2f9cff5ec6ea2530e0654b6cbbe5561b5d3d8b45b48b881d3acddf52e785c9fa

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
Size

703KB
MD5

0789b52a656ac831aa1e99c6a2887240
SHA1

ce1b2a6e8269e8ab635fabe4fa84591826b3e235
SHA256

2f9cff5ec6ea2530e0654b6cbbe5561b5d3d8b45b48b881d3acddf52e785c9fa
SHA512

4a233ab2798ebd8f33c0d610208778dc65eae2f2d90c3ee9ffbca86dbc3be65e4add76c19bd3f64f7ef27f24a9d0f8681e104839e51500c9d620b414a43caf6a
SSDEEP

12288:xCKHJx5235ATNjYGgpK/vnRsmH5Ckt73qfKrrzD89f24pWYbCXGah2JoHq1MGJlp:xCK4+TNjx+mZCkt76f/24pN+XNqNG6hF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4988	alg.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
1808	fxssvc.exe
2184	elevation_service.exe
4620	elevation_service.exe
2336	maintenanceservice.exe
976	msdtc.exe
3520	OSE.EXE
1240	PerceptionSimulationService.exe
1836	perfhost.exe
4520	locator.exe
4576	SensorDataService.exe
3472	snmptrap.exe
3884	spectrum.exe
212	ssh-agent.exe
3992	TieringEngineService.exe
4452	AgentService.exe
232	vds.exe
1272	vssvc.exe
3428	wbengine.exe
4364	WmiApSrv.exe
772	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8d30c8a24a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017cfd6d229a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065828ad229a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bc147d229a6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d692dbd229a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe
3788	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4168	0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
Token: SeAuditPrivilege	1808	fxssvc.exe
Token: SeRestorePrivilege	3992	TieringEngineService.exe
Token: SeManageVolumePrivilege	3992	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4452	AgentService.exe
Token: SeBackupPrivilege	1272	vssvc.exe
Token: SeRestorePrivilege	1272	vssvc.exe
Token: SeAuditPrivilege	1272	vssvc.exe
Token: SeBackupPrivilege	3428	wbengine.exe
Token: SeRestorePrivilege	3428	wbengine.exe
Token: SeSecurityPrivilege	3428	wbengine.exe
Token: 33	772	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeDebugPrivilege	4988	alg.exe
Token: SeDebugPrivilege	4988	alg.exe
Token: SeDebugPrivilege	4988	alg.exe
Token: SeDebugPrivilege	3788	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 1232	772	SearchIndexer.exe	112
PID 772 wrote to memory of 1232	772	SearchIndexer.exe	112
PID 772 wrote to memory of 4624	772	SearchIndexer.exe	113
PID 772 wrote to memory of 4624	772	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0789b52a656ac831aa1e99c6a2887240_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4620

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1232
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

Filesize
848KB

MD5
f8a7c70ddace778baaa3e14b57cd4005

SHA1
6a57033ef3622936d1405f64f164df780d391d93

SHA256
ab9a6a65f77532b0366cd345ba71e3512a597426cf84e8cc1cd5ffbf77327de8

SHA512
4068fe8406ed1e17f85eb9c383fa7ab78ee59c8a0bf07c4bb9787946024ccf3dff89855e81dc931b327cbeb02c473e9569d8e5fbe980cf1a8157872b36f43af2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

Filesize
25.4MB

MD5
4e96bd9a172c3cee2a3029cecefee9a1

SHA1
c38e29bb15e3cbaada1216d11d17a46bc04ff803

SHA256
4faba1a846b9016b7d47b0f81d36828828b79c76fb7cf5e208fd09ccd1ca1126

SHA512
8bd3bf22801cc00332f65610a794d6ba806b0a2bd89b3f7a04a48198b7ecb1c3d9e8da5794074160fd25f985183ce7846ce4d81101936fbc8343770246a06faa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

Filesize
650KB

MD5
4e369cb3fd4fb3a61913bc1af202fa88

SHA1
565b7ae89e8a7d31ab4aeab56a9a0a64f30579eb

SHA256
000eeda813268ead78063eb5b33e405dff3eeef9047ca60fd63186bed9c5de21

SHA512
646e8c5007260b4f6c13e089606f8c2bb7cfd809664556f3e73b768f8782c4fe6d44dafbfe979efa6f5ec998994e097b865318e26560870bc675e2cb41c023cc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

Filesize
771KB

MD5
9ce986aed805f7105262c8e5cfd389cc

SHA1
08ba2d1cef4fa19cab7bd7a78cee91114ea9d0de

SHA256
7b02c7dccfc25ed54d21148f7c82a362baaf92b2398b76ee7fb5d67d2883b088

SHA512
3d86c541320aa91444cc6f8b4b1726198f391db5415d0dac8eecfcd72716848ddc8a30cd5477bf14f94b8caf8e6ba6cc7a7aa55dc7ada1c2788b14ab21b807e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe

Filesize
904KB

MD5
2607aa6d753a40aa7acdff4de9ba339a

SHA1
cbd3ca731d4946dc611e3aab798ce736f0b1c926

SHA256
71537b45c99537114c5a432f577eb4d989e0825e97e2ba5f33f9c822e3529d05

SHA512
d80e228a3d19b0c968812e9b3f39d72579d9570599b6b360c65397ab5ee87b0ca55ba056219b982a80dd3b46c1bba4fd77c9e0e596aef1e4051d2de8b22992ed

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

Filesize
644KB

MD5
806479c9f8f9e4a81216f90b6fc6ff7b

SHA1
e5643fa3dca3e56bb4a02f6b4280e737ba29187b

SHA256
e71a9394878b77f4c6d0bb86e0fa379b509e7dbba51ee53e76ce0062390426d7

SHA512
ba1858b9467b07b9e5c5cb7cf41df4b2f7500f89cf251cbbfffb6936f2aefd6dc7e3b41219f0825fdd45f76ee8290e999249eb175ac8f8256aacfae4a4e939ec

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

Filesize
611KB

MD5
a32a193cdf87efbe1acc74af82586199

SHA1
03948819a85298570df0ed6fa2030e4f95911c57

SHA256
26d8b7bb32fd9e42fd6cd96efbcf38a300819a51a4b490e6c50f4e0cfaa3ece7

SHA512
18845a3db417bdd0b14283eaaaf0f91cd56643d382a129948ffec0f11593a3ac292e6a701cdd68dc779c8faf38ce009e110839ca26b78fa5c2a8f9cd56fdc768

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.7MB

MD5
169bdc8385b403055710d4f4803e8d17

SHA1
bfa6347afbceb4a5667bd159c7d0904da0461063

SHA256
384a157a2ec615756005755e94c731b458a0f1b83980f644bdfaae7176b3a13d

SHA512
8ca81936882d5f08535a13f44f9777340731ae55d4f4f4d4726c824758df991260440397a07a218d46d94864205c4813b772a31bccd11bfa617538cf0e168408

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
973KB

MD5
d7eec8332fef01de2f9611d74d40d352

SHA1
07869a96b1ba405578ce04f2d06918e5762e6a47

SHA256
e62c34a20419f9edf57738944e4b45e80f91ac8967c0a67b6e624150075cc1dc

SHA512
1838becf70e29bc2e619fa9924a86e57fed109cc1ca3b001635df8c0e29ae38eed0255039763d7ecb68e528b213ad3acc950e3d6a9153d51934b913a7082592f

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Filesize
1.7MB

MD5
f3268f28045f44d2b266ae8566133022

SHA1
63ed288798bcd63fa01f8211085826a5c71bd720

SHA256
cf3d0cf3fa0132cea9f8435d6cde6b74c0d173f4884d20b2a5027fff94fcdc29

SHA512
19e019d2291e7431fc000103a65d848dd893f9721a20a04a9cd470e562726200e8892a2df08e593c5c192ec44d48d85954d66e4e82020b0718d35d15dab13c86

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe

Filesize
947KB

MD5
2835d153d1d4c75308a40bc015894903

SHA1
02afb6ddce5cdf93878fadfebee3415352e66668

SHA256
bfb2db5a238e984cad47944fdd4984eab2528e6c53957c59f0849385ecca859b

SHA512
41e345132a7cf21477a9029ea4e788b655bd4ee93ddf79796a1025a95099853adea598ba4f1a33ea2467f0a052dcaf086b9d56e116fe158d2cbcc098c2f70f63

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe

Filesize
663KB

MD5
aa2ffc80818883e6cd9875e477869d18

SHA1
6c833c954200f93b048037ecc1eb75ca75f84d51

SHA256
11be8fe5ffc63d361c729b921e7a9cc49305a300f93f7ee44935f6e5cde8d0bc

SHA512
79ecb079e371b7ed0e5a88f766db68c6cc90ee18b222b111368e9f47219817ff23f39d7d4feae9a56d64985878cf4b75f192af8043d9b0e2b996e6f733f94559

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe

Filesize
663KB

MD5
dcc31c6cd5297f4f7e5c402304c48c62

SHA1
7d0ebcce83ff87eb1ddc2b417039d038347be74f

SHA256
73d348c43e9be3ebf48864c5975519f390cde64e7dea18ed3010cee520ab3a0e

SHA512
4fbb38e742cea3e7e4bc4941bd1c749f508f37920c4e0babe3b359b231dded77bef639eae08d65d8593b91c01dedb66ecf33a9b4247772194e0d1431a17bd0de

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

Filesize
716KB

MD5
98352f61afbcd0b8ab5a7b13b303a613

SHA1
d915b0ac810f5496c81c19356a360be11fdf0c96

SHA256
aefa01e62d849ff517f25bcb65bffddfef4e9c011e239b435c060759e969259d

SHA512
a0039bf53f017e9d807e203c4d3f7731246ae573e271e22359ea0ec658e4d6bb4e6ec95c4403d337bb5e978f9e992df7d597faacd06df83a758c9dc429d7d593

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
537072f0e9c2a811e2d3f1d67b678724

SHA1
aa27d2977edb04193b0ca9ce275e34adceafd396

SHA256
fed71bdfc3c7e9fd2d851574e3782d2a43cac1755ae4e651a4152fa9b526a55a

SHA512
a15ec901cc5420cf88dc41517cacefeaf0bacc341a999db3bddd983f6b299337133b47932dc857c67dd259d89747608578ff9c4706d88f96c2c3178609008111

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c4013c445b03a23036d452e2e58f3931

SHA1
c1e1ae31e45c26e2767475afa288b3c1bf92354c

SHA256
b4ca64c50b242a906faaf8eaeda24a961fdc0b9280dec29d19f7789363cbef9f

SHA512
f236fe0694f359925279a61d1aea865b0b3116f9c3a69181e95d689b00593165d48449025e1db6356a94d7a95a7612c6b46d5028ecdd0520157e33a86dd388a2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
dc02db0e65f109eecae6639e08d0af49

SHA1
3be14e65ce8647a6ac574b86a10d75eae7aad36b

SHA256
5dc041797a82174284631b5a93b04654ef80abdec8c9e07d90a26b4b8139945a

SHA512
29f177e9240259ef8da325c3f3af01ad802d244aa3775cb2e44b67374c99aba33283a4373ed8e7b7847790e823fc85d588dea49ea4d71148f32d1aa729fed11f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8edc3c3a281404efb7c3735f9f988c43

SHA1
edfd2305c9e3c204fd9291ef5b085d758fc6e814

SHA256
734d7c8c4d81b7584b8820314df8672e16f000a3db52e64ec7760d414b869680

SHA512
a837a6ae09dbbd30b8e766452455424fdcd3c39ab3ef5f3b7dcdf0ef72db22e0050b4fa3421eb971adc2172308210485824c1fb71ad64331289c94002ea15287

Download Submit
C:\Program Files\Java\jre-1.8\bin\orbd.exe

Filesize
581KB

MD5
452823e9032fdacd0268822e1569297d

SHA1
5d2d37ccfb94ed3614c0e14aeb76511108941935

SHA256
ee434ae834d0208c1474453ad06deac86fa34cebfb70996bc11346069486b4df

SHA512
407f73e699dcd2486a51c0fcf8c5e34eaf9a38f25060796305ee1ac972fdcfcc350cf5c404c4024bf9180b504c23bf10a5cb3988eceddbda21da40e4dff550d3

Download Submit
C:\Program Files\Java\jre-1.8\bin\rmid.exe

Filesize
581KB

MD5
a45432f96568b9d775f29388e702424c

SHA1
04f680139e6cb1719d5ee1182c09a8ac5167124b

SHA256
2e51dca831471edaae77ead627febef5ddb2432fdb48034851f373f00a749ea1

SHA512
60a89cf3dde9c745285385650f132df85c5f5674828d2454e4128fda5a72b91fdeb5194c9c5b089095d9f877251a2462d9920fb0bd9a4c000b431a0f6adaad37

Download Submit
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe

Filesize
655KB

MD5
442377d76b4e5cff9e89dd80dcbcc02a

SHA1
64c8ffdb473f19cc74bc71747e6c14164ba65393

SHA256
65b675fe4ce1bb34e479ba33c3fb7dbe3260982b49c6c9d53e78914da79196fb

SHA512
a13361c83848ef2b2eb1ccf9eaf69e44947cc57bd6ab1704d04d3a04e5b1e459a2fcd81d46ff4bd0502a0cae5b1404085ecb93177088ab7d8dbb3ec7b27c9bc2

Download Submit
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe

Filesize
581KB

MD5
1bf4cf2a27a94731294fcd5ac23a722b

SHA1
1eb3e6c8d6732c8fa330f011cafda30a0b5252a4

SHA256
3f661f50f9cb0fdd34a97c72fb0d39299f3f3386f75767f59525c27988a1218a

SHA512
0d7caeecd7b5c7c7dd2fcc046c9d917373a871fbf87d0e3343cab31095dac5ef043a4e04e8187e029340b7efb72c011597175e1069147c5d68b80ac54220c574

Download Submit
C:\Program Files\Mozilla Firefox\crashreporter.exe

Filesize
815KB

MD5
368cde53f6c42d0eb89ee3b42f002a25

SHA1
982eda168b1003408d2f33af4cd43b9e847636b7

SHA256
c623e9408b9c5248678807b769bd76a6718b4e6ebf63145436e2c1101a9528a6

SHA512
303dbb2d3ae876811354b2adff4a164a2751d1397669a155dc341a7687824ccaebc82b2c623095aa65f4304c00b07eca137e4a42c57654d0776d59e9feb8be26

Download Submit
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Filesize
1.3MB

MD5
eefa88ab54ad1b4a7d9681f6c3268a79

SHA1
16c53b728950608a0c1ca491619bc184fc660e4f

SHA256
59f0005e08e7ac298b2a760596907e25aabe49a55b061ef601b8b34e307aa436

SHA512
e0ac781914666e832b862b1396ffa8700be384b6fd53f11fdec0579931364404a1a8820e62c0ad5d704b459d5576e66021806f66ee27805708b14365cd762b4a

Download Submit
C:\Program Files\Mozilla Firefox\private_browsing.exe

Filesize
620KB

MD5
b8bd2b65ec4489a5e2286c6215021c3f

SHA1
cb77b04da71a59ccd368243491a4b15451f2a3d4

SHA256
9122fc6b4cbb2ec9969badb1a3fda974b76447bf4b21073633dbdaa12076bc67

SHA512
bae7c2b8dd144e95b96e28778302415e4284654ed1dacca9d75a5f9c6a3bd14059f96b764a695136765a05bf66844fd70be06741b763ac52f6e3ab2ec012eed6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
551c61cc55755e3bc9936ceeb6585730

SHA1
97adc31acefe50e3cb2a55f4e9f32e9e8ff49673

SHA256
c3925506c35261e93969e67558a9df9a0974a0761e6921de8ce997fc78a392e7

SHA512
3cfaa05fc18a3572d474e743124d12c3ff066e8b0c12619a8b3bd15a98212f6063b81f356253c0d49990f6bbccbeaba1fcaf01433040ac8ed0e31f143126c8ae

Download Submit
C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
1013KB

MD5
5ec1ad4ee205672d58a0ac983c1e6999

SHA1
1e2848b8229d390702880d9c93bdd6dea0e64978

SHA256
2aabc6093395911a1ee227e8c1322aaeff2d4d08db3b25452fee276a0ba455dc

SHA512
2bd8f0afe81609d188ca48deaa3467b207d628c482b809d82d5f75ea03bbde0e08f9d9a8f4bc3d5bd0df0faec1774a51909d1459f14d18f0d8d391f64f91498d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
67728e8d9c408fc5b386c9fc6e600e7c

SHA1
4e374774450d9cece19188f0ba12f2d45681ae15

SHA256
df9c3897566f2d88e574605f17c3ae3653e893ff0ba1609e58c850224f9aea50

SHA512
bbe1802e50215c855c3241929cd1093ecbc9fc273c47c15a93e064fc9919203c6af9685aafb0765fdb79713b1b73bab186fa3b2199c858add7b641554af59886

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cdfe4d2a2aae50e00175604ec54c7568

SHA1
02bf0c3f4bbf6765502e2cb9b7fe304b5b245e8a

SHA256
07bb4eecb211540205bb72368a5c5ec5f633f1686cdec73153fef514caf01946

SHA512
d888e40b4986e30ff58991a8f10e39c6139145240e4f10b44c3abf59708160480f538838c66eabcd16c092cc26d6482df2a2bbe92c30076ee5a6c1e012642dab

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
22d28d440cd0c5a93e9979571b52b3da

SHA1
65a7f1c0589bc561fc81101debc1b9d70cfe8cb2

SHA256
cd3f54a6ed5b842ecc5ef960a54fbaecb7c3888c44c8b2bb9f0b77a3eff9a904

SHA512
4ac7463a19a1daabc2bb9130b56195aae4aa4d54a04d66ea338b1cceb93d4c788aab0690bd240e63e77c0177a2c95f82b1c8baf328c48dab291ebd1ab0daa879

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d9888c207497555955ce272899c6a98a

SHA1
af40c71d9fcf2488c7dab8f6b50c3a1f101c0d5d

SHA256
ffeb7460e95ede8882d4fe8e241df3e068bb8a220b5f404061d527a9d185daf7

SHA512
c515f7bf5168324b3801ca5d4c511aee5bb6a0ecaf81afd83445191694ff9b5e1035ed265772fc48862a3ed871e9a94e69cea6f59d6b78b35c181b5ae41cb350

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5f228a4bea9f92f8f40dd55ebc189739

SHA1
8dbc48b122a069a88d0148a8021640a160b741f8

SHA256
9c340b6fecbf60476e95c443edf6268c1a7c02501e964009a496c3d0eae2c22f

SHA512
bdc2e4dacc0cc84fc6dc3ef574d74254a7dee8af08e09573edf350cf726faa99fe6e5d038facde4162188249e2028e9c78adf528ad64f908360642833691d2ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
30788457de306c447a1800ba3678c1b3

SHA1
2faf12b76b4b1a7f88a3b2fcefd37cd4c11e52e1

SHA256
b84a8858970d61b539f060b8911e955950cc0402621a1e7faa8bc257475dd2af

SHA512
049ea48bdb765341316af24da5c654451f27f57c1ded428cb5dfe47fac7c8dc86df497c743f43e45a111cda04cc9aeb28625e3fb620885830aa17bcc8d88681f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e4623d45f9c91a5adbfba8f0a8c0d4bd

SHA1
d4865fda539edeea5d76c67e4b27c9cc6cd56431

SHA256
5f02faf7710beb4d5cc10ce5dba3107bd87e46d8ea81d15b4e7e33854bebcb6c

SHA512
17341aeff251ca664d65d8f4397db807c5d8d131b4a43cffb1ab07613880ee50c1312aad121f7f5879e72b157dca82b23380244fa75d8956299446afd7bb3ebb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
99ffa0cc0fdc3b1c0f84e70b32dae7f3

SHA1
24a3d66a66525200f2a04dea70599a714295c7a2

SHA256
d1301d8adfa65d1b77d3b0232f2ae024910280ca8816bcc9e7b907acd5fb1512

SHA512
eaafbe5cffd366447ec13cc57c93ca9bf9158e62ba7763e44fcf6f3ada2906d03434b96d2f77da0aafe0652037c2b252bf0f64502a223d26a5ed73b34f9eebf5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c486cd0ad5ce7937fd8951e4251bbb88

SHA1
b5da5bf05455822667381582d43138940a89526f

SHA256
332f97374242c2abc7004b08f15eede669586ab813a02c7489dba432c4040a79

SHA512
8c935cfaedea5b61cba3b1852de6970e2bda266e8d81fd2441bbab54af7969f8bcb538f4f52f3214ade0c54943f5445744e186fde1bd99504ce565a7e26df07f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a2a74131e5e3ab4487306995df8a66b4

SHA1
e6490841eeeadcfa83060dc67be50891eda12a41

SHA256
78b70d39fefd53cd5707c865e4982d689203fb62390917124af3f31267af1767

SHA512
8124673329d55403366e66b5fc55d8dee81a0a488f00c52ab105ec5806c75faf49baf5da6c976e1da46826ee82be34f3d0e13460f43ea5828e792029e1975672

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1175ad1d7e8a6a2934b20b7f70c48412

SHA1
ef53d76433f72e46ea64276ffda9b2196d3a6724

SHA256
d4a9562fc1c1a3afb1565c7313509bdcb1c161c91852558968e980281a8ccee3

SHA512
4bba2761627362a6792f4d6482632ce9c9876f68de8dee8e755f07f6eb0d925f3c552b85570f7b84115a13ca87b1dc2c92c4120ab7d82fa8ac4129b7044e7982

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
67fd9d712e2e258dc1b97977a0b8f215

SHA1
65d0ce503f53684e341991da975ff7f6ffacdbfa

SHA256
a96f28034744c160112c64a5bb64cf9110eed76ded11bd45c614cb7243ae76f6

SHA512
0d4559a4b8696f39e4249a43c57538a69ce2383fd3c418ae6324da5f3d8210ab71606a13445c324e9e314c756dd7ddee7aad83e6b7aad58863dc00a485b563e8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
09e7a29fcd91ffafbb5b533dbb44d7cf

SHA1
b56a5b9851dbed0d7e7a8cc46d2c4c6ca071e489

SHA256
efdb26db4be97a77afc618a7e019e6509bfec81325d0487f5f0fa478ba92f057

SHA512
6fa28aa43d325c8ce8169bed588624dc4c9683f8a3c029c0e1d240e4c89fea555f4b1cb640771b50337224b8d33fc757a539e3eaa55eca4474f3a35df06e6d27

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cb722615a9ff1606e0eb7a3d9fc692b3

SHA1
21cc8da15b38b13ca8369ce93097981b28bda6fc

SHA256
1c589087f11d770278ff63d26c46ec766407524c6f1e5335dfec010f2da5cff9

SHA512
53e531352d289e9607c17b8d9f1addc22f0febfdc736b79b7d3bae6a3b8805f65a1778554562d65526397456dce5e482adaa4637fcd8e51ad8edb7e4c3091b4c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2794437fcdfa1922c4dc46e940592f3f

SHA1
4679a5c67a860d22a22abac5c295fad52d396475

SHA256
4ed4f6d01cc3da0b0b641c405111b73673c2204cfb872cb401f6f094bb685255

SHA512
b30be1fa547a0cfe7b89d09d33fca9f79d2bda7224fdc6969747673c5560a376fc4cbf92851accaf51ac761b34e821bee9b20483e70d24b53169a9de7383458d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8b9d7fae430fc997f46c01af77d0b880

SHA1
32952a00de5e59fd96c6224bdd21968726f80dde

SHA256
d74bbd1836376cba077d41716858ac6522b853850aa055683355198f02155202

SHA512
b00b45f40b94da02756d74fd788f23bdca763a2d72515d944512480387eaf5ae43cc92f92e8c135cbcd864157fce41bf677db2556c74772064d8bcadd8f4d576

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c77cf2cd2c16f617bb956bdb24dde41f

SHA1
8360aeedf0b4f98be4b7e66b0f99a986f8d39a7a

SHA256
76d7bf203ae6e17d8389bcaf4a01ba873ba0b7a5b6ec37933d5fdab1d4d6488d

SHA512
f51fb12186d57e66de7489337be3f434f602a112bcc04f6c0634af2029dd29a7f4ffaa6b2e5023a55cfc13ceba039a07944b9c494bf0b5b4622ecd713c15736f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
24dc7a17d217ad17d9cb50d8c8925fcc

SHA1
6c6f55acbdd8d276b34a284c01f24e36c4a2c8cd

SHA256
8e72518ff64f2e77c08e7d435bfa3a654b427c010dea3ba0cb0696b56b70a4ec

SHA512
d53bf848a1c69384c90b62b3ff87d8bd6e1c6ca16c4ce7ea43c0b2e3897ee855851c2e71f5359ad0fcdbfe34542ceec69ceccb6be436d54225d50a92471f3d09

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b6e24e355692c0b5dd2868b94ff79208

SHA1
cc7a82988c70907e058d4d6fcddb274c6a2e45f6

SHA256
f8da0aa89bb3f741e441e98bcd3804dae32eea20da52254b4966c53ae6cd8079

SHA512
448537132c2e92435c9533361741ea45bff7a144663597cbbfc5623339e7f42292d21ac06cab9eb39cfa06cfa7a79ddbd4a0f779dc4e32583d112112cda1ae6a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
30975fd2a6bab4c9fe107e24635d6412

SHA1
d09d4019a398c724809ec197dd0b477859c85c2e

SHA256
906823fc848e8c0ae5aef90f9c45a7faff43fe3c6002365e132f83e9e2c8c423

SHA512
0b63de9a94f7c5c819031a28cc9edcf1db945e458455e38993b388dba3f58abb2cbc41cd2e607ac69d4f26852ee65ad7796c2365edc8bd0297bbd7bd624d87e5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0fcb1d7988afb6596c64a376dd10eb65

SHA1
a7012c2639bcb9afc72e65177de2aae067751c42

SHA256
f7ccd85064456988ba9f6b088dff29a529681267bac247e1a5da6797bb4f2d38

SHA512
3f7a6babe627e277fadc7601d0b7392f2c5ee2e6ca18058a2ab900460e7f61af38a76b23aa68620474c08cc275cba5d0503f540e60fd48c75284265ace0f1904

Download Submit
memory/212-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/212-461-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/232-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/232-496-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/772-256-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/772-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/976-87-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/976-88-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/976-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1240-114-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1240-218-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1272-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1272-547-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1808-36-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1808-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1808-42-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1808-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1808-45-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1836-230-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1836-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2184-55-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2184-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2184-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2336-79-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2336-72-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2336-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2336-82-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2336-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3428-548-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3428-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3472-325-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3472-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3520-206-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3520-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3788-125-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3788-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3788-31-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3788-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3884-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3884-457-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3992-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3992-462-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4168-396-0x0000000030000000-0x00000000300B3000-memory.dmp

Filesize
716KB

Download
memory/4168-7-0x0000000000CA0000-0x0000000000D07000-memory.dmp

Filesize
412KB

Download
memory/4168-71-0x0000000030000000-0x00000000300B3000-memory.dmp

Filesize
716KB

Download
memory/4168-1-0x0000000000CA0000-0x0000000000D07000-memory.dmp

Filesize
412KB

Download
memory/4168-0-0x0000000030000000-0x00000000300B3000-memory.dmp

Filesize
716KB

Download
memory/4364-249-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4364-550-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4452-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4520-248-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4520-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4576-460-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-255-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4620-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4620-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4620-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4988-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4988-12-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4988-18-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4988-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download