55cde6f1b1d05823f8d89ddbac6af08c968f936b6f12ff026443d959a156c926

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
Size

1.3MB
MD5

b5bd36d7f8f22983206eb3a67643ec40
SHA1

166db0e00b6856835e2e41753a4084b464211488
SHA256

55cde6f1b1d05823f8d89ddbac6af08c968f936b6f12ff026443d959a156c926
SHA512

29bf419b457d3a5e43c5f0d8cd98468b79c190514271c37d7a893ff9dcc4ebb5a3090c0fb89c06cf99793a8175d7c175f16617f1bd9c1066e7eed1ad58bd7a25
SSDEEP

12288:yqz2DWU/Sbwoqg0fitGbna8dQcLk/+cb1q86pJDlAF44bE2cSX:bz2DWNbl0fitGbna8FLk2m1X2D4brr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3956	alg.exe
1112	DiagnosticsHub.StandardCollector.Service.exe
3248	fxssvc.exe
876	elevation_service.exe
1944	elevation_service.exe
3184	maintenanceservice.exe
216	msdtc.exe
4380	OSE.EXE
3236	PerceptionSimulationService.exe
3212	perfhost.exe
3744	locator.exe
3664	SensorDataService.exe
3320	snmptrap.exe
2492	spectrum.exe
3032	ssh-agent.exe
5112	TieringEngineService.exe
1572	AgentService.exe
3584	vds.exe
3132	vssvc.exe
2200	wbengine.exe
3244	WmiApSrv.exe
4920	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc5a4088c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bf430042ba5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000727c59042ba5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecdf3c042ba5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf6846042ba5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000392e4b042ba5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1112	DiagnosticsHub.StandardCollector.Service.exe
1112	DiagnosticsHub.StandardCollector.Service.exe
1112	DiagnosticsHub.StandardCollector.Service.exe
1112	DiagnosticsHub.StandardCollector.Service.exe
1112	DiagnosticsHub.StandardCollector.Service.exe
1112	DiagnosticsHub.StandardCollector.Service.exe
1112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1268	b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
Token: SeAuditPrivilege	3248	fxssvc.exe
Token: SeRestorePrivilege	5112	TieringEngineService.exe
Token: SeManageVolumePrivilege	5112	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1572	AgentService.exe
Token: SeBackupPrivilege	3132	vssvc.exe
Token: SeRestorePrivilege	3132	vssvc.exe
Token: SeAuditPrivilege	3132	vssvc.exe
Token: SeBackupPrivilege	2200	wbengine.exe
Token: SeRestorePrivilege	2200	wbengine.exe
Token: SeSecurityPrivilege	2200	wbengine.exe
Token: 33	4920	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeDebugPrivilege	3956	alg.exe
Token: SeDebugPrivilege	3956	alg.exe
Token: SeDebugPrivilege	3956	alg.exe
Token: SeDebugPrivilege	1112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4792	4920	SearchIndexer.exe	110
PID 4920 wrote to memory of 4792	4920	SearchIndexer.exe	110
PID 4920 wrote to memory of 4736	4920	SearchIndexer.exe	111
PID 4920 wrote to memory of 4736	4920	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b5bd36d7f8f22983206eb3a67643ec40_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3224

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:216

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4792
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
90b78388eff7c36a02c25f69f518ed92

SHA1
21f893936aa55bb10771c79554b66180a9fd56bb

SHA256
a6e22e57ac64d00b5d76563447713df48bcbbef0b65968114ab5e2499b76c5a0

SHA512
cfca9ecfea043d552c06d73ae48a830fd7cb67b1511e8498eaea2796e63c41280a70b389906f4a66602348dd179325aceebd415bd7c8142546aaca3b61fd6b8a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
88492fc330c05573fc7d189b1d35f1d2

SHA1
2951ac5a8acd2f0fdd98b59719e593c15f923035

SHA256
0552f420b2b46199e671aad94907d3893eb0d23fc62feaffa3bae39e0ba806c0

SHA512
1bdcc60c6fd55b8a27d870a57fce2e621e99fe9c0679be87db97fa70bda5ead7ec322bddf07d02d0009597819b396c793c73cdf2d80be5aeecf09d066a0f6cc2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2c88f8a897636f1fef27470ee16c27c7

SHA1
06f2881c9398745405257b46e4f8fb2a68ab586c

SHA256
230f29de9973f004eca53c94b55cf3549e6b37ca816565214e26a018f00e7d67

SHA512
09d0137cf5cbfe4fea50023f861b88d6a680a081f9c470565f50b7208c4cc2afb41fba63d86a8b052969673d7cdbd6c58687748583237d1e2fd5745dcad5914a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
93fa6ea7570373780c22fc8d6d221563

SHA1
c955bc70642460334d959d7ab47b815ef67ad04d

SHA256
73e589d4b782c374f0949d2d06df5149d5201ddfcf7f799ca38c8203d06d0d8b

SHA512
ffa6abd59a4419a4eded353ee06a4d96a182771de9ace348447b9063badccdc925c04605191dde1f6a6922b0c59cb0341953173173445357232fb9510f200c1c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2c8675a8204aea2484df46006b11d301

SHA1
6e5ab64d93e6f3577a5305cb3816085d31a5df62

SHA256
eed82c0cf8b229953c25a5fe8a29bde748be15fd7fa93454bb4de1979faa09ee

SHA512
eae56c916f93ff08676f5ffecd1513fade00ec04022f850273e80ab7bc8a064d5ad8126a13bee565ef9675ddf8cdda1ea9d94ef05f69ce45cad6d0e89b6fc8af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7fb9a043dc73e07fd26644fadc14496a

SHA1
030e1fc5abba87a6007cff103632d694444fea91

SHA256
8d46ae7fae11087628719711bb57e469dcde6fa94ca06bd82d8d510e96124210

SHA512
01ef074f54746002d12b7b18c6becceccedd14249eb99533ca6d22d7225c4a83d7893e323b767afdea1c13d0fe54744362c36d02dfb4181eabf91211c01509f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
3d243415892225372b6a587c552b4b24

SHA1
46dff1ac7649c2482a1ea9bf92d659df006904bf

SHA256
88faf038f1bb325f654bd7f84291eec7eb48a2ddb14055590acad16f1fd3b46c

SHA512
baa6f7df89a979a19342c07c00061ef48188ff4a09c6d32a6bb7a006ed5c7bb29a33ad0a5cb5640c1a149ec30ca6a092d33f0b8b973cbf739788ff0b156a30fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
26da1208b88fd0571731efcdc3d54249

SHA1
f004fb8ed6046a6b80acf9ec52641dcd7d7dfd84

SHA256
cbcbf5ab667e263018ea10e6e84b875b4d0b2587382e0f371a944bfdb1450041

SHA512
06033dd9b8e7c5c05aeeda6aac7ab134eecc6a12c4abe7a3bf824dc04f54ac036eb294a41d73cd8768cc4588a7373d70dbfe7e2bec56ea1b126c351a9eea08bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
38abfa0605f62167c417fa0854f1cf40

SHA1
f22d860e9f4ebe96386254b04af333a0ec91829e

SHA256
635025032ba0103e6812dda001ea4f276e693cbbf9bf11ae74322644aa07181f

SHA512
2d713701f9e210fe3399f041ba00744f713d3cb2946e9d4070a7d57921e11835ef41f463d5e8c2c64a0195d20b1feb35add04fd24f32ce7c94abcb7ed4237769

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f0138e32922ae04697f8a0d80e04236c

SHA1
4b06886f69859112c1a277135cd863362716c1aa

SHA256
64cf1dcbedaeaf15796e51c993188245e8dafe29b67fd4539c955a4f712b498a

SHA512
0635f2c9be4c1d2cf46bcf6ff50585f599c9a9701e8b6a1b1bd263182d3ecff1a3836a9ca2141f551367173f776e01667164b7ed31ee9f3b2ea3e77716502e1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
69150893a54600164c4ff0440da76b4f

SHA1
df22450cc6284c066d2c7c051291e75af5e716ea

SHA256
c961ab338f26f0acd88c90e5e99f2dfd14a38f76f87d6b5ff7a9f98fdcca36ec

SHA512
5e1f96bad99c2bcf48cc1dcf8aeef3c0d0d73590a0f0b5735a1a59ca2b39eff49c30fcf1b9d94c832332929df3acb1454cd78f130529c18e553c77d0f74123b0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
047ee14f0b933b862b928f8905cd0f49

SHA1
fc917d79f54f0e499d0eda60eeee95624ee3dcfc

SHA256
4636b5fb4ee0ad3a55622fb440e268ee229024bd589acff0d751fbdb78f61169

SHA512
5f611c6c696accb1fe832ff9b39ae27dfbdd45373adb070bf9dcf1d02f25aeb5a2e7caaad4cab79ee7ba735ec82fe00a1dfb2ec3da6bf12f1012c733d41cad17

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0ec7bd9916eb2ce14cf2ea2d1636134b

SHA1
e31e4750fb8c4c475344a5e0ee168e2aece6213d

SHA256
b26f3a0862cbd3e5fba9ea57844d52eae6f58cffd146973b4f164fb99f2c87a7

SHA512
f898efdb2663072e104669f7d3d69538afa3da4632507bc842d38fd8cef98c7abf9b99dad5394c1b8eb57f8faec94f836d2627b6af6ba3acd3cb253e1cee560b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
efab6670f0778a8c308725d54abd9e8a

SHA1
51a5bfa50cae78f245d487630fc0ad6b06534559

SHA256
a761172341b983d2db6c851e7d301ae328a1553b9369046b9400afbc46807793

SHA512
171cdf4767e6556f61afe21e9751d82c8a59c049ee95ccf56ae3b5ecf4187ae2a212d52777580a7d1e0c046df53b1748858fb0e1c01c4cb07e0733615a9ce0d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
611b2d0b01f7f5bbcb528c5af3664c29

SHA1
efdf607f7adcea9d6716c405c5b02a9506646b72

SHA256
c4d1a6fc6e1609158909ff8db0b0baa18b727ad4401ec836905b33a055f74955

SHA512
1287d66c55541ebde2c50bc1f553bedff4e5cd206c736bdff7ecf5462e3de55e3377ccf5f4ec5585d2bec5e3d8ea36538f39345690449f37a36bb866ff1bf937

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a4211360b1bd3190fb218f8d2082c848

SHA1
1854f92765707c11b718e160ca3cf0a53fc972e2

SHA256
20cf29ead816b172a9e81acb066b677d0468f1e5c6f60142905874702c763dd4

SHA512
9ef137ec4b03d70191585fdf6182dbc9c39d72b1094ebb7a07cf472bccfe1b0d9ba83489db63471f4097e57bb34f967d7d878b16e2cdfc0a08b0d28c2b9e6371

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2cbc9ecf4bbe4070e755cf3f1775cb73

SHA1
5cc96cfb435cc2d3019cf4f61379d292cdca52bf

SHA256
2327c5bb11c7e6b7ac464f8c6b9551362c5e91849e6148bef1256f81d432f518

SHA512
c3ea207e85a97fc7229352e048752a284b722ba2ebedb5245fe817f7e9e28b9cf8672ad6bab823e6374b3b4e6f7c040d8708e62cd51350c252b9b5cf4542e64a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
03d0e99cbb64586583e00c8483b3c0db

SHA1
c28cfcbfa9af0eb0d208189877902d5c2a24400b

SHA256
e43f4c6f5a807aa018596a5d8c4c22ed46ff9cbd977101730275f79434a2fd0c

SHA512
b4997171477e90133d101274398d55bb430441232dd14a00385b9557761ef88f200501ab81dd85abdf0492a8bbfb090f3673092cf2c1c85aa64c29a9fffeb9b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
83b09c7e21cc4a035d336136b4054db1

SHA1
57abbffef304b2de7f736128f7231e02ec167d2c

SHA256
ce93cf71b5639f580f989ebbf173a0e286650e55be6862ce42be2fac0706631a

SHA512
c4026c11f398c2b3c8bdb92db838cfe4b01b75dc7eb5cdb3b8b38bad33bf451e0dfffc258e9a3223d483fd28116195f9e4fb9eaf57a77d1c8b5a8ad5d96ceca6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
319b4d10d92f53bf1b5d34b4d5549ad7

SHA1
1a145697137c4d8bcbb290dba8268ab878d68563

SHA256
f2addb4dee3e3c7be6b5b4cfaa968d72a89ef61146160b60cb0c28116a45ae16

SHA512
f0fb9224dba4d6cfa179f5a114f0bc362dc9d17ef720dfca4104041a8d25e4c6e08ad3959ec86c27b46f06059b03b6228375ff84b95e0b6778ed788ea418e62f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6c18bd70c4bdbf1f00f83018bf5227ea

SHA1
92869771af4c3d27eb53195f98f08d513ca44acd

SHA256
3b3e5c6d9e72b976d914993bf86530f33cde023d1fab43e5949873ee29405798

SHA512
0c5b5501d19a3e354c2b3538858f72a3f8169484a9b8ab594b3db9680dca8a7c1a71c7ba49ce4a39122e53c812c44107d1c749438234470b86c28f4103f62253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
89ad1d5e5dfc1667f4b900bc935530b5

SHA1
22b5e5b68a92a75163b5d33536fc0272f80d6fb8

SHA256
f707f8e81d71fd9873aadca70452c9c5c243d80c8bff166b2833f177f56249ed

SHA512
3d840891bbf242991f179591e0b26bd87a3b97158f2cedfa462aceb609269be22bc7d40f5c3c95b5c064e1a6a53f42884a5df9aa4b5669e1af17a714ead7f822

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
daccb20188fa398f6d3525dda38de678

SHA1
66051273aebf5e0911374022fafde41e55c4cc22

SHA256
d2002b01566a06869bc5d60a4f18f228c7a3e79cba649f8485cabdcc5dd1a557

SHA512
9e2111f7ee5287e13c39126aa725298cf3a477e733ca22cdc0f6a08efa882c73ed8d99a4c2f395c26535f6a2e6a3237e458fdbe73c058e0f7f1fe9cc6e46fa71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
bfedb80258c922efc7cd51ad0c05e3c3

SHA1
3a8460f306caa7c5184e5a40d065b27203519072

SHA256
f2685237bb180d3e6c1dbebfec7ea65369cd359c8e21eeb486b3d4dbe7e968ba

SHA512
f0d40bc51fffc63e3938811a1345a77b35a3da26ef184a029d2130d366bdd6622b663a48a8e4b06e6b5109f2d6326796b15f1a6301b418b1fe9969af86b9bc2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e8c9c932462469d62ee3c246001d4479

SHA1
5e4d2020b74a3f0681b8cc5fefa43e8708fab818

SHA256
b4e94f18b5dbfaf0789777bd5bb6cee3e32fb1e567c425c24fc7df1deb50b0c4

SHA512
4858b0df2a9efb2e570c11573bcab2f6a7e0fb961ef7b44d8ee6c217c16fdc2010194960b0ea7dd830cae2bd0ecfe0a34a6a74690c2137d974897a3d7005de9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ecb66f45aac08f2d7cb6618c0737b9a8

SHA1
6d8ec49b0bba81da5b17b7d32ccb63a25bdc2c4e

SHA256
0a49cbdb51ff152edaad982ece1324b9de542eae362571000c6808d85b41ee8b

SHA512
eb041ece87688d9e764edef9a0cac9e1cbf43004ce869fc2f32162524ca04da016909bf4398da5c1d438531cea0570ee5e8e65a51bb3db8f08746bda66868b68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2e88842186a4603e7902d36b7984d665

SHA1
1692ae6df7c7735e383b5de3251a57b487a65980

SHA256
513e73fc7759e4342c2094846ab1bc8cae3e384854b88ded5a1af79f8d059ee7

SHA512
28893cd3fe66729f49e0b3a4cba2179deed7b529161999abfc26ca9cedca21d1b16f969eb0f2368db102276257d85946ab1d1730a59f744684a165aca865644b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
14ea7102b5dba58075898394fcbf4c83

SHA1
e1caf2769293b1cf91186a8ba0f433b929ce616c

SHA256
c92bc6539e10bb5660c97c8ac57047a9e8675c4a8a4ac2f0e49527e5568fbed4

SHA512
7b5be2a54da8001e63806756b90381172f7f606b0bf4c6111a404eafd61f31fd4e0cb3928aaf574eba3663bd1838c94d29890ada5f69fc4223a6bfb597e23c76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
323c9e26559cc7aac67e84a5f7500262

SHA1
2ac595a6d3cc60dd83af5f34a0f468a8dbbf837b

SHA256
6f9dac7f8a61fcf00be7939248c53cffe757281ebf5991395293b6f66f592010

SHA512
35b828e1dcb39df986ba7dadec19dac8b2dbaf20c2f72f73a8efa7a8c4dc62402a550e57aade4c3212a4630b6d9092c7c3cdbadf56bc6e5a2cb64e01736c8743

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
519e120936a38207608d09fd42d0d4a7

SHA1
412add73e00deba8a97c85d1e245fdd845bc616c

SHA256
0350c7515ee4683c6efc4ca95dc3544cbb664b65a86e8a8e8d30b8e1fae63203

SHA512
730caf4138f0277e57690642f9b574adaee9dbcfebc0ee99fea420044c3c211c4938df135368b06edb9251df90940082734ac5f3568e63e240ca28840fcff14e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
3f8600a86d1b098ce70961e1cf561bd9

SHA1
a937a44ccc5acd2c2f9c7b0370ddcb536032953f

SHA256
ec6a19db81dead65a7243c78719b592fbb932ade03757df1cdf6f11542b9c737

SHA512
1ad5550b2965a93ebb13404f196d313bdc025ee1a6a14a458f7b558d385e200d8be1a7be356831498c92a448c5aa88247aeaf5e6970adc95e7d7018236d99452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
74cf6004352e6edf484d4620f15d622f

SHA1
6669ea428b7ceb9b47f8d20d19d1946a02b70a88

SHA256
df34908e6516470a16ad0f213f60b9eb8e56f484014f13514311f78692ede545

SHA512
3d44589e9a0a3e6619cafd0c6f9622e74d0e2524c415086d4c3289ad927c207f8d06d1e8ce9d50ec5df46bf8bc2316982d9cb9569d2a9a6bc40e3736c6ef4f7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
dc3f1d2c4b169b6460ef10caaa871b04

SHA1
d91c892e745d981f9d6930bf24b78c551c4da94f

SHA256
d6dde0238e03119d7b46532824619382f5a72afc4bda440d76e88d597a753581

SHA512
e94c9641a8aad0a7ba6efbd383b2db95538b8b67549dec890279e3ba4a2957b0f3b022fad6fc1c721588ab19b1044b72c01e92e8bb4e62a1f34bec2828b589f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
ec437d789644bf54bc4ac0fd29b375c0

SHA1
fe7ec76d3ae2961211a3607aa3af2bab59624a0a

SHA256
abc45259aa29baeff08f73d7834dba23b9fd72cf01fc0530b264e48a284e67f8

SHA512
68ccda99bc39acc764b49e2bf6c9c215d141ba332a3c8ab3e9a98f6ebc2378d170a27e0583d4b145620f5a255ed184a129afe0d83b510edd6a2f0776c82eeab1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
9811bcc74361790a99fa1c803703d33c

SHA1
b5f7ae3d5176b9f7d38f748cb3e641213f4a2088

SHA256
3826a5c1ae8deb28cd357e39d99d194326c552052612c8ab5ef7fc636421b611

SHA512
447cc825b792a420a3b1f0fa6ee1451f0af35b65f896959d7ac9890262296f716630b682ac97dcdd38eabb3fdccb8f2dea119163f2d0fe0fe07daa9608faa452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
be214f38d7f94c608b50facb1c8234be

SHA1
06b93577a737ea4ee62fe77b0e51169d995c06c8

SHA256
a9d3c8a38f38d17814b4f8679d330476b0f08d557c1bac0f32c96f159a463ff9

SHA512
1daecf0e1cc5dc43e98058611104ec6a1e43dd5d71c2b049901b9187442cc4e1717bb91220d33d0415bfad27948dc2c6840c87e6535a6e3bb69076ac642cc682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
eb242b7f2a563cf2df206c52722544ef

SHA1
185894adae70d7377ff818bbb0ec68031c6ab6c2

SHA256
5448ca13f41a63729df768b649a0efbbe5ff0ef46a5894b1f7ef16bf81301b0a

SHA512
68fcaeffc7a3b868df0369da55fc287b586bfe97ea0b8eb3a7dc1b6587f7cbcd73992229b571b2cc64ee460241ea2a76e7241c3083e78aae983ce249527cc237

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e1303d9a3a22f386b834e65fd13a8e44

SHA1
cebceb7d19bb1a55f84e16651ce53b0ac8b84957

SHA256
d00b78d5291325121d4aba0062d89e54e06a60c54e0ae5386c47c29fdefbc699

SHA512
4c76aacefe7d8b1456757be81a1f392ea6e335cda028eb6a546e3a8926c1b00a53c7973bfd5245f2815270d3376b9e464d7f18ae4bed38366ea4758f8714198c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
7d0446282de9cd19bb7b675e32a2fd11

SHA1
713c3566c5a7270cde4bc89bee993c4942f5ae2b

SHA256
964842cd2f0943e9e10185ab98a76227510849c2f9fd3bd7c80f8efce02dc0d0

SHA512
9cea5b3b2568cfff415dd5af9e6b361f9b473dd6edd0f9b5b6b16addec1b0c7a1be5693583e35ce4464de324d05293563f0535c4ae06ff2fec7e29ad7ed1b8b3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
642d354e816770b2f8bc515662ca4570

SHA1
cce075cb1b4b583ba8b383bbfac1aa9340c12946

SHA256
375918c135949863d0eb1d4823508f1733bb2f57c99eda66dc60aa6e99301e99

SHA512
29b570536216d1db307c1fa3db339315ac0775bf05c6de910888b15fd51d34e3b1e0872ee7708235d2e59cf3f6d2282293aadaa849b31a80dfee1e291479751c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f297225e6b33a44b23f0f0cd32bb7b0f

SHA1
7be9cd696743d31e4457d1edd6d6faf98ff96030

SHA256
9daf28a8c77b51a497f1343ee672c4440060825eba6e0ba23c3763c29ae3aaad

SHA512
706f1b55f702a8620b970a5c2a8f7e85e310b75f5547eb12b61014ec08ba003ea4d0f2bebcf6c87e79b672054a63d38b3e249815fdc43b69a532e42239433a80

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
78cd5915ff6e051c13b29f78d512b5b4

SHA1
c40f47c5733222462a110c7d9e74605a2c2667a3

SHA256
9857cda7d479635a2dad3f98eb535dc9d50a754859c500fa21900edfa09b0290

SHA512
58f3365c4720398d1f1560e889b98b079594c95623f82504234159bd207d9bf33ed80fd8c575e4c6793429cca25d3305affa1548b3a91e3e746287dbe3effb8f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f9f6ac3120c3817b458ef5279c0995e4

SHA1
94710d5896d46573496a02311cdb6dd463122553

SHA256
7df3ac83ab55eda2fe79b9d813f82b15fb17c5708d5cb21aa06d45e4236ee849

SHA512
631420b918ff74e752a8712edc7907a01d92308bb06807e43f9d267c6104d4a2f2754575d20262f335d0810bb73d1db857ad5dedc29d6b475fe9294c15fa7603

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a60b4f95e12e0ba62fe8ea33611b29f0

SHA1
86677fe1968a742062b891eaed4a04d7852dd362

SHA256
d0fa569ce651a81c77a507407bbf925ab58faea1aff32832e408e283790888ab

SHA512
17cfb1557c0b2c1acf2dca7f08ef370075dbac81e3743be15f6edcef035bbbc75c9bf895bbe6f7d59f249f45dd4bb62790ca9ae8a1a577de814d1616e81ac788

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
927ffaa4511953b83acdda28181e2bb9

SHA1
881ad3c4bc825399deeeea6fbcf8151a1d234cde

SHA256
db0d2bdb1abf75d0874da8bb268bab63c7cac2e74b4f261777a927db50c5242c

SHA512
ccee7566801aa1c0b248be6e529c44f447e1cc9c88c15c885ee6e9b4d3535097cdd2c019a4f8e7272f2927ae2af603cb1dff6bb040744317c19a46476053e952

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ddb842dfacc8e53133c0419cdc6fc678

SHA1
546533282e5c5e18f7661c45bba4658e84659cfa

SHA256
6697ac36c43ea1de33935f1895f7d9ec764f1ed4d30ced7b68e761a800a68318

SHA512
f6f8b7391cf43bac449705ecc47d8ed6ed3f05bfaf595d263837ebce1f5fbbce31d565d3f94f0a58082fc4a5fc3f22ab68c46b02927d5fbaecce364039ad3c5a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
84b7bb85363a3fdd6d857debff39de45

SHA1
2180eeebf15dc67ddd7093198fad6ca1522631f6

SHA256
391f4d25ee4dee2f83752211c2e3173ac04576e0f32c31f89f532ffc14c7c30b

SHA512
f28c296f66fddf42fc85ca0a4c480ec689587aba3dcc0bf6f8a65de8d478f3fffe1e34a279542ac25fd8b1cd9713d4deb28ef0847af7213b5e932370e32ab7ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3599dd9f87ae8eb6dcbcb1296120817e

SHA1
b392cd059a40af83316210ca8a257a923c3d8dcd

SHA256
99c36bf8cfff26830027d6ec09cfc5e82510c1c0afa456ae05f335bf01162a0c

SHA512
f2d3417637b5f21ab29a17ff4f7be63cd0e8628d15bd0b0de97942442a5760bcd5847a78176f872c73a664b6f35a13918c0a6b92c2e257738db45ca7f7b337f5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f68a8b8f620fd07d3532466395052038

SHA1
2a141c296cd7296b26dc61a11c3203ee8d8bcb95

SHA256
ddd18bd93a373353c9e9b9f68fb9ac2a92bab4fb7f4690bcd6b6ac492e2f3a2a

SHA512
fbe09e0e1f43a1306ba3ac64292952356c3b675a263b2b2e2669dedd68bf20b6304391fef37590c0a877a12608d4503eea9e404488aa3fa7294552514714d06e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6a2d17dcb11c1baeccc0e4d5dcc852b7

SHA1
67cfd7cad595989e8b0d99a0bf5a3b109302fb65

SHA256
938eed5ae1fae01d286f6a1f6dbef604a929e9e11c4679db73abead75cac46a8

SHA512
17124cdb9529cdd1bfe705ed050121f62915480edf43730cdec900ed4769ad3dbb411f2ea268cb534aa592083240752b5fdbaeebffb2f45994d74af11aab23a1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9b35addefc46534ed0c810e49922d679

SHA1
c8c7d045c8b5b334b6ee1974be6b269348e12085

SHA256
3f262d7008e16aa00e91a72a8597e1e220340d77bf2426cb7cadebc0fb7e455d

SHA512
6f902e0778092fd47f8775bdd9c248937ba61ad1df6562d1319ddd684144a92e3890aab01a7300575c9c84d06b7d30ffd5cfd3a493a01e20b0a346de0d42e4a8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c840f824cbe6528f08225ac713ba11d2

SHA1
332ddea9489c54ce8766fb9f59885c748bf7d399

SHA256
04e30c5d78f2c3a30955506f66e6b7bafb3da1869bdf009ea51f6f9a32cfeb16

SHA512
02f668c5510b1abedb80eb32fb02510fe32fc25c3f5edc73549d88ff14adf00e39e9fa4748f8d023c9ee9cc3a918563e7a4f92c8200422262bc13445192f5d32

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f4d0217359d341dfa03fa76accefe718

SHA1
ced998319f384a14e305d5dde09af01430858806

SHA256
c1932fcfa8fc977f9edc82deec4c364ffd828cc25d1d6b1957081924ae65c008

SHA512
9891048f9987807c43a3269b9c0cc8ea46ebfa43acf6b9f5c2162ec47152a44ad4c4aa2dbf35fd1ce00d322fc71db2c66b08ff8aa1ef1e3845c079705b0e4bb2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f8f2b6c0c1052e27c984fe6d6b5ee410

SHA1
e6bdc0b215263e6c01753ef77d6e8a3ec8a554cc

SHA256
4bd29e80b09fa8f1258854579d70381ca8d74e30bb4733d09884cc764364213f

SHA512
8b37415a159b965f802475991ad957e99598b891358a72233739608c3699ec8e1fc1ed0d302339192c261849c350c4a07224fd61fbe2cb77d6c3debfe5a7fbcd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c6688b3f78a3264506eaa50dbd55741b

SHA1
d2cc4948a10e7dce4ad9a6df08bc9dae05a3385f

SHA256
615ae40fcfbab90648f4e5835ba56a0a97f21d309f26f45f5a1e8c3c0ade8db3

SHA512
50c2979b46b4685ef5c31e4dd8d09249c98443748e612c7974f543cd30b9085a8e4db06b518a1dbb00b6b86e790b82288e4ef651433a62dd8690a48eddbc9290

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
eb9f94c30acb7915626a74eb973d884d

SHA1
cd85d200ae899399dbb4ba70b2f99696be0758eb

SHA256
ab4deac4f9405bdde4ee9c4b54e8cf16ae5252dab3390bf06c6f81697886f31e

SHA512
4a176db0ef4aab9de52f41f6199e06c5b7e38e863906483acd7f6abe3f1145361a0cae033332ddeb1a711ab5d71e5d62d4a9b507cabca3ece40cf64cc77c50c4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f2aa969d0969ea8cf6c6fc84aae1d5fd

SHA1
b994930a4ade6f45179e2cfe824eb264abdcfb33

SHA256
34ffb4c70ab385dfc5e6b5df1d23430f837e8cae8e5f490c20e46eb4ea4e0f64

SHA512
436c8faf70cb2dd597c82ceb9e13d4af87bbc4814ab4839bbb8b6bd0300e743ad4ee959cab01002721a94881c54f7cb2ef2e38c45aeb62d635db4effc0ce01e1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4335e772e8097f0cc4a393b86de6c337

SHA1
0bee80258ab30c88a806a4db75747757986faf80

SHA256
654f0f093bd9aaaca768400d2c0e3e29a5bccb3f0a2be4966a6be766357016ec

SHA512
a70890a93d81b3047ad9738cdfaef1eec06c5eb9680c31d659ef144b0f6f53acf92b3f22d7560f7cb1cc3b771f3cb188514fc0b7836f2a23ed12b2fb67a2fb48

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d6cd8c148e78a4b5cd86b84b6db8404b

SHA1
89be96af4eb618718c576d1e9fffdb613839fc20

SHA256
1c5847255a3d94931fe88fc13ea2c5b7ea56143347795e1d12230adebc4e4caa

SHA512
a70100bc5717f3bbb818317d88495248bda5b985cf11d3f5c1b86e3d05e5f1d5aa958808e1b30067dce94936f77caa0696d5e4b9e963430cba45bee0b3988c60

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
a46967232b7d4f472e8bd2654c8ed1dc

SHA1
8d2bf85b2daea7af3ea0746a81016190de70be99

SHA256
a46dfb97a5fbee4cd8af66b632c359efbe82399702c4125afb36a92a083100e7

SHA512
1d19e0221218f6f5affa1235c85d0ab8cf38b103c3598fdd24e3fab28834eb01bf018a37714c6d3b29093aadc6ef89bd455692e5568a673439a3da758b04ef9e

Download Submit
memory/216-93-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/216-94-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/216-626-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/876-53-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/876-622-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/876-57-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/876-50-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1112-150-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1112-27-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1112-36-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1112-28-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1268-9-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1268-8-0x0000000010000000-0x00000000101EA000-memory.dmp

Filesize
1.9MB

Download
memory/1268-73-0x0000000010000000-0x00000000101EA000-memory.dmp

Filesize
1.9MB

Download
memory/1268-408-0x0000000010000000-0x00000000101EA000-memory.dmp

Filesize
1.9MB

Download
memory/1268-0-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1268-407-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1572-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1944-623-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1944-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1944-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1944-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2200-270-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2492-265-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3032-266-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3132-269-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3132-632-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3184-77-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3184-78-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3184-84-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3184-87-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3184-90-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3212-152-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/3236-127-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3236-630-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3244-271-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3244-633-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3248-46-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3248-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3248-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3248-62-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3248-40-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3320-163-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/3320-631-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/3584-268-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3664-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3664-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3744-154-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/3956-92-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3956-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3956-22-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3956-23-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4380-629-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4380-105-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4920-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4920-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5112-267-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download