4d3934370496542ea9207633ad3e3bd5922f27a037117e60cf2e7ebafd0694e1

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
Size

648KB
MD5

cceeaa7d922f9bee58caae5750dd1cd0
SHA1

ad79d083b21adffbc0acfb7bb7f0eb903a2d291d
SHA256

4d3934370496542ea9207633ad3e3bd5922f27a037117e60cf2e7ebafd0694e1
SHA512

938ddce3676d92195290855c176b654686847928ce21ec26d8bc7a6882c90870f465f25d6611fa5aee923dce63e16c941e20efd137f307fe9d553d384a44197c
SSDEEP

12288:Eqz2DWUOPU6DQPHPcJrX+YIyjSIHpVXiV8Ih8Sv/uDZTk9r:dz2DW3lDmKBJfJVSVTLgBe

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
832	alg.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
3744	fxssvc.exe
2912	elevation_service.exe
1512	elevation_service.exe
1484	maintenanceservice.exe
2452	msdtc.exe
3208	OSE.EXE
2908	PerceptionSimulationService.exe
1964	perfhost.exe
1916	locator.exe
676	SensorDataService.exe
1880	snmptrap.exe
4788	spectrum.exe
4332	ssh-agent.exe
3652	TieringEngineService.exe
64	AgentService.exe
4488	vds.exe
4432	vssvc.exe
2740	wbengine.exe
1968	WmiApSrv.exe
4388	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\47d64491293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009828fd4317a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034a35b4517a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be9a6f4417a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efff144417a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b64b614417a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031b5c84317a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
4136	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2456	cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3744	fxssvc.exe
Token: SeRestorePrivilege	3652	TieringEngineService.exe
Token: SeManageVolumePrivilege	3652	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	64	AgentService.exe
Token: SeBackupPrivilege	4432	vssvc.exe
Token: SeRestorePrivilege	4432	vssvc.exe
Token: SeAuditPrivilege	4432	vssvc.exe
Token: SeBackupPrivilege	2740	wbengine.exe
Token: SeRestorePrivilege	2740	wbengine.exe
Token: SeSecurityPrivilege	2740	wbengine.exe
Token: 33	4388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4388	SearchIndexer.exe
Token: SeDebugPrivilege	832	alg.exe
Token: SeDebugPrivilege	832	alg.exe
Token: SeDebugPrivilege	832	alg.exe
Token: SeDebugPrivilege	4136	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3888	4388	SearchIndexer.exe	108
PID 4388 wrote to memory of 3888	4388	SearchIndexer.exe	108
PID 4388 wrote to memory of 1756	4388	SearchIndexer.exe	109
PID 4388 wrote to memory of 1756	4388	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cceeaa7d922f9bee58caae5750dd1cd0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4940

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1512

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1484

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:676

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4788

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3888
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f00359135c19c7b3b1e44967a103d557

SHA1
7e9bfa94070752c5ae309af3ebc13422e5bb04c1

SHA256
6c246ea647dc784aa65a84df7f3e2715857823b50ff501a8c68cce2f9460edab

SHA512
89ae4e99f67741728aad850640594f5c011cd6d28400299124864a72e2ede52e26653b56bc230a9d5c59f9b5fce126203988c042a7c9e26e4b34659725d72a69

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bfe07aafcfaa258fe16e9d7096bb17ba

SHA1
956d9f7bd570079f5169c97d1de390599f81091f

SHA256
4370a1d9ba60da1f7dc0b7d4477ef5cc536a907e1e2e202550ce56b1bfa27a41

SHA512
a6ca1bd3a044c01dbccb1f8a7d6c86a2714ed477ea49e49e61e5ee851967fdf7d6bfebbf0009bd283c0214745a96a69e895ede1fc1dcf306e869e5461a653aac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
55e6e2eb807644ec860790bde526ba90

SHA1
e44d6c0e825bd3bf1f30deedf7389828ac775eba

SHA256
c7b0baa9ee5629f0dec59353da7d8d09d243ed28e9b09791dc9fe01cf31cc672

SHA512
23f47781b4e7b801123c4ba26a1d805053fefb3754dc3100ec5b73f28fba71d07ae253a7d66fafcfab754ee3cd7956c244ffddb274dc481fda3f93ee39be717a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
12610acb3e780d09c59b570d802d1504

SHA1
3d25767c06e6854f220964347af9362b41efe596

SHA256
6eb50df1e858019fc58b76a31ff7e745cddf7086a554f6b6777aec3864d6a796

SHA512
ddc8057d95852741ad233db335025f681c651812ccd931f0fbb9b0dd4d6949b70e2c5ceb4a7567665e7e37f665f2e35e2046c895aaecdad8cc9eb1585be8c8d8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7eee948c5aced7fd55dc9b6aea93526c

SHA1
815069ac623aaa98b5c683e4c8f724f3b71e807d

SHA256
9d1186075ad416869c6423bcd08f2ca8c96c677df6149c6200f2f4f7b7dddfb5

SHA512
1e237ee8647de619e2e1ce6638a93a8265415f272cac14c53fb67e9919fc58316aa96a86b8b8fd3afd0e46daed548d210bc56982056581ff207de84c76dcb98e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a6a4a31cffd2d8c40520908027e769fe

SHA1
ed482eba14d1b0466fe7ea7eaba12077a9bb741b

SHA256
0e735c8feaa574287ac7e781528719058ce50dae0abf4cf375b0ca44d7f90783

SHA512
0daebc9e87633778d8c820c112f46fca0674f5a57d8afc8e6b475532f4f66b2348e2c1d075d57cd5d9623b52fdb2a402063a3397e8179652117552743f5e6118

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8b4f77d091d9b555deb86a36c8d6d352

SHA1
421d92379866b98fe1843e53e1e727f246451fd4

SHA256
0c5066616f1f5c8b003a63133fbf8d383b8cf6294aa1e51c24237478d9bc91e6

SHA512
5fc10de997861e041cd66606bb6814dc51e62614a7c15d4340bda69b6475a886d8c75b80127e97f5843366b0e44ea1284cf7e1d562e0385a9ef3409544996543

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
16f3c338c35850a339c30ece953b1b9c

SHA1
d77b12c10a14413f791e8e7e86382d06506d1f7f

SHA256
50724c75815cd34525aee406f5ed3440cf02ce2b5ed723cd6999a55c9ca6242f

SHA512
64b81f20e036f4a24942c2f4dc813368247d86e4e90e4bf5ba6e979632d0ead898b1d1ae31aec66b19e6de9d803d349c7ec848ad15184b01e6ac631ef447b5b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
228f53b11d8a6e38245439cf04c39e7b

SHA1
899f0e853c47f1e76fcaf24d0cc1ed8e699eaa71

SHA256
ea556abbeda7c0166608efe230555b0b656f165b78ed2d267acb6509161fbf26

SHA512
e82bd3f7206a2ca998ebfe8d8d55cbc214b3854bde0fe83e8794ae4236dbe076d34778f2c0dc64da564d47787889a588bc7e6b1b2fd0ef74f88def89343de0de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7d0a7e98300744a8a6bc9d6aca139181

SHA1
059eee6c66d99eaed959c45f8dbd170ca700eae1

SHA256
273bb6af36587b4ed9415553ac7769671e994b71f50182fb1f4402c890638e8a

SHA512
2010859ae6f6e63d34d935d3d674292b57edc98c5ee0ef6c0b7252cf46321134044adf8da39b0e780ac7b315e0243767cef8edb94403124ed49c25254dc677f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3710b7b1d30d49651992f715700547dc

SHA1
f3664296ee02d4e57d5907b971491a927850a272

SHA256
1ee2f71341664bb968af84da89105479b864db64c83f5681af2253cdf619fe88

SHA512
71260d072ec5dd8a8ec4eefa7de474c6db636eb974bd5f21922412ef780fdb993d7c8207cef7b90d70473065286083613a1e0ed29db9a688b7476b40a2bca687

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
604f0e123f457cf64fa59f80357fdee9

SHA1
37069d1a2ad83ae3e789108be3c09fc3c39b5402

SHA256
2bcf13812f0a2a3b12e4ebfc08f7daa54d0d661edd02be9ee12c45a12e1d1084

SHA512
b2bae3ae17054172e0c8f325c4703edb1581ab3f61353bc52c6b8e80164d0cea9ac4a6ccaf04e331a0a852fe695ada3b89ae3463a90f27494227d2994a012e17

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d6c6c68d9e639bbc3fee85ad6a88a120

SHA1
729d26edca4731bdd27492271a534b6b795abd9c

SHA256
0394706eb4facd8d88fa412c0b64bbd73045a660f13f563a2a05741da077c84a

SHA512
4577c859e62c1496e4ad01808aea55a73688a7fec976c6527e7ff5cd317a3d182e7fa350ac501ac90b8448d1dbe3bf58c0eb862b86a8b3bfa9e04003c0338073

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2b7a4b99cccc38cf13d57bd3bb301361

SHA1
130ed14af8cc3e49ba50a44a1690380bf1a34288

SHA256
e328605e764cd129c1cc3e295824cfdb3273585ead45d442f0c7d1a0c80e6eff

SHA512
4521f54ed48b1d8083646dce6aa92eedc1f5cbd75b144ed1142c02827d3dfc2ea0aaf6c8a9b0912270cee49d901439efbafbee9de9d2ae10edc949c359a1368a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3bf80a92b78d4d64ab3ad3b75df0bd7d

SHA1
7f2a896f3fabddcc82338812e68378889ffe04d9

SHA256
5fa0d0752397807e9aa74a31be799f4d67f5d6aa9d82ebf5edf90e0017f04e74

SHA512
217f3f7f25dc2a003ce73764ba25b097b5a0a51d5c14c0ee0ce21d563636cd0ab975ee8cd79221fe0ecfad5fed8f2f50688092891224d30f531ab764c44a6f79

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e66386cc1d42b117afa41570f39f09ae

SHA1
d26db0d0b182d9e024d9f74aea2cbab49a207e17

SHA256
0cbf57f2beebcc117e5934d1afa65b70ab565b02343bc234325dc2c7074ad361

SHA512
e7d8f0d238b54493ad1082da19f465c13e966743215da41564d4e8646ffb55fed03b112d7473b90f37284da97fa55e1e2bd2a877055953baa4ecd1133263760d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b35327b21a686249b598002deb496db5

SHA1
1cbf225a749952227696536c37d7cb29ce8bf480

SHA256
38eb2b136959c7bd60c85335321da18808a30672ae5b611dce57fb7a2d01ea9b

SHA512
261c0f5e8896abe677517138c1a71e73bf9cbd4296148be77d4e33e6c896f6c14d89e02b97a73362081dd545c5043a226ff5fd439ed1903cc2373ce943507d66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e87dbeb862e354a651ce3fb9c1f67f8e

SHA1
c6bac75234dd021203285c91de01a5b49453dad3

SHA256
39fa6ef144caa8014bc6dfdf79c1b609e777bb852eafa17bf4771d769d8b081a

SHA512
3cf5263f6e508d5cf5032d00d457a3bd4050ebd83e5402ae0bbc0fe337ceacab288fc6f951ec9abc8712b0be7e23a2eae604d7b5f5f906fa16aa8447f0748432

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
88bba55ad9a14ac90dbd807de9157f54

SHA1
cbd9941731e80c3f68a2487fe714771421b8af4c

SHA256
77008cd26f4acce3e70a0b115c942c11416990d667a2326c748e4423ffb16989

SHA512
67cea30367b5bdb88fe1f9f288983dd0b57afa36d48d6b592e21286c834581babcc6ce1c0e77c376850877b8a9452372250de990c116276e74465edc136c4316

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2bd35dc56fda44383bf38e6dc8b6665e

SHA1
6390e3b21e1b1e8b1690df4c19e06bf6511278d8

SHA256
cc3b767e8dbeda4b00f6a140da2ac4c0de39561e14f04a364ff4607b14095ebe

SHA512
f25ca21e64b078c2cef143ddbf748e222b6e6cc6268edc18a882f5a47514b97a72d3abe87866d06c0301f790bf8fe178d14be69ed1045db26412e400593b3284

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ec409cf5196509e6eb618e8ec76b64c9

SHA1
84f49ac6f58cfccfb2abd1eac3f5fd7813c2b622

SHA256
bd42d753b44f731e665ba5997bc906e22d0ebcd637d6ed9767d9930b26527ea7

SHA512
1719600f41c12d72e4f4bc55127d2942208f2afd4f2b31df44f31c0c983b17ed21ed77f60a1d1b69cfe6833f58d93195d0b0a410955bef09999b103995f4b084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2a6b54ded0addf9b6db1015ea8c0eace

SHA1
64867b3da4997aae81c33f0594dcb2f05c074208

SHA256
e467340a395a9eed98d7cddd4c65f0e817c22eea942d30895524a105b6a9d903

SHA512
92d327e1f7e599f9e604b497e27641916c75e84dcda7740b664b79a88d6378b25d28867e9fc53a7b08fd021440e11dd16ecf92a7b281b4b1f050f1c5234e974a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
88082673fd5ca978bc37559a26f70051

SHA1
35f1a1cb62cf8e23074db5b23aaa4e0907f61a5e

SHA256
01ba08b1e77e12ddc17a44f868cd1738317c2958b686b9ab9d0cb109b9b8df12

SHA512
2dab1ffe64971b123dddfef4a1183420cca35f8635babd251a6b67ff4cf9d36dec59f906f9eeb950c3a6917b999ed9b0274f954b846c592dc1d9bedfa111693a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d684a28b85eba64ae5be2f51f7b04fac

SHA1
3120c0f65f0a094572959d68441ea2aae36554cc

SHA256
e099d6431f6350310bef1e2b2e5f4b21710cb31edfccf0dc130fe7a85c973050

SHA512
4baa9595719a7bc6a3de3c128a0aeba2bb321d727415192728acf754aa51d2047aa365f68d70d47eacd84dcc74a898ce6eadb12821018f7d3df1948bcce2b36a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a356d8aa16a6fd03b8f04cbb26ac6d87

SHA1
4889496e795ededc836530897127082080dec942

SHA256
58fe25d114615d91ab29bb5d0d074c131280b8f965812e044ca8a1324dc34ac8

SHA512
c55939c9839d32a2e46d3abf5fef689cfe640d0fe1a5fbd09ecad397d6cd8adb3aa535f6a12b5790b478fc3248aae8d74f4cbf070a3a43c834ed0f4b5740d7e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5fd40996c66fcd8b7e113674b947d28c

SHA1
b0f6ae927840168b4ee215dd1c6141d05052c335

SHA256
d0b575037d4736d655b850c39bdddaf594a5419eb49413f0c5093493c3e4168f

SHA512
b9ee78e29e4aec207ae68e28d7b6b3bee83a95841aa9cac45c0e972fa2011fd2a2abbf675a3c942fbf1c9d3ab8e01eaaeb9ea729dca692dfd315c1b987d9c5d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d2cc9e3392d70c1deff61357867a71c1

SHA1
bab6c679e00cd7cdbce09bc3b9d43c65227c9606

SHA256
428ae717e056e41d409243029b944bbba8b0a0ed1b1a6b03df06c93973120f92

SHA512
80cca62f7a2b8e4b27630026e7df1c09adcc9f60461ce59f45987ed8135e332cb704a7d902577accab2c0346a321cace6d94f9826ff598446b998095ca92273f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1fbf510be70820ca06b75ddfde1690c8

SHA1
6f6092d81d4637bb840497c7b3d2f36766b4b64c

SHA256
69e2099de5e1470ad985eb66330a662fe288f98e93a6e25a7950cc89a1463ec1

SHA512
82af739dcc014e17b8ee3edc0299d2be2ab824f83bf0d92eb6840dd82427b42aacd56305b40f31bf045e8011bf95134261c8d14fce19db77108af69db2ba6919

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
107863678af67d741b997953fa9a0bb3

SHA1
c7af1fa749c4ee98ba8c9194edf0ac053ec99666

SHA256
9121d47fec670ff52d56b08882df97c0b9f1676d92634c35e7be40096d6f07ac

SHA512
29c8cb856ab16ada60ec01c6b6e3b69c4662d5a67b173888f457b42f5dcce7819b183e326cd97577c639635dd914181d1ec4221031237f7834d7aebf15b2b986

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f08f216ac787dad5078841343c74c9f3

SHA1
070ca1a60269071b370812ca6a9512688c83d16d

SHA256
41a1e84668d41d45663c579d2e6f00681433f0731587c1dc4fca606147eec9fc

SHA512
4b00cc894a706da936c85de457c25de04f3403cf8991e1c016ae20cae2d432b79b04b809b1d0b84594424a6ecd723e2c94b468aa792870747c5d2dd7ecf32428

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6dd0c99bbdb25a96f531ce8114e153c8

SHA1
09292ee5b38369dfe0f50462ed44d8783e0ee807

SHA256
217c1e59bbea5422a9a8077bf1851a87a1beb82410098645793752b5884a8a76

SHA512
edb2b01303f7cce58edb9047cd982ea8b1f6767c30c09f9d4806c3932303038128a83330e0f84baa604f376b7f3234cb7a74aa6d4d65a943031a95cce3dc08cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
37e0aaecab421cdc9540c9874a866a11

SHA1
d7182566553569950af3a5069a72af3dffe486cb

SHA256
ef05be65b01923b5c34ee9710eb736e4a1e314f28fc9e5790bfb10fe078aa8e8

SHA512
b63369927e9be075b2ad815d14c8899252b45631187aba90dd3b2c48e50ca610f1f7d53347f588fd64db53cca66be6fea90ce196209fb3f5c3b9b4e043b2a07f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
328387bc01c226db2a4d191f21fc70eb

SHA1
f0141fb3a9e16c1b7ea39c7acca16ab92a9b84f2

SHA256
a551180d72bc0ad91c02ee09de639f75a2688141aed5e3933da461bce826ddd5

SHA512
fdd758aebe31ceccf7a1825b0d33f231941228d6430d9c6d6e2373fe8b599cf1922d3c260f548b4d0dd8296d4af887aad16c87272210a1ef8d6276bb2596041f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
bef20676a8a1ff5bd70f57c5d04ba9d3

SHA1
1f8cc6b053011bdac2aee45161dd1f5fff992720

SHA256
3f3100b3d0f9cf807fe5ca561506fa3f7d6c85f4deeb0e1794673d686bb3dc58

SHA512
ae0ca97323798705d1869d0bc1833ff9119949ce7b228ddae1cae4344d654974ec309d9562670e69a47748d59e33ec3f1ab7a4130b17602083f0ba70e921270b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
09f65b385affdcab5f73b157cdec70a1

SHA1
f0cbc2f79f151e8411dbae5af15ee86d26d67477

SHA256
a23f310abb717e364b1d91ee0f78e54580b7cca6ad6f4b5cb94d6af92104cead

SHA512
5287ef44235cc27ef2752830a31351b8a8e5948e7db8dacf8bef2181018147fe18f048e395e29572c065ec9075430bca13f7b815292190510b12a08ce7a8ac67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
731c6162197c0ffbbb5a882393868a1e

SHA1
ece834e39394b364fad9d42a23b672457943f03a

SHA256
d91b791363c458d5e399dde9c5dbbe9e3b0419680633b3de6a758ba38e44bca2

SHA512
54a349705a98a0bcfcc8440127cee58296c982146cac997c3d0108749b3f1fe82436be0491a2f73f4344c1578d119acce7d56348f807129a6ef8de7b2df7768d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
42a50cea078431b3d3ed4dfc08d3660e

SHA1
725384aecffe84b1ae775af84793bd44563eaa74

SHA256
6f9bdf8e543123a1e50fe2f0b3c594521f9c506e0a56c95f6a0772999b781fb1

SHA512
0ebac61d7421f364f2f128a912e9d611039960a9e1befe2b65d58f61150400700246c18e891b4ecfd9df03b29d95ae9a3a570cfbbae235feeace124a42a10f7f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4073151b8bac3923db562349aa4d1264

SHA1
381c0b22b5479514bd4e21c601e3087af3c022a6

SHA256
2f696ae8d792c345d17d6d475411801698b8a1ba7747ae58de5bc26010120da5

SHA512
ec4a6256a7fcbfbc1e167db118b2c73fa3cebfde88ad73d9725dd7c1188259fd5456db532162db47057f7650405466e9de4c4ee1ea7220d8ea8cf7b11bfb44e3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
96c57a58de1dd6dd659baf578d2640e9

SHA1
ebee67b72db951ebbf126818d0aae937a5186a77

SHA256
575507a061be0b39ddf5563bdb8bdcc283ab0b48a2997245d81023dd3fe293b2

SHA512
6e1cc713d28bd830b6ace7031dd51a77c82bfc3e5e356d885b91d2d38a4a8f6953c276b1c32f3fe2770071075633c29a96cd7259448d8b395ac31b965b606728

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ef6d4d3ab2b4ddcb8a6a2307fe094d33

SHA1
91f34efeb344155511856730b5ae1c4d3ec940cf

SHA256
3cf267b1f7937cd6bf8ea2c95f3a74dc307de3b925c1e3574b8a92c365891eea

SHA512
f5450df6aab926b82b920e5c0a5de4f1382794ebb5e83291a26b008ebfece9240af1b36ef052f6075c4d7faf5b1eaf9d42134bf1d22cb80ba8cb0c9db9e56ff2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6e63ccd572c59b10c93bc74d1ccb026b

SHA1
e9139c2cb811be491eb8474a8442ade9aa3cf91b

SHA256
20ec790c102bb76c0f2ba3c5bd53bbe256e475b3dce8ffefe9d5d21317a03f2b

SHA512
758d2f56c468256803e646b0356963aa953e6e7382a4de28d65fec13f7fd2f70db8d085d2bbcdc9b174bcbab505c7b29ac0c0325d4229ecaf75e645afddfcd51

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
677370f4bd5c1160951490781980d602

SHA1
4b80e6eddc50abd9e4903c8147c95d6fbdb35753

SHA256
889d494bc550d5360edffe05b9cb31031c4190d59df210a6d6a4e5f88e530281

SHA512
1c54ecef78a92ac3320ef68d7004086d408169e075df69042b65049792036de079578d86975a6ba7ee06fed1949e2cf0a62fa0898cd4707b873dd79dbd9be123

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7f8972c0abd67ca393d4daecbca0f096

SHA1
2806f3486a08010a2a1a2fc5c7d9aee0219d2931

SHA256
6941c47fd25c1a60a40d44564233817ed8b3b860208b495de6fc42ad577c190f

SHA512
d39259f5a64bc54a029da96a80e52a3b6dd99886fb78dcf32ca61870a1f085a9e8576bffa5d94023abb1ec8cdaf3a1483fe5ba45830067634becb4a06e5192fc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f8720d1bbbbec6ee724d99a00f2a4f0f

SHA1
b444bfb48bb561fa2119744dafe59aa66db56379

SHA256
205ffb09cd412709b9e416274f2e14e2ed622da50e7790013f81fcb41f9fd96d

SHA512
37fa31802cc29441d868265ae65d8c136639f0292ba3a59ab000a1e104fbd6d0d35a9eb2890be8bcdc7df090bf32e057a017307e586056d41626e5b1cece945a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3862ac4872e33775ff14f288197ffbd4

SHA1
873cd341743b274d4a0518fb2a023e1acc323c6d

SHA256
fd0808a0b7b327691dbd01d680cecfe2de81c43d65a8a564d59af5317d7b4039

SHA512
443d05c0bf40c3067a0402942fea76334c09b5bca2ac50bedf65612497722845a0527c03107b07bad3c05d8835f943e1d203a03fa9cd1c3ba830198925a45f8a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c2ec0f0b797126f2404552541c0a0cb9

SHA1
ea6655fc6a5e1a8627e4bfdddcd087393ba1ed5a

SHA256
6bc49f990c51131cda9eb257a5b394b3606a2c3a64b5eb81911822a4fb947547

SHA512
ab667397c53ee8a2e58f663d132fe2975aec3b8255a60183204eab03585c813e699bd8f5a6a2344c55340440281c29e3ea5344190d64a8a80bfd99da8beb27d1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2b9cdcd46c071f3be167f736bd4d1e95

SHA1
2070c558261f6cef40784b4cdd0db913c6b4bddc

SHA256
c3f60b8f7bfcabf02a5942b1f90939123f9bef34df3d9155e81c1395d5859857

SHA512
ebd95baadda7be030bd6f705970d138cc1e501a5512c04b11d7ba51b90320a348f71be584c649a5b7e824a579f229b591fe92e72c098ef6d708d52a1c75021c8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e0ef2144a989cd20f2c82f630ea03686

SHA1
00f930dcfea4a8d4e171bbe702fea10f7dd83e04

SHA256
e60f5d9381ab97755ee6d19577669d2ed75d52094ec4f57e5f2c727234a390db

SHA512
c7502dcf9344a96f056e4714bcade7db5ac50e45db6101bb52030ce09f0d65dc98603b4a9ff87f0acf41649af0ad891e22071305af35f7d5cfd2ee0208266aab

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
03556cdb556be81cab4589030f58cc80

SHA1
7594cdb0903bf7083f76ee6f76f4d48727fc6c6d

SHA256
23fd0717471f7d9e1fbdf883de356e18cae5485de654195e88399e11df57590a

SHA512
545d2b4bf57fada82c5ea9455ee733c39b34607779aedcec5ca24b1b5497249cbec0f113540ad03bf34b6e24cd44308a43740d8e135256746d2dcd3204f25903

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b55a3788b277baa78fc28f83b20767f2

SHA1
11bc962a195afb4925272bc68753b1a0054e03b7

SHA256
5dfc80bc3283d2dedc36a3f9dd2dfe5649ead360a013bee429b6ec64387c48ac

SHA512
601470b59f0e346708de50f41397dea75dbdd23adbbbb03573f905f30d6ddf1db3631f947566be6bd8b1b1bdf2fe3bd1fcca68532aec94b6b124ce6c235e83f8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d147484cd0270e95af33fd7d5b1064da

SHA1
c9925200c5f32b3242d137b4a4d3220b003c2491

SHA256
cd9618d166722e8d315ad8b12cfec99351788bf629f9278f046cb8b060bbdca0

SHA512
1c6b9f997713c13b020dd153ef5bc7fcd38a3e7ab363a467b22fc2a679c90b7870ff2421be4d311aae175dc6c6e95d7d1e24afc84fa9a82029249c1e49152285

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
848c5f51c515e627adce5b88771b2dc8

SHA1
fbff5d4c1904d48abbfd19eedbadf3af0a2cccaf

SHA256
6bf7535515fa834fc49602da22e3669417a162c258e7c9b2f529922e775c89b2

SHA512
fd11f7191e2b571f7b727d8ed12238767a7370f182e591deadba8f717f07239d89abd035cb9c23bda7cf7e75673741e815a5d2e887359d72cde301c4d8fb844d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e258a043ac20666706047cf595b18f57

SHA1
213ab57a3e44b02424c247968ef71f239a425f72

SHA256
e404f7362d561347b7354328c5f44b2da93057ed54260e5ed26e84a2baca7a0d

SHA512
3976ae8eb9276ab3bf9e0cd1d3c70e141c31c33374d10b33412d1d30a8a04a2e513500caef0cf7e80b4677734ca64c8961c2c06bebacec48aacfabfc3a9ec96c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8e09aa47d7e4eed90b11c8e50ee542d2

SHA1
bc560578413194b9d3692e10401f63b688d5f89a

SHA256
99ebf9bf7131ee2ba0665f0f9efd645a13a6c8a5826cac37790349910b28c846

SHA512
666d94e4aeeda26e9cc90fa8929477e14a9a6bbbf4d611dee74e5fbe7ad77f25e9085d93a2f26cd7e0ef415004581f147a9a2048b294f6b706e977ae74b3a95e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6c751c6824d9150053149727984bdb8c

SHA1
a03af4014873789b9099d32aa24a0a247017a758

SHA256
949a3c2b89acfa935cbc0056a9d8f7b1405e5884283215cdca24f70426e439ea

SHA512
e6a8014353472e16ad0ea73c4cac54d1144b83e89da5804464d3616000967fb37b6aab74fccf255e5fce6c3ce5405f0ab5cafe906c136d6c29d7c8f3431de4de

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3ab2dcef19a6819ea8164bd7ae00d58b

SHA1
556cb93b9d150502a7f63ccbcf8d9b234744e104

SHA256
4ecf8d5f4f8dbf0a87996cb370d898ef0e96bd9c2065a05d713078baa5a5f498

SHA512
61ec5a417accf2a96521b6bbcae279cd567d07aa3dc6e0dca4cd5a4f870f43a1b8e8012bfb4aa7b2b371497caefb84e86ad5d7175750eba8f2dd833c5a4b96b5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e3a929a17bbaf253664f4aa0813671ec

SHA1
f939119df0e7d19351d66a60be75821fb6fa551d

SHA256
d18163bfd1d03ca16283f41c8878e487737c9874fe8fb38e454a304cc6897f29

SHA512
e3d22c18c2e549ee8221c3334ebd22e96310c3a55516d9ad05892e1a1d5f7f1e88d53aaf0e681f84210221f41bfb70e3c3e385b261ca4e13fddb65766a6452bb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bd7c51fa457eded39877ae1dd25443c7

SHA1
bb3e1a2584b0e7027be3e6ff392d2b03ced03f25

SHA256
da6bb99c3970babb2c8a83d53e7f0c41036c3cad346bffa8ccaa7479f9ea9747

SHA512
2a1b7113d863b176d5aad632a40ce2854af9601e5264c6ab43ea44bdf97c7e732c0cea5f48875037649881eb4270f9b4f57a4357340d3e7b6aadeb35de0b2ba7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
dee345fc27aa807265efb4344b6d121f

SHA1
2bd1513eaf9189fc46763753ca647ca012893589

SHA256
65227fbcd3bb9cf18a112524d59beb9f02346db0f1fb8f410bf98f7eaa34d712

SHA512
a096cf048de4ec5ee2f1255559cbea1c900a3e0f6b7cb38ed0913143e83682697bb8a0d6480e2ed74865c74f710a014fa5028b8dfc663f89f7d5f53cdca258ab

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9b1f499e291ea79e150bc6f8a2268d29

SHA1
feef9cbd90d832b5b03b04f6bd19a04740b7d83d

SHA256
0767061d9d4adcc526b51949fcc50df97b40dae5752262f084bf9f629c1ad147

SHA512
48618c95788ab0dcc608b5e558b4a1b7f9f1a7ab3d1bc401da38219738296aae4a2a5e77d4d653f0be886b70c4c4dbdca70700e7bb593ea39b36669c0a9e9cf8

Download Submit
memory/64-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/64-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/676-191-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/676-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/832-14-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/832-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/832-20-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/832-21-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/832-454-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1484-81-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1484-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1484-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1484-75-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1512-610-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1512-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1512-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1512-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1880-193-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1916-190-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1964-189-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1968-617-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1968-272-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2452-187-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2452-89-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2456-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2456-461-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2456-220-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2456-462-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2456-9-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2456-1-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/2740-271-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2908-188-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2912-57-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2912-50-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2912-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2912-609-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3208-186-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3652-614-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3652-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3744-60-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3744-45-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3744-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3744-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3744-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4136-608-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4136-27-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4136-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4136-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4136-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4332-195-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4388-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4388-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4432-270-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4432-616-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4488-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4488-615-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4788-613-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4788-194-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download