4aece8461a746b93b11f863e48cbae4e0065d599f35f8c225524bb7e93eb8a5d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
Size

1010KB
MD5

6df76a40e6a598fb7f8a744a7690aed0
SHA1

0f8d78330710f33727595a8aec0df72e85ca44d9
SHA256

4aece8461a746b93b11f863e48cbae4e0065d599f35f8c225524bb7e93eb8a5d
SHA512

6face7d13a2085704be3fd8ebc260234a97002636694f0747a00f6d73e58b4e19e5bac6f26a7421fd9a80a84fa778e8185da5b334267d1d65a8eb4302ef8660f
SSDEEP

24576:hEpQQJvKPzvYZHTHy7kHofe3y1sInB2COzRq8DvFqt:KKPzvoS76P4suIRbDv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2064	alg.exe
640	DiagnosticsHub.StandardCollector.Service.exe
2264	fxssvc.exe
992	elevation_service.exe
3656	elevation_service.exe
1428	maintenanceservice.exe
1912	msdtc.exe
3260	OSE.EXE
2636	PerceptionSimulationService.exe
3528	perfhost.exe
2184	locator.exe
2028	SensorDataService.exe
3952	snmptrap.exe
3464	spectrum.exe
1476	ssh-agent.exe
1816	TieringEngineService.exe
5060	AgentService.exe
208	vds.exe
1660	vssvc.exe
3420	wbengine.exe
3256	WmiApSrv.exe
3160	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8bdbb14c293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1d3f08e29a4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028a5499129a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d91ee39029a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005546ea9029a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093bd1b8f29a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053d20f8f29a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1004	6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2264	fxssvc.exe
Token: SeRestorePrivilege	1816	TieringEngineService.exe
Token: SeManageVolumePrivilege	1816	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5060	AgentService.exe
Token: SeBackupPrivilege	1660	vssvc.exe
Token: SeRestorePrivilege	1660	vssvc.exe
Token: SeAuditPrivilege	1660	vssvc.exe
Token: SeBackupPrivilege	3420	wbengine.exe
Token: SeRestorePrivilege	3420	wbengine.exe
Token: SeSecurityPrivilege	3420	wbengine.exe
Token: 33	3160	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3160	SearchIndexer.exe
Token: SeDebugPrivilege	2064	alg.exe
Token: SeDebugPrivilege	2064	alg.exe
Token: SeDebugPrivilege	2064	alg.exe
Token: SeDebugPrivilege	640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 856	3160	SearchIndexer.exe	112
PID 3160 wrote to memory of 856	3160	SearchIndexer.exe	112
PID 3160 wrote to memory of 2148	3160	SearchIndexer.exe	113
PID 3160 wrote to memory of 2148	3160	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6df76a40e6a598fb7f8a744a7690aed0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1912

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3464

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4924

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:856
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bcfcd3c7e49427adc5c65328e8559f33

SHA1
7825fcb0dab934fc2456237b3471f2a714e53a95

SHA256
a9821125ea6f96d1035d7d9b196810ae53d5477e56e953069b93147a59214cd6

SHA512
b039e4393307a3c231bc873e1ee8a8b0f69e3b15e143704560e33583d3e85a0d23b370695074c2f2b6e69ae2103a491d38af3df5c4444b54651d1f4c80890b46

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
52f6e75155ab0d1791c8ad5db4e684bd

SHA1
5acdfd8e615b04ee9e115981ae393629d8feaa9b

SHA256
531b81d3a9e21dba41b90621a389c274fb1be0cb901af9a6579917d25151a7a4

SHA512
be352987e3f52761c431f25d87291a157377ba3a4b69bc7fb097cbb7f2433834a3c05520f10fbf4dfd93adce625809ab8db61dbcc4870bcb058a176226244fd1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f52a443d3590c1942bd81913432e3904

SHA1
8745c5dbcc07b63d6ab1b07f06fb170b01b94b11

SHA256
c28aa98e5cac460d36cd64452ddb397b1c1f61df0883f82544bde9102c926af8

SHA512
ad452a95465e903ed5616d9773f95cbafb7fc57e00c643baac20406304fde7be4ea5955ed7a3f48886f53c5a3f5f3d7a4f7714ff2996e798909f2c10bb34790e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dfa6004af21e397bbf14bf7388625dfa

SHA1
ba671b8731c1893caee8be78c74247731c6b9adb

SHA256
342162c38cfa43219b5beaedd8f0be0e4ce3adcc3a4cbb1ae43eec6fdb36bc3e

SHA512
d677351ba7bae4dc0ab21055cc38c7eb041f95738266ff5388ce7ce1a5335f1acb6c0ea39eceaf81e95f88f4fdb6ca333fa313a9198540aa08fc6efe48b7dcee

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0678c2401bcc070818d1c6f306bf0ba4

SHA1
90c0d5d3de91f3b2b577baddabf9488e26ad0efe

SHA256
be7160872ed9cc72be028c5a8f76e9d0104a254a17802c96c5898a8d7365289f

SHA512
e1281ddb2d6481c793ebccabef8f75a854713838c91c156c3288fd4b2c708d97837e4e0019838fdbd10c87478828e1e78205f4b6a28d8b2f8c81b5b101a7239e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
53cce8cdaa7f042ce3cef96507f3d3d0

SHA1
7d0ba911c965d746d43e7bef910094d27411da47

SHA256
31d7d40a8da0d2c956fadfddb4b421979569bdc348e39df39c3e3f0dd8a84c02

SHA512
331248459fa202d7831f73852e3a044f8425d81e38e3e362ea2b80f709bd5ef4b6abb369e225b57cd9f3a3a379cdc6b196a2edb0346521efe6b4159d23c41af0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0f0cef17de2ff34149040788609c32d9

SHA1
c3719326ebf6a01840778efc5e3548cd7fdd0056

SHA256
e09fbbd1e96053d240862b66cef4b5d90fc391f695a52cd320dced041628c339

SHA512
83f91307cfb86f0c7399bfade71013d6b9a62eda211fb0173163f9bb27c975d575919ad10fc2ecf2827f8380647191ce29987f47cd8e339b0136555c8b8e8280

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6bbd057193f555a26bf1835344d371c0

SHA1
74496f90543eb0d6d4d4fa356081fbe6157e5e20

SHA256
f586e428f55b368d3204c6746ed97678e032f4dbe6d21434e62ac16d9d16584c

SHA512
7f2e1fe0fb745c0cf2c2091446706481921353370df92379459177a0f0975a60a8c0bb0b7d9e0d286d3c3890c13340a4131507d9b43e8607c9dab7e482066cd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1e1c954fb212e25157080f473f6512d2

SHA1
4723ee70be67246949c41514f0e0c9621410323a

SHA256
239150198f0f45d11a012d993df13275b27b66d25b2dc3cf63dd15e55ba728c5

SHA512
476c598c2c343eba93bc0f9fd6fb4233a69f42cc7f8038a2b40f6710779dc253974d351823a81f4c7ec6b4d3fb3b9c84f8e58d2f0a95030c6dd065fc5b4326a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c715d622e48a284d5d2399e1acb0eca8

SHA1
04e51d313b97cb7acc0b429253d47d810ae7fc7b

SHA256
4f9973ccb66e9597930dd094d0324e15012b97c6d75785b8093a89b71002b148

SHA512
020198782fa5f5ae7377d3b4917d1e9c32542378c6c20709880742133a2a46219c8c011b0ca1c819e22f22a1d61bfce84a7b6e60f5cc8f8a319e8d94fe86ba2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
07334807ecc4a1f2b0e70d49c112b3f1

SHA1
05769539a3e2b5f9e3bd6aa59e1011dcffc39ea5

SHA256
73ef95b4471941db7acd437f36ec91bae90de0aa1bb8be345b3230374af3ef6a

SHA512
e390c768cc485d9ab5c08f66d720f63b2cc8b6f51ad630503ea4b071a86f76ea51c514ecd27e5c27bd05d42c2fd5376f8150759da4f6ad368dcb35ec899deba4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9df1a9d593fd31d54c144b998006d45c

SHA1
12af65119d34e2f5dec079b96a0e79e5fc6b9ada

SHA256
e8e993fc358f27e913ad31cd5c087e3e3a2f70417fad2dc0f2dcdb938e9791e9

SHA512
eb76789fdf5b828e70e6b32f29e731f068bcb3f16518954f028c61781a897cf46b39a91ffb9c53d07038c7c15c1e2850a68690971995e6ce3c090cfa97db561d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f31678a3a617adf428201b95b5d7ac6f

SHA1
eec0917de53ef3b3a3012d65453def9bfafb012e

SHA256
b7f29aaed75e2364e04f0d706e7e0d0a2a839b83ddee751eac1eec3e376781b9

SHA512
0c5fb24059d192c6ae64190ce405bb213cc5845725fb4f2143e232661afbf8766d3dacb88cfd61ac0b0c3090fc652c9792837b54b1661e147ed00650fb14da12

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d59d3fdd560efeb861c75b2fde19d831

SHA1
b4a599069e709f23beff0c97d31974a4f0700c32

SHA256
2fd67754d6f952c03f86e92efa547202c8dc266b5cc0fd41050183b4662395e5

SHA512
25e0bc7773ceb83a3663ef3f1f32035ece721240d47fdb668216be82b628b64130cf11ec0c0111b431319bcc4ab0c44bb11663ca6b134e2e1b8308df0d42319b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
661efe9cba5958b8397b21b8ce2b4c53

SHA1
2d4af5149902189d222a46dd65db60d0889fa620

SHA256
40d074b09024ba69121d5e662dc489ebbabad6a5c349d1e206ebdfc4bf915ddf

SHA512
eb0152bb9680135a15a624ad6e034c011fe6904d89561120d477d333310e485be1ac95f47662e34b08c04dc02002949df5f21ba4bd7881f2f3d0854a4e4dcf1f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
99a94fbf9ccc966abcefe395aa5bebb6

SHA1
923332389955efea439506e76811deef43f8206f

SHA256
8b8050811f7d21434d6138ecb7e957ff67e7810224f52bf9b368e0cc6eb2f9af

SHA512
84e773c20059b10321bcfe984dd111227fc3e87c74e1479662088152b7cb4f0195cef7b336c37c853ea0eccdf8a58709f22c99d63b2f3e882442cdca32ec94db

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f571c4851e6c5501ccb2284c29da5bb6

SHA1
4d7468a0a666a15a37f73708698a0a1aa18e3a50

SHA256
897ea3b4436c112d64643b54da48cb5ddd90c1a1e9ec40e402db2789e43a7fb4

SHA512
cdab0d42bd8b7223c95633da904cbc3272498b1e0e2547870fddcd11ee307a9b61990bdedda83ec1d78f9cd0614f2a49d80a4380a1a96de8f90364fe03481b5b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
90f63219c3a8d2c000ba1d18787d5ca7

SHA1
ffa45e991ad64c84122e0d3ce5d9f80f2169f202

SHA256
b10bba1b8e43cf067ee68265ab5b2aec3ab1ea29f6e61398e92576eb7fff84dc

SHA512
e9830a9cb749ec2e5e05f249bb9ec2bf9accf3366930aa562dec90cfc7c05be9110df9a047cb5bc3ebca2132f7490e39392df4fc795fad7f9de61bf610d4e7d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
259d9048c24d9512a789801296afbeb8

SHA1
6a494e6d772637c010b9d11f9487743e434fa01a

SHA256
565e99d19f69c8fa0ba67c3782040e199a44bf57d4e2cbeda6c80f1f454b250d

SHA512
271d6d0247dfa16733c15fe8be07e48ffdcfea459878929eac5a4008bab84988fc65f6bf83bf350f4d17aaf8275e97099d6eaae5e6134ca1c2c984f7d5dbe7f1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
82cc238b50eb6886cb389a300a83c07b

SHA1
6ac3002d7a26cc92af320472774b81cbf9220180

SHA256
ce5d49c9500e1247934299db847b068cc11b8430f8d1484a6fb4007458102e39

SHA512
9e4e6742ddcd4e170fb705f9d03813dedfdf5c570fbd403a34fea6882a8992109361c842d16cbfc0aeabbd3e32b602447eef34d38c304dfe20f2d55e8a070814

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
4403092ca8ef50f7f0d4e666c1755a76

SHA1
28c51a84f76a0567f32a548d59117e01e9cf83df

SHA256
717749950093fa6cde119026b9509ab273295a1b0b976cf0087ba5ad5b177635

SHA512
ede6e2224d256df13fe4963e88b253519ac30a817c1d18e491f7074aad9e111edf0b73459f7c27311f69b05ab0be03e73a05ae349329c30899b9bc4ad02ae0f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8840a62c503d15dfb5af3c82cfeb5bcb

SHA1
54df729b1f4e9ac87c9fe82ba64e5adfb98f4cae

SHA256
e8cbf926d84dc56dbc1ef81c28a48456a4bf999a2557a9c20806cb9ca4a1f2b7

SHA512
437ffde7d2bffd62596fc7c5b441245473873ecccee181d257f95050d475ca3caa331f82bc068f4a675170f6ce7b48e28ae9dd67e93c4a71180d5b48a6c11333

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7145449c7665414faf228e4adf2d0b66

SHA1
ce2296c9565bc12bf8411cf9ced18b2ba4897944

SHA256
037995c4929164168cf14d689e44f389c6481928084a9b489a7b4ef4ef2c331e

SHA512
3fc95cbefc4a8364951f5a9030f9251fdd9aaa449cf8e789d4438fe44e61a44bfdaba4e0124c1b1beaa8fc263d05725c8ec8aa52ef9657ee992b51bebf7e5998

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d719bc461b4ea5e3ea815a798135baff

SHA1
b23133611d7fcdbd6383385da2b87eba994c971d

SHA256
95fbe4df9f0b5caea0dabb1942f7b559b16a8875b6c019f55cc364f869aa00ea

SHA512
5a1fdd5b26a9f3bf7f08e1c98af028468a2ad5b13e8fefac9a81b6befbd296fc5cd7d46b5ed80cc0985d7ef20c2125445a1852b5690e029ac033d5d1e0292de8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4368e7c94b8803e22d28b1a62f6b463b

SHA1
2f38b75eedecc07ed94cb07d7cfa3f95fdb36b83

SHA256
dd51e28c13319b1081205de2f232c38f03c935dc0396a4074dbc6b48286f02cb

SHA512
948b4da6e6206234d1113df32d866fa5c80873fb0c48c93649229dfbadf7110a09d5fe71e3fd5c3e50850e8b67d2f658ba2d01c43417767ae7f53e2f4eed2ea1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fa275119bd6299a4d0ceb727d993c259

SHA1
5c903fd09dd66597832d05b86cb1c7a9ab65c647

SHA256
ad6149f58e14185e5508716e935c53b3a629b1a5b4bf7dd69828a2a49f2e7d46

SHA512
4018b8e8e6aa3820b89357f3eed9a7f28d3e8c4ae764f2eefac51f3d79593cb267f1eedcdba9682c6f3a91254b1b9c8239ad1bd7c4b434e9de40a32cf1e984a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6078186b4629f48db363f576a63b43fa

SHA1
e5fe20916ef9ea32daee63da7bb7a6ef3e823d44

SHA256
0adc308509813e060d7565378c54dd71e7e7ffd6bff02194fc14e69a32009c51

SHA512
88d84a6b0b56425a3af73d925fea1a8052418decf4309ffc1d5f9504e271cd04b40e3b3409116325e77401fb9a28c1eaa6b27e419347e65ddc35472dfc96bb8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ff0b9e1f23489307ed99cd3d59b7c2e8

SHA1
2c2dc8f9456dd7999e6a743e691f0df5298a95c6

SHA256
03d8a41c4c3ef704100c08712a0cd1d68a5c79fc6650a3a34adbee2d69e2293e

SHA512
7dbb021ad246aa2d7857b30d1eb09968e4bc424ca39aa2aefc0d164720a5b2d2dd7f6935cab87b6fe1448e17aabb609b50e1dc539ce7d5234b928b696f970aba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
947b300922cf745e616aa858427504d2

SHA1
0679d6cce93c4227242a5f7f9c17acce3fe4cc10

SHA256
c2e85b1eaac06d2e9b7bb5bc8437b65785676e3100e4781b51eec2a66b76f4a7

SHA512
a68fcdb503d19ca10d7336061217fa6b8c23eb22d4167362bc4345d7abb75eef5b0881de0f81e2b57759279ef0b47535a4f095ba8a89d8c52d7c5b1df921f76f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3424eee6c6c2ec86d5c2262cb7f13d9d

SHA1
2d872ee8ed5906b4b06571c15f069017b559867b

SHA256
b19c824ff8ecee3ac5a0e6c0acfe1cc766ba74cdb90cdab98ad380816f100aef

SHA512
5eba99dfd303f6a585c6a7053e5b31f0b81f50a3ae7a69afd1de1bd0b74db6b4155823d133aee0e499435779914145d16a08e0f73e2aef594b86b9c4d0ae2037

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
47722d7ccc2e5770b76b419ac8666dc2

SHA1
0fb28e20d79577840e34ea7532ee75cfef7285c4

SHA256
ad54e79ccc0f09288e51db95d3a1c023ad64104630ad5b75e2dbcc42bb1fc09c

SHA512
e2bcad7a1389a88f22b5bf7281acc0f663d3c021f74df31d3eaa170008aa871b3e200276aa40077421893ffb5bc7b8dbb2d6c8252ebea5c9a1d231d9167968f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2a55657a0559986bec3c4c8d209ade81

SHA1
58d2dff1a1ee76b3e73cbebac96f756b6016040f

SHA256
c8d90e50f19e979628ba88f31f8a701b610c489ab151b0f76dd10c684e772c7c

SHA512
29c93d16b169906b9858f27bc78b52e50f04ccf63c352242b70059466fdefd1aca238b224e7dfcb6cb328ed81f29d1e36607cb94a21bd836b051baa806f91b6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7e19445f573820e6ad60e8c5ee0c76b9

SHA1
63f1137ca4682b3ca83d1da0eca2500fb83bce5f

SHA256
d704f3f9791fa527fb8fec1d7d51f5e208048d0769997729f05888fa5496bb39

SHA512
473ded121830194d7b780c0b21cbb088e3e935cd222b6d3e1010518a186ce0af8b558b579496d4baa53917c1ae7400f1840e8ab79ceafa1278b1f456ded5e121

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
858cc6a5cbdaafdfb85c518a56e070d5

SHA1
49d5006b3685f580fb87b2aab732cfb71b821690

SHA256
8d980be80a62e3e808992f977161ba02e9ae9c772f04c495d31bee7353eecd03

SHA512
37076ff59882804cc403d8b0a4d11d6d40966ed5f9961c211a57eb2195cbe43a8c7550fa86496faf88273eb61c8dbbce9a914713c9866be9e7dac45f3dcdd06c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
63cb7219263a676159a2316ca7e66982

SHA1
d49f6ba3338197924cb6945850c45a13ac46f463

SHA256
ddc9234e53ad30cdad42a80e0c81aaad8e7cf158636513381df68805092d1647

SHA512
2496e66b9a5aeab65460095d38e482ce31fa6e5b4569716b8612a8219660788a18009bc2bb383aad1dafb4e82449b22ad7ff5b2ebc1aa3d15d18a7d78c54db18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a4f9ad4cd605d811bfb5a2c04f6973d3

SHA1
c71f60799e297533628b53d15c629b990f25fb40

SHA256
41f087041c8fd2e246d173f37a6d30239e33d3a08505b377c9bd1b5aa0cbf640

SHA512
f9ec15d96d2b2621f4fd0726634a80673477626bc89a7ebe0bbd53eb9dc9340e7f4c16a2176e3b9bd2f1efa41899d2f3bf10f5488287ed23838b6fd09c5c8731

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
e9abfac0399a4024a12afbd7751e304f

SHA1
5da6b581f6dd5aa78ad7a9317cfd3f30b51317d5

SHA256
01cc7a60731ef698259afb4b9a616b7db39289b7c1d68aaed812daac31a2d8e9

SHA512
dd9575db1b25a3c6d3e4154028277136426e6171037297ffa8d9a5ed2de1847311998b238a8ac1a9c43cd1158b7e666bad510b5940ddfa9ee4cd06214c3da343

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
534646dc5f854b6768a656f25bff84ec

SHA1
1523f4622d883024d92de92da393efaf95d3b6e7

SHA256
80859850f4c9f2a13c8afdb18aaa92232c7a31a16cfdfab7b45eb40edc2a5a4f

SHA512
ff288ded716dd66943a62978547ea706e030bd36b73fc1e0e1916408324969a1fc82738282df53fc9e29a22b26bd37e019552de33efb1316955ca4b5ee0b13a2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a0dbfd938bae3f95c4dc4da259b2a9c1

SHA1
1bbe5902ea9a7e49198de5ddf17b8c687230cbb7

SHA256
1b323da467f294715ad966aadd9489b7c73745fdea5be7d445958faefd8730be

SHA512
28b40b568fe3c7ea46dd3a5fa817a8f54cde3d1b6ba51581590cb85a3a76890621c34b1d385424bd7f44c885ff3bc1210d136aa799cabe4ae303f60c41d39b9d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e375f9461801731e5a7228d43d15835f

SHA1
bd9671f05932706da63c140e4c95afd78222acfd

SHA256
b91b2c9e25e5af1f2a839e88cae61df0a7f06cab6b271b25a4c0ce66fe8391fe

SHA512
052e21b90d0a09dc8f836815f999381ec5d86ab3225dba9ddc219c3e3e10c2dde1b0f47e1bc46319aaf64cdb3a46b9ee2cb4b0ce8b4b7b52cc9ac6fbbb9c8b97

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b79abf3bf1aaaf5b3ed9f590fa9f96be

SHA1
3e72321924c62dcf412c4e34273a640c39714cb9

SHA256
c8f88761ef4f35bff7016ad82a66fa94b6ddaff40e485ad2bc034abddfb8488c

SHA512
d659ada7a3099b22a502ef10ab41d2285a2c7bf8fe85299ba7f0dda1078526ae1bc73b3ea6d15e3d5293b6a09d153f26056ba208a519c8c022147cbf1c3d34f6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
adc00dff8ea18c8c169929d48873fd37

SHA1
b0ccf6a84f05ad16a330acd3b3232ba6bc1ffb82

SHA256
7a218424513b3c035ba62dee73275081b985b5728bf3d9a87885b626cda88c21

SHA512
da7924fd9ece6762a1b6b8528eab625466944133e65ed478e6860aa983b81d4574db9999cdd61491d74df2af6cd85e034f0f9dcb77ea7ca7c9b03daa4549ed6b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b081b4345d5f598810862dd1866aa6f5

SHA1
78f5f6d5bf386ed5001bbd4b10e9a43650401b69

SHA256
619f0c8af6286c55643b1d541203fb1332b3cbf005b5cd8716a986d072c63869

SHA512
a3255b765eb1449c2488156e9a3a3b81654fb9da500fc706034cb3b43f807b09ac893b29f0fdc1d6a9da56713e2b8282ad041b14784fcc5b1caa9e48569c1f0c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e946126d61b8046427c47df0d680c951

SHA1
c61298c6a83081822014f8b131f038ad2081709e

SHA256
44f4ba0ab91da36a4764a8148a8604739e9f8ecf3126ff0dbccd061bde8e7f1a

SHA512
fa467944054e7d2f39cb8308427262e862549d1afa5f8fe02b585e68e65376fd7f386099dc7a253b5e17d8ebc44d873891e4f1c5a207c454ccd91966f6de4f06

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fc823e310acbeb2ea71b2fe11fe11076

SHA1
7e00d0a62573f6430a7ad0af3b1277ec9e8260f4

SHA256
6312a513caf241cbc825f3c12efa25c0dc4c06e387081b8abd17fae87235e027

SHA512
32caea02f460a738955eda78c912adb037feab3acf4aa2e9444fd24558c68aad5dcec0f9a78bd622e1a55ea037485799391d9de067bbb0fe7a33e0ce71d9d845

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6a6f8c553eb433ce5632402691f451db

SHA1
20ad6190ecf66d8678b6db210b62c6991df6ce79

SHA256
a0ad562e95be2c8f3376ea430a1041a4c6c0d905d2cb86c9cc32253436dab950

SHA512
7719a1400d445274af6d707c3bd4f0ca7b084b4498a37bef5a593fe5b0e988445b302f905d12dd5030df75ffd9225af619dd750d6fcc03ea4affb11cbef436f3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
96bc08b153e5fb2e398da3abc35d55da

SHA1
58e289640f5a2df7b97f2ccbdc7d8ef492e802d3

SHA256
2a6dfab0ae8530eda8880e1c6c8ade6cc81ecebd36eb66fd8a71eaa333a1c380

SHA512
a5acfd8ad1efe3d001fcfce7e563768ee8d9cd66d7b3a9d7e7eb9f83094763258d788a20ea9782c1d1dd449ee56ab1ace9b341c8f93e3de7df79357b09fbdd97

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
320a12481caed97547a356ae6219b96c

SHA1
b530aea0bafcfed52494929b182dfd9bc515b7e4

SHA256
c9c198766fc4c1e6e3736f9d998bfafd1806552e7763b61f952edbf584d631c4

SHA512
f1bfc5a6fdf48e77081ec354564238e08c477847a3264a9949a6aa2c49525de2a85627e14272bef7b6cdb4a3fae02bb29c85e161f33081680d2aa9956c6bfeef

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ce0469c84a8ccda7bd60fac8b21c8926

SHA1
b6d688632e27a1e749519cea2a97995ab56ce332

SHA256
b70c46bcdf7391b9a9a50dff4cc2c31c164fc5705f9ddfc88b0a1fede91f2c56

SHA512
55894333f4e827d4ffce919a50e555a913741663c616198d0b9621495b45c95373dfbaa07136c729729ff4bdf86f4ebdbdf1614154fe36471186a63d4721e6bb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
294565dd69486c4d7b9426c39dda5921

SHA1
1be68c02ee81290ff780875d690a4f5063d43334

SHA256
cd23e853f1cbfea7beecc3de9e3bc1454c3151a6082fea034d4d95a566e7c850

SHA512
9736f04e1d2957d07ff4fe9e3dc5ddf0277b5afb2a72f62a893e61ac6f2e5fb848e17892cbbacf935b73bf3efce356a5e3ec830fad8164b027ff373112fd014a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
06fc4b21017195742e3452277198aa08

SHA1
f8f0dd9bf88492f1993cd52c15247111161ef1fa

SHA256
b5e28c684e3b8a3f34726a545f8d4d8d57c74ccf60c5b594b1c2d512b2cf0ec2

SHA512
7e6d6a2fef0ef2dd12b4671318e0a427a8a5e6ab1e7d208426b3dba783d7ffb6253bdd6d021519b466ed722803c8ae46b6a821e6cd9ce54e5112f9e2d7e97511

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
56f48699e3130f6d4138a893c7fa82a3

SHA1
283fdf556c4ac2f911ea9b69948757f145feb073

SHA256
6aaf070d2816199acdd85c201de9f57d68cf6fa8c7e82956d1be381a804a13ab

SHA512
59ac751930bfd22d1b6ce76f2bbbe50a9180bfd3da78076c3a0806e96a5397a93c23bc4337e20c688a7bfb7a928fc0a69f250aae70217bc2493dfe9bcbe36119

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1e3995d46ecac7cd04f1d6945be2792b

SHA1
445464f8f69d4e3e3feb0346ad369a2ee8c8e166

SHA256
32ba060715ee0ee2eb76bc47ec066ac482bcea69a0ae4629a22e09fec4ff801b

SHA512
865a33662f88371046e733db65cb3dfb18d9095e24468e9b495570efbf973a6a39e894c9320c58912b2272bfd840ef4a8976d719abeaa29b921fd54f29707295

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ac077e3217153677a0bfd70323c24bc3

SHA1
5d6ec18c4a9d169ced08f4d4527a6b24d38806aa

SHA256
118adb55207727c9d70cc870203a4570dd47c51b39cf2dd3f8a3c78e003a2c34

SHA512
ea100efe00bc20b2a73741a247bda817b8ec336527624c4e008565d4b837199b31fc769d314054f5675bdc0cdb04143cd10ef4411cac778b318478be2d74b8da

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
aad9d7d8b9bfd3732d52df7a9b53baaa

SHA1
9f772a2d2c9ad7053b430a005044d94cd8dfc58a

SHA256
c6616e2c2b4df3912c2d2f778be3cd39f131b3055c9e38eb5adf6760831cf4c7

SHA512
971d82d54aaa9aa16f66c69b7a070f0b11254939b6b8a5c9eeff12220663c3127c6643d9a9ffa05e183f3c48cfbb089ed7462723f22b88ccdff0f1af57ae638f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7dd1239a7bc4fec83e2e040d24e53bef

SHA1
dd19ed9bf9397876768b76668746a28292c4f231

SHA256
2a8ab55e5b28d76846b69aca8c87e7726e7ed9354a0186552cd515f698aa3daa

SHA512
afdcbc990b9bf50ba81cd3bc17d6fdc639baf3dc38796a492a83880fc976d4f4f87beb03590cb27f1949bb88be8881eda00764809597bd79a416f8535321054e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
632b86eda4835f86b2bca66aa2889b21

SHA1
15216c570838b5c8c0ec94cf41b53b15b7e06e11

SHA256
fada17b35d097f68158e68ff3531d665c48716f8d5f2473cfb25b51b13d415ea

SHA512
72dbd26f906d8842917466d8bec4cc290172ecc4eb65ccf37983feded1ddc0b7ec824df9cedf4484025530dc83d775c5e7bc98288a954cc1414be1fb015b0799

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
981c1ef540fa9e61b6a2e8bc71bc5bd4

SHA1
47e57eda826a0286d60403ee05faf530cb85a217

SHA256
89ab552b8caa5495d32ca0502581d7ff679210562cadc9c4859f33f1505e8c0d

SHA512
83edafd752d5df014acec0b4211285e5eb340041f0b7fb3f1a4887ea534819c7f6f43add0183102476fa9794a8dc4da6363ea2299e5cb383de7a0163b532fed2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
790932bf10016a70ab8b6267f1155584

SHA1
8a1c41cb4f59f70ddaae5362d628eb5993d63121

SHA256
33031b69985945895ed4bd909eb378e765467285f9d74d0c74dd37db4b02dc94

SHA512
1a5a6671652edf875c003cfe2fb266166bd11643fd12f708618222c27b858eedbb3752bd42743dd90ad82d937036128ad6c753c28a8498f19e7ff695b81d7ac2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f64d7ffa9433f3ca9758f7d7598d2130

SHA1
6a523b217c17125ea1ad0398c08c468aae32b4e6

SHA256
329eacc8753132ba4761e41503abe1051624ada79ebb5cca5362cdb33002a40a

SHA512
0dbd478a9575be5d6a9eef6f3db56877eb8ea1e0128e231410b13fad0995d175d793628eec4c0f6c4e7d2c3b2eb40c654c3247263b9f2b025d3934f68fb3e19c

Download Submit
memory/208-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/208-567-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/640-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/640-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/640-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/992-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/992-54-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/992-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/992-48-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1004-436-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/1004-0-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/1004-98-0x0000000030000000-0x0000000030100000-memory.dmp

Filesize
1024KB

Download
memory/1004-6-0x0000000002120000-0x0000000002187000-memory.dmp

Filesize
412KB

Download
memory/1004-1-0x0000000002120000-0x0000000002187000-memory.dmp

Filesize
412KB

Download
memory/1428-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1428-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1428-80-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1428-74-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1428-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1476-178-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1476-565-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1660-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1660-568-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1816-566-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1816-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1912-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1912-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2028-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2028-526-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2028-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2064-20-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2064-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2064-12-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2064-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2184-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2184-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2264-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2264-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2264-44-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2636-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2636-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3160-573-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3160-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3256-251-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3256-572-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3260-214-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3260-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3420-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3420-571-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3464-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3464-528-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3528-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3528-238-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3656-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3656-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3656-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3656-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3952-448-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3952-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5060-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5060-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download