42b2ac2ff7aa03948288a8fba1f448e0d3

SHA256
72d1b475171ebb25d486e61488eb1e04661041dd7f3fdc79ca09964435ff2e72

SHA512
e0d079377291d1fd96cc8f9d9455b72fa8f6e73910982e8bad3d6895e67707f89f4b65ced79876fdf110f9d424ac3d2e35efbd9d94c16867443719dce01b2be2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a1dfa8a871e6a07c4306a9dc183f40e4

SHA1
092d565206ace09ca8bd2c8e70f554beeb012ce8

SHA256
e62962bde412146197db15d10979b345c32dd66314c4ea148679fbdc31fc7965

SHA512
3e0d9b92178af055375f5fa3f5fd196c89d891c642d52224c6e3e7f72a8963d5ecc532ed49315fa4e31baeee1b3d3178b6dcecc4e487492a6d6093a276bc39ad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c8ac84d53dc732037902a735bd5a9b4e

SHA1
a9913186c744912b9ea70f704833eb560e90fbf3

SHA256
9023596e82e810692c6797350d68a7f2485489c290f0c52f20cfcf8c6bdd2538

SHA512
5ef852639b35ac0abdce749ffc1fd65c7ffd192499c01825a95b618b014af2aaf8150f41c3fa40555ca94df0568be6365150075526f77efc609ba33ebec52a5d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
63790f5b53181a8a56a7b1f753efbf11

SHA1
c82915be12795fe6b6bf7a8c7f9ead8c84af780f

SHA256
634c0f2d8bf27d0eb15ee2a8702fc1fd300d7c17743f4f84a2d68ff041ebb3c9

SHA512
e0973aea192021abdfcac69b42687dac657c72034b087dd8812ce5e0968ed981f346b6f4e8128a8c11641e7b57d3bcdf39bcb904cf3457699521061f5a1c6868

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a11485b5808bf2441e8d5ad3ffdef0d2

SHA1
bb1012ac9414ab9c34644798babad397805a1ef4

SHA256
b975c2156fe21a5fc00d9c4616357a85b73fb2cb78e184ad3a630b4337ca9e3f

SHA512
1176c2b4b16953643b3aa67d9e5bf5351fc045e4a5237a1dfb48b64917857caf7c72a784e375ad5bdbb46822c8332fc2e656ebcd0f187b4bfe592888e36a3374

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
98a024c301464924a5774bca235f3bcf

SHA1
eebfa75eb0b4a2f9e2df58f76e3fe14ffd34bd2d

SHA256
1f63928835e51adff5cd4ac7e506d7895c2bc3c4c96ee3e9227015a45461ca8a

SHA512
92fc8a5af98689a525cee17ddd71ddbd7c9e97d18776bc54aaf59f118ea6037efff521fa8855ac085ddf836e659c5fa9ce792a556715a8fa989086368f78fa54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
3cffbcb7b3af15f4a47046e61f2b09eb

SHA1
32eccf6f96da56e2fa35b5f5f313c0b5cdba1f72

SHA256
2068e3c3895797df23af6344ee32d6f66467a76d81545287ef194e705cb9d099

SHA512
fde3f7f0217c869226b79c47ed24aaad2b810e0271250f50a5d3bfa36ad2b06297b064858b2feb44e1d2abd95adfd6e4de3c71b4d65108113e21c08c39c75479

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
064f66c3a8c242fb3cfbe258a2c10bf1

SHA1
db0d8c378484f5d47a9d2dc6c7db33f6a6342de3

SHA256
050bdc7a4ec1974216a0826861fa340e0ed5af8a36e23a30002761e337d36d06

SHA512
a557036ee782e27ac8fa89614ccce028f5b78c51fba0b6ece626ba5ed3c98a63f79c9b18716ba5aeccc7cc48ea7aec4a44f7ffba2108beb53cc6a68012a94a10

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f9a298ebaffa29a43b23fc2f6274337e

SHA1
25a2662ab6fee87a91e6d23c539f0e7cdf5cddd5

SHA256
db6ec74cc8adfc100cfe76129d8549d92eaa37e4413c9c24f97ed4e90428bfef

SHA512
8f5284626161f7b46894fc75723f96accd7fff24e1417845c551c22ca9b3256059617c557cfb6b9061dcba9ee763db61ce7a44f02f083dd8d1930c2f3f6900fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
db15e8290ec1add1fb50131adcc0a2a3

SHA1
2b5bc4a3cda37bf418c71809025be21fc6267567

SHA256
9ef5264986591f08c804700a51d2fe5ba839cdc1d1d18c48b2701ada79d2f12d

SHA512
8eb7920bb8536e218bb55418cf8ff788a11919b9702104b5c441df5d82e5c7deb952a5e2428f53cdc7aa95ccf1b4e35fa1defd8e7a00ab18d7b47c104537af6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
edee7d35462a263c094a3961a7f15797

SHA1
04356a2dd4b22bb2928a774c643a58c9381d46d7

SHA256
bcb6a723567e3d780a5ce9ad81e8511c5b0e3478fd6338e00d883b605f386bc8

SHA512
37ce33759b86d7f231f48fc7004e27f83fde0170b1d4d9850ef6ded04416b60565c6b841e16fc689ace06058c8c10156dbcd57683ff2ba969c240faf2abfe01e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2c346d6f64180ff78d56b8bed692ac98

SHA1
f24a1180758d42c499724c21738a2a813249730d

SHA256
1c1d36fa9e676dbe5bda559111bd423f785ea1a8e97558f3587d9e427aec7618

SHA512
e02a23010ee64bb8c9960c4dd0576c9eecd3e72b7d55d22bf4502b7c0511d07cb6fc5ca6787e4449132111e0bdb38c47409192c45a042071e7aec18b5875724c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
94563240031b223fa42c0d027cc83a07

SHA1
f479732d1139f0cab6d5948ab649e6af7916f0fc

SHA256
232ac61194b704780b5ff96a4e4bbac3b2a3f08fe1255b228adf0d56cf1e8e90

SHA512
3b8f66357cbf65bb455d6436dae5f5ed165b6cca5fe60cc7f34e5a8952071fd943f9130ad216895c1e4c9328473063cb491438722c8c22d18ff8014482fa4cff

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
61e0921febd35d04f3b9b6f116f1b510

SHA1
611b202427b698de609e8307c5bf982766272990

SHA256
0352bfc2ea4cf58c976745bcfc7ae13b938c459bb9723b8eaa9d296955d14aa1

SHA512
8d779483c5b9907069bb09dbffb158ad2dfab3d31cb167b5635094b4025ea1d0f80fdd42dd205279364f92829742f466e8ae993ec5b3be37d0a25f832b4944a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8123e6754fabb55cde09f9dd182159d2

SHA1
9740061e58b9236a093b052aa8b3682983fa7390

SHA256
24957112153a84647d665fa1e2c7d88b671b7cb4fb54c01fa3b4729280456258

SHA512
b43339bc9b240fab2cab938d2dd3d6c84a7c593f887698f5896c9e322552d1a50b153a78bbd1c5793caf9fb5881673bdf7491a553541c572d0862b49c1ccb35f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3041b4f101a366b88d0d313eca4814b8

SHA1
5283a4a8fc07118673201ce20e5401b8b55ee51d

SHA256
f2236c6b546cae3fd12e22e3f5f8f308f462c68d0facff0e0fac7ba2f3bca77d

SHA512
90f7a0b5dca9ccee65d71d7cb5d7093ab5648f9022549f559841d982275839419259ced4a335cf003cb18a7a32c8261f8f7c5734486d93caa4c71e325bc586fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fc438c8e4f3e8cbe0c15ac1e65705169

SHA1
0ff408d8f32dde1145c4f210496f15c54622fb02

SHA256
2046e3718cb305e3d518d9bb35fe73ed378242bb7458f7784191e81cc1800950

SHA512
fcc355c628a82abe28f5b4c203e129f9588043f1aad6dde086a9b1efe5d93f1741dfb98b4cf8fdab5c32d77ec144540dd1ac017af1152acc58920d9f50e8a679

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b046d8ffe283c89d250add8253111b02

SHA1
5af78edac6a89302832064a2ff5f0e552f95ee95

SHA256
43f99a2da887e229744c6391c6e2e8dd06f12f10554caad039e2b003633953d8

SHA512
7c90a518bac4e1e3b55760d99e79ec1e02038ba6c495fb527f9460add6e848dd68f818ae94873ddccab3a9e02d18eee9d10b17b30e5637f1f82dbd2d630dda8f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9619ca49f5f2522b95d4341715711f9b

SHA1
f68f57587eacb984b56520628a8cdc7aa635a0e1

SHA256
04f88554fdc9ce8fff5e17f501d68c3610a52331c9dea1302d426c34e966c84c

SHA512
00fd735598582366a3e8ba0b785240848e5a3007f0900d8930d10f16d23ab17bcb606bcd90af8d1ec5ae140112fd5c225c6e07e741418858d5f7f8cf7928282b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c9c6a9d76a31ee43d38274b7d18a16b6

SHA1
bc24fbb24bef03498b04b627ecb83a42ee424f19

SHA256
32a7cda5552fa8f34a408439d10278ac9e0955fed2ecb1e7e6aad3a89a26838b

SHA512
f5fca366d70bda72171d188d8342e201357f53668cb075d340b5505b25de2d98a630c7207f517bc9cdb84b9e8bba09762d7977a87ebcdbb13334c396a458971d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
705b05638825b54edfc83b9a7209c1a9

SHA1
57f0e807961ade386182e8d0e25855cff9778879

SHA256
e7e705a79f3dbe47cd721648742431d62fd3547206081007aeb7e1b4d8855d26

SHA512
b5305fcb22bcb045939666b948def1bcca9540e77f4878f26ed1d4ac47f238a65828a773e2f6d6b31916d8a0e17d2baeced836123cb12a82da167782e7dd52d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6b7a3b23e63b82ef8c45a91c4bef107f

SHA1
3827b62fcad75e4982ac54f5694e880b278c9429

SHA256
e83a3d004132c85b324538be1e945f439e43f73b196a4eeae626f962858bef9d

SHA512
2235940c05eb8134552b370ae3f6aa1af0fcdb84103bf25298ac63e590ecc4bc11ad3b5ca91a34fbfb7e079b65fea7390ca573fd8ce20be7578d951d521d83d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
523d8ad5250fab486a1a35eec2944541

SHA1
4f57a151cdbf17f62d89de163bc51ed32198b8ff

SHA256
4c620e1f28e74cb42bff0b906a6031074484e6d2349076c8482782a4942fde83

SHA512
4ebb9a0c49390941d16b9a67565a541dbb2ed44729b592a01f2f98ba597ece1935043aac9373c956de8d696feaac3f3e54c378392f061c8b1319c0947fc6da33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a9d3bfff6b36e1fdeb31c2a51f74a389

SHA1
892330f91898118b103a7eec03470f63c0ba1ae4

SHA256
0f09b3ba1cb654de4bd91ca328d31e0ab62959ae5d371f727cfc57ca4521be9d

SHA512
e16823f908344f6ad39cbf63d580ae4f333cce2e8def8a05621df2cd5a6eb71d3a8561cc9ae889ad6560d0cdeef7581eadb989d88b8370aaeef6b3926020a92e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ca4d4aa09316331fcb7d288eb22ecfbb

SHA1
c7243e76b3c8b2eacad1290fcb4410bc5652c38f

SHA256
18f1505a06d1e0050f4e2fa11492d70de6db19384ba206ed94f939d1d564c362

SHA512
df4aa8b2f61cdb867c6e0c652dcaffb981cadce0e48d87069ac081273f4f41bf2d288a6c92ddb25b34261d7c036f9ea553bac80b4ef1470c18afd0e72372e928

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bafc0652aa1dfd67a60940370730cd1a

SHA1
926bdf012b390743d8f02eeee4e977cb1bf0aa26

SHA256
650d41d22d135a66466557059a7c2e9df9b71f5fec4c260fd515ea83bdb0fc53

SHA512
41e7d91b397e4cc175dd7ac4f8cafb247f63dc3c33c3d00773e51a854b177fa9d892116a4391706c6c26f50615532f22fdedb5f0d90d15aa98949d3cd833c0aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2389d262544b2d69bab9f18a16c8683e

SHA1
8e4a935358adb7380987610a16a55f9b0261af44

SHA256
4b2342793a0323c4d7d347c633bdd959f8230d28e6d70d1a30a7551684f1f3e9

SHA512
dc13298e3c9330774d89f8f3d65ca310c44d700be657ad867d37790250efd5958ce8855a1c3f6a0c70fa9e93681d7e8065a5fc480a06da2e902a43322a68a53c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
43183edc18ada5669d7540dd98451beb

SHA1
f5e91fb1f0848fdd1a1a89d7b2f3ade70093bd6c

SHA256
62f0c82658852cf163c2bdd97f76f67c35100ba98b9e2c862e860e252cb87580

SHA512
a0c66b67e7214869bbc26e771b78c55e36de786da4f024cd6f04487e83a99b4115d8290ca276bfbcaa8fc494825601fabbd9c5503696a5a37f740eeac1599e5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
da24cf85e5bce4556e2ed9068aec70e4

SHA1
0a42c9ec7ad489cc580ccb5d17f2057c11992750

SHA256
311af82b3c3d781b6c21cdce4bd07d1bdedd26348a62d9e3d2fe3532c3e93a82

SHA512
c96621bbbd918008efcf44429de8f30e8f461293e9c6469504648d02d01a960865bf4fc8cc011b8a6eea408defb8b5f083b98ff3e10b8ff7c562992bb4740a88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e89435a0d4c2093e043cc88d57602775

SHA1
d11d9278832382083d50bee23756f74f2ddf1c5a

SHA256
41a5503a46d0a9035d07930c19cdccad84e6d93c11a5e63e72ae30720c9e2293

SHA512
7fff8bcfd4b7513119aa54b737392aefe802c90a3d28b7e6a216e502a04b5da1e1551ac7593e443264003c41074ef119811a0937e54704114976bba07d8bb36f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
29961dba871a06e1c6172523409d5a92

SHA1
77d83fa787fc03d1b0203422412f65e647ca6978

SHA256
fd0e45d9344a0dfc729392bca2bb742aba34875751c7cd2b37c66ba1af1bf4fa

SHA512
3574cfe02e9bab78add7484495f8c48f549a8e905c03087f63a1830e81da69164b43c54a748cc852fc9517e8aa738f2c0d36d3eb19d4b479c9ebfb047e1c366f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fafaae0c532d264584756d1e42b99546

SHA1
7eff693155ae2c95141bfe675092dac9c997e42d

SHA256
71226986e6f14592ed46e1056d0bef24f9399e817986c217ba56db9e5bba8185

SHA512
36dbb8e515c12eb5b211ee3e7b5d7e222ab56fce7d9478376751abaa39f488795f2b1ddcdd7a70f75ae5005f2a33924779c4b33acc4ce18d46bc857cb22526d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e1610617b9c1326150e23e719922f0fe

SHA1
48ba364171bb905df75c58f532551a54c60ca4c4

SHA256
1b9099fa741b4bceeb14781664fff163ba2c0b4717f9a5b02dc5b54697fe2220

SHA512
c9f1cd01ab94fdcd692661e1ca2097d0b704e60d074c1e6f55a1f44cfa0c15281e3a2538f32996803120eff6eea6e51fc2db2494e121cc310d107bedca713f79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
8aaec262dc2405096ec2e014b889622b

SHA1
b3259b30c305b6d2cf0936e942b78ac531a927be

SHA256
e3a0df8dfbbdde11b8a361077cefd522407d07009189a856c72f8efa4eb36214

SHA512
dbe64b78b42fbca50c60e90a4fd9ad48af072c3a75560f13917a984ea6d217214c56fcd4726dbc7a91c25fecced7347d641e1e5a56468efbecc0eb3883201a6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2ece01f5922fec9c71651a4dc60ad0d0

SHA1
1c65274bc7335ce3c8c6c1d165930bc58161020e

SHA256
459a06d14c6b4aa76a536538bd9362ff0ef8a57c3d58c119bf25e8dc382976aa

SHA512
8adf53b689b40d197b6d813691406a0620a29acb700253d8f113d487926c4d1b40d74d25665c9b8c4a2a127ca4a746027762e7527789933052c01f987ba3c8de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
aae0674dd4325530fcd4b5088cbe7667

SHA1
91a0293ee05ca06c72cbc7523a42c1f60033c4af

SHA256
14bb034adae655604c7d37873d1a34f8eb04e0153f4d9307be354d3f8b1907dc

SHA512
9cad5351ee19137fe8e0ea7fe2426ff73f4ae7ea7c8da7fddc7c59fba193563595465f7bacd49c5be000e2e628f0b6d137e3e5de3bbbd187783db4626d3439ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
fc8a0da22e547168cedfad65ec3e578b

SHA1
da2dc96897468e11b06d788ca463ba249a5d74df

SHA256
f3dbb8b0cd31b9a801c85e435709d6ad6e0faf51709baa725fdc6f066a027bb1

SHA512
68fde8c9863573b4602392b67255732febfdad4e5287714f13a70b030f3d77a3022044c7135215d3994159b1edd4333307898574956710f3c5c410a30d17e624

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b63d2f27719d5bf065a744fa4892983e

SHA1
94f068c5426a26d45f32630f041f25170bdca840

SHA256
8b02cf50413a632aa1f1c309ec96206708382ffedeae1734b9eabdf5c9401042

SHA512
b5ace745467e853f38bbbb342577977572b068b0080c22c85221a2168ce1f14c94994a253f02eaffce3fd14daa5ca7b219a3177621f850c6718fd61893f95129

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
365c6846dcce47b7b38549edd123606c

SHA1
c9b5bbff0f94b6fbd0c398250a96121cc6363f58

SHA256
e208074752ee4e08c12e4ae54bd6037dea5df1219dca17c6713893aa0b492908

SHA512
a7b81e7fc9e0982d4ade8b6665282132165e1bcfec484144391b76fa07bf9d915620446ef16871891e81eb818b0d8d9a2b8ca4b76c35691bd88d42e980d6c235

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f11d4127bade0fb368fd9bb3c04b9945

SHA1
a11701123db9a35902238cf6e44ddb4af87daada

SHA256
c05ab585c0bafd216938b1fd01fc3286ce94a1e6d20cb2b9d8fcdc7499b4acdb

SHA512
c4cc2a0e39292c722d147a92eac5ef5783776d49ecad561fd5ba04ba8f659db2c06e0ea22f5ffb3429d9b543ddc5434209ee44048e18d4611c59fa2e54b13c5f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
63deb268a1736d94e126c979f9aefac2

SHA1
429137951862bdc33473962cf5c6005150c71892

SHA256
6e9f0ae0fcaba89ef92d7339b0a0db0aca24fc2b27bc16217c707ca06afac87b

SHA512
03a72e5a67dcaab9957ebadad6d3a74f9a2c2dae18ef1b122bb80d3f4154a04f96d31d96c2f139ac1e2078c91ddb153f982d7656eef41311bc1e6f11cb579ef0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
10e6a37d8a35ec9b41a969b0c73c03ea

SHA1
09105d822fff56492990063ecc154404ff8c420a

SHA256
207708d4fae2d6b7da4c6d9b5faf8c2dadb6fca0451cbe9a64aeff2029469b96

SHA512
2cc7afd4707f58ca5e2800ef85fd8bdad4d9f908ea71dc682d009851f4bfe5b5fcabe34c1d97b1904352dbc39e0cf3ab7b2e70c0c9ce85e0e6f6fece77f4a278

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a2c0d130cdda4a908dd8d9d9499e83cc

SHA1
13cde2bc9f81040734a66459ce9d81711c3c3fb8

SHA256
23c760ad06b196eda99fbc83c2e75dd93d329b1178be4193a49680aad199d104

SHA512
a84f7086cc0a079d758cee92b6336830b6aeb6d4b66b0b321541afa8df29f9e782f1cb99faacd8938e159b7b744b21395cbbb6272a0d79143b658eb7780b9ec0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a9cc63cc1f02ec4cf81a012c6b17cc1e

SHA1
7ae8a0dbc7e13415384851668a8548d44467e659

SHA256
863e2847a6a37f53d267850cf82f365e149e2833f15f1f76522655eac1965a17

SHA512
45c48fa4d5e238ec6e147560ab13b54a01eee1a6004079939b0fe0c1734d13b3eb5f72bffc5e346dc2d79ae62b7a9611e6337733d0c55c5423a674795fe853fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8b45410e637a8a06883ec27888b7303b

SHA1
25b771c379dbd08eb4f06ed096e00f0e257e1805

SHA256
1c7ff0c2485f9a7cd97cf500402b6e0b6d62a930d1380e9e13f302afd49e862a

SHA512
18b719fc96cc9c6e5142eac69e6985b40f5b42972d9dfafdf258933534844cb21b4be481a8b7b24a3973269bd5824b0f3421a2affac31d9379a98a50f7680c4d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2db25f089cd8de5cf739a87a291fdfde

SHA1
9eac778b93c6ea8308903a8a7ff44b2311fae203

SHA256
3e0eab444061709281fb3a17d50a6806333626dff06d984bde372563224515f3

SHA512
62ea6e4645334c03a61a084d10531438aa18279d4ca478874898024c92cbf8bd11ba099d35168a5883ddcead57a207fe04e3b5fb7e3be19d15af38ad08778643

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
30fd02dd43e0bf50454b7e0a61dc7a44

SHA1
8842aec7f804a9d31e84fee54f873f24ec0b3e65

SHA256
d03a5445fbdc888f9af8872cd84f86236dbaae39e9ce66496539b14dacbeeaa1

SHA512
0d78f86dfd0bf4d7d629a4774d7fa2310f5a16b97f452a3706c446f07aba2f5a1dc8300d305eb523b385a56b148a59c4f54d8405a2a60094426455872bce4455

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
457974210111c7ae7ebbed4411845988

SHA1
38c0b8510b74e6ad25f8cbb1be6648239b961ae4

SHA256
dff3febcd23a54f08c5f7c755e35273008a7a015b1bb7eb951c5165b73be6b6a

SHA512
1bf4c1edf0ca51545749b43e24fad23654ba030d9cbc3321e779d28387dfc0e9fe6d10654b3443559f79c56e6588f5e215c265d4021acf9ff7e4e0f5ab9dcacb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
059e30d1c5744186b8ea2214217822e4

SHA1
fb486bc959b9d431c02b56c33c8c7d49f7a6dc24

SHA256
3cd7a6e49d4f067408819683fb875fd0a040f2f89f899bd10da7a6e44a378493

SHA512
0c00784e21f7dffb0e2edac9495bfc821d3fbea27e0824c3c9ea3fa93b845a0da383f7518a3b95e73dd779444311c72bc5088d9664b0d199533cd3fec26c0c17

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
36b797cb724eea0b6465b9d6c7d43b5e

SHA1
34900ddc84567d597ecabd9d2b7e6064d360ac79

SHA256
50ea49a1af0902f365fb3e953be00a5ddc574ea91e6c6b3163ae1112ea0d326b

SHA512
bf7efcda6724cb783df1a3c39e0d95ac3089357b52301f6ab67d010c8db7f51f930bf39d4ff0a7dca9fde98173bc1ad32e85c7d2e0a41b29e60b4b646c51f914

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f71c7ab97c00ea4c2b331a3b58697074

SHA1
f62d0a4f4401dc231c560434c89134894b59f3aa

SHA256
62f9a95b09a7d510beab281243970362c05f7180411e01f04c4b40acdf190903

SHA512
0134ec60ce956741f83ce0819ab709947cda176997bf5a6d9818a3487cda370582f8663dcce129105f45c6af64b0a3817d1cf93e50c9ba64431c4f43d7ed9c76

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9ee1e008e9368054d066122698e981ea

SHA1
f948c88018991fbd806d23850a68fe79b4fc2195

SHA256
31f5080443fdfab59a8c957a59e3b03e0eb1937c82f114fa609f51116fbd50d8

SHA512
6f20d9a00e08ca32b3c958403fd715a6ee38142e7cb00506048c90eb45973cf2ed8106bdd261bf6c41ec6b0197ffdfce255f98a06a582cdb1bfa702be65f1bce

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
46cc1808c4db4389fbba4426233eaa36

SHA1
dd23c6420baf10824bdd22fdd18517fb9bad75a7

SHA256
ccf47c319c88607a747ccc3bcd216fd60ce0438498c20937c28bf24b3ca4bc4e

SHA512
5cee3507ee67b2f4c1d4f068de7094204d8c1fc607b4abcf4124f8857eb8974b6940a937fc599e813715cafdac40702964478eb86ee92501333fa5d0cc45b8b3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a13eede45bbf4fa66d95a1247740ca39

SHA1
9372ac14c40076f9e1c38f346b018ef6bbbbc626

SHA256
ec5cbb9ea960b48c196e50a7241b8debe082bdb3e74cd263ce95178bd43c5f8f

SHA512
558f0bda735a1096d6124ce8bdcf23aa7cbdf12b4af9b77c59aea1a28e198a0bd5f8a24fd14cf6864b57bdb278a93c225d23d777cd3db0dda9b2274c6bc67854

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4043b75eed6a2161194041142201ba38

SHA1
fedb9e962d0a56f087535e9f86946557026a8965

SHA256
cdbeb3b33f9667227bb345382da3836f4c543f3ac405080ffed024de8e73def8

SHA512
b18f214dca90e99d4d061d7e502c7cb3ba105798ccd9610b3fe08a41fdb8bd31ab4b8418b6b2d6e55647999aa686077badf514d4472ca85da6a34b4bad60f151

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
472381a1d5f9652da38622fd7b8399d6

SHA1
ddcfe6ff08d7f8f57b0a3f1a0c38730499281253

SHA256
3acc80affb0decadd25a4d8586bffb64dcf3860283b502ad9650c4cca0cff213

SHA512
679b7b078ddfa1d8596cd6f4014f1a598ec1098426ffb9be4e3cc04cff38a8a827053a4aa861e6a7cca0dca25bfb1063fd84f835784a3f642bd1a817fd653ad3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
94235c12ba30de3b2bfee78946f4d4b2

SHA1
e992009e161b6aacf1328346d8b428b044bb6962

SHA256
99ed541fb765a3b3087817a150ed3afe2d25195803a0ed12fd283a792f8a6566

SHA512
bdaad6592c6980f09ddc4aacab5a7cb5d95477639b9db4aa07d2a30438d91ea2670cf4cc0c4f87c143ed314285fb3d40b18f1c865037960546c8b117db963fee

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d6d40e3bff90e6eb4049d1453428359a

SHA1
4a122d13308b01da9f71663fe7d1910648ea39f2

SHA256
6c73db5836b45cb0a4ac1dfd1740af1c86a453a7bdefdee9d2737eabdbce9e0c

SHA512
fde5776bcb3aebd1c56137136bce6fae3072ee14064aa2108acc9b73c1faf1d0f31eb13442c68af9ad8616a593573731b4a815dbec35445a987ada21084b90af

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
521091f7bf6a5bfd4f64d204413e0143

SHA1
9cd56c97fc59168e2d31667c981b8ad7435cfd90

SHA256
c0ef741560462c64ac54a81c698a3a4b5e39c01c3635baee9caeaa41083be346

SHA512
1f20667ade0338b3d4921773c5d5d696d8de5f149029d85dfd018c60fa3d735c59c1e58b82cc31a0a7a15e3b6a81b961492e54fc05742e81a8791d59bbecfce8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
adb21fc577c92e0a33d856f650493674

SHA1
a78ae4644be9bf92c401dca15d39eb9e65b600dc

SHA256
edb85a974dde1b14c549305e1e3a56482eb9ae9d9b93db4730011aaaa7f708ce

SHA512
cbeb7ce89e1798c8ad9dbb8c9c693ffe53caa7f601783c096c5f8bfe51f8965aac7864586a881f87801a1b4f54dc53123aeba39db530e6b146fe22d7d197daa3

Download Submit
memory/640-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/640-92-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/640-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/928-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/928-12-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/928-21-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/928-90-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1640-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1640-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1868-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1868-627-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2128-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2128-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2160-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2160-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2780-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2780-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2780-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2780-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2896-624-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2896-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3080-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3080-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3080-53-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3080-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3180-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3180-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3488-551-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3488-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3648-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3648-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3760-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3760-632-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3992-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3992-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4016-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4016-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4040-82-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4040-76-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4040-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4040-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4040-86-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4116-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4116-47-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4116-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4116-39-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4116-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4176-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4176-625-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4456-74-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4456-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4456-1-0x0000000002160000-0x00000000021C7000-memory.dmp

Filesize
412KB

Download
memory/4456-440-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4456-8-0x0000000002160000-0x00000000021C7000-memory.dmp

Filesize
412KB

Download
memory/4472-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4472-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4472-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4472-117-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4588-626-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4588-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4732-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4732-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4732-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5012-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5012-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download