1d66edf2e0308e16651c164947e302b6a23c3c42201c8c0417e63631822311f6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
Size

625KB
MD5

58edf83a5d22c91ef4cf8fec9b8f7e30
SHA1

0f6cf739f87b89e38ac408ae5dfa90c1c8cbaeb8
SHA256

1d66edf2e0308e16651c164947e302b6a23c3c42201c8c0417e63631822311f6
SHA512

73305fdc28ec9612c3b8f8e186f96b1804f166992e3742ecfdaab2ae898eeb6decb5820075e86c45e93c0ecec3e86441d890bc558a8a63b6b02c4cec50e5fdbf
SSDEEP

12288:w28geKznl5TXJR0j3p2pVUrrQuLoWTF23JVbd0UILzXSocmKdYNq6:987ozX0j52pMkuLoiSJVlIL29mhNq6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1288	alg.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
4588	fxssvc.exe
4000	elevation_service.exe
4060	elevation_service.exe
4612	maintenanceservice.exe
3628	msdtc.exe
2308	OSE.EXE
3096	PerceptionSimulationService.exe
2252	perfhost.exe
4560	locator.exe
1560	SensorDataService.exe
5076	snmptrap.exe
448	spectrum.exe
4532	ssh-agent.exe
396	TieringEngineService.exe
804	AgentService.exe
4132	vds.exe
1016	vssvc.exe
2164	wbengine.exe
4804	WmiApSrv.exe
2692	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4ab5a28a92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cac19caa66a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000892537b166a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054005aaa66a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db2094b166a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa738eaa66a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed128caa66a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000928477b166a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe
5112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3684	58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
Token: SeAuditPrivilege	4588	fxssvc.exe
Token: SeRestorePrivilege	396	TieringEngineService.exe
Token: SeManageVolumePrivilege	396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	804	AgentService.exe
Token: SeBackupPrivilege	1016	vssvc.exe
Token: SeRestorePrivilege	1016	vssvc.exe
Token: SeAuditPrivilege	1016	vssvc.exe
Token: SeBackupPrivilege	2164	wbengine.exe
Token: SeRestorePrivilege	2164	wbengine.exe
Token: SeSecurityPrivilege	2164	wbengine.exe
Token: 33	2692	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2692	SearchIndexer.exe
Token: SeDebugPrivilege	1288	alg.exe
Token: SeDebugPrivilege	1288	alg.exe
Token: SeDebugPrivilege	1288	alg.exe
Token: SeDebugPrivilege	5112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 3300	2692	SearchIndexer.exe	112
PID 2692 wrote to memory of 3300	2692	SearchIndexer.exe	112
PID 2692 wrote to memory of 3624	2692	SearchIndexer.exe	113
PID 2692 wrote to memory of 3624	2692	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\58edf83a5d22c91ef4cf8fec9b8f7e30_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:544

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1560

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:448

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3244

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3300
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
49a5b5140f1496911a669e733bde704a

SHA1
2ec1dd824d33c8a13441c53cf98ab981ded6c017

SHA256
2b56cb417c165eba92fca70a890c7324e6d7b57027c79454bd1d1336952d24da

SHA512
6190830d71f072f71ad25f334c09a5908679868a671d84827ad72ece584c4b8bc9ada3832f801c292cfed790f1c009d9ee6ac5d964b02fa855607498ba869bc7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e2109dc5ff068b0defcd074d57ce6305

SHA1
f5ab59be3c12500602604689be8995487565a56b

SHA256
949035e91b67be191b8851bf0a3142b7d8ab40ed677d4330ea5095c90ba82564

SHA512
66462a63c1795195555dd17eb698c4d1377955e63bd5d568e4d2dd4a21355e37d38a97592291674c6569e3c5365aeded8a28140fd46a47c4dd2abac733ab8c55

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
98fefd51ba53e283935ad34035ad4edf

SHA1
7b3e3c295b965eee00fe3bd981dee9f22dcb6258

SHA256
323332290383ffc7796d7885ee63f52707ca01a5fb7b598bcb045e59be1673e6

SHA512
221d00f143e08bb935e25f2452ea720569d4f9bfe6ab8980dacbab8a8a07685c59fc8ac33e573d34d1cd1d8223f98abd30d159550a27de87a6dc43525ff420e7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
300b812128fb45bbd1ffa589a02b82a3

SHA1
118abf105972c6fc1b78fd696314d885b01b64e3

SHA256
fe56ef7e5f01cd493db2638cc9bac3d318036f8d58d6f2585362bd0e99bf9dcc

SHA512
65176f491edba738b80562a964d6d66ec8235c6f5c40914ed0a7f950ffe9cb6178ea97df055298927fe8c63a760d96bd134db605afe10882d7c0b0748101003b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b9f819e38a659dc6d98b2645dfb1a5ea

SHA1
771a439accf58b494990969345a9aa778833f110

SHA256
6ba4ab53679baf86238e23aaebf0066cef0c4b275583e73445f0aafd99d1fd18

SHA512
151a7af03222cbe3114347a11600b531fe3cfbd63a5daacd9cc817b4286514108f03e6aaeec34eb2f1c7c886e405b42598b6a73e318e485e44e0b7ac062280ff

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d518b207b3dff87aae2850507a553bdf

SHA1
1b9bc29d185d7ceb17d1199f6c2b529282a1f9b8

SHA256
9311382b21d00a74446432ac5af525327f732cde0ea49d1a188fe1f5d88acb23

SHA512
e043b0c56a6ab026ae871de09df9a7cdfa277edbc8866216d5a5e28c7d5106b30032bf6e589a66ba17fd9233662a890d7ccd474ba8b14d19206f9c36be7d95f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ea87a8bb0a5c6dd0816f49f0d368cefb

SHA1
236f598dcd63aa5cafd5c83bb95d9fbae3cc1d85

SHA256
c53f1a376828cdb3c9a6813c49acd5336516d46b76ee55a6ed9b0a42b29af672

SHA512
0e13ab68e4bbb883a128911dc22703cb9d1abf56347f314ebce13c8f0623d68b67d4313ad96cc23ec8b06c5f1c686b192b0eaa56452922c38c2d62b397715505

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7e52fe4f63f32220140db7dbbf5b2399

SHA1
61a732f7cb3687b4c6328139aaa534fdc08b5dff

SHA256
fdcf12c2ae87f67c7d48a2224add92e2a7988ff92bfb2cf5349ce43a64da5d84

SHA512
2b85578e1bd24af0994992f68514b76c95e83cf31431a30a6b6e1ff3091482bad0a7f2bf6cd5609fd92498ce300f603555425a56de7a44086300d34979d20619

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
18cf7c268ae9cf447b137c1625227318

SHA1
e70ba93bee5a4a9053ace8598a6ff91df689dc38

SHA256
6e6929dc35439618363e570215638d1cfadf7e1047caed2982e5ca9fb8a83c51

SHA512
193d9826e39b83d5b6378711e3cbc37a313cc15633fb9ad35f427309772a83184d398b19b94a8113e7874d7ad481b74f008762531ed104c7b1f20d3694e5562a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fe84eb693575fb1563012dcb6d109d86

SHA1
50140f2e1a11644e84da32f717b11d9204b73dd0

SHA256
d193b1def936cf8920ec36c48cae4389c0d7438b813697904965198e77c94e64

SHA512
729be0f8b25f945cc1d6039bbeb3c60fd26b723fe524a9041aa0cddca02ebe3624f06fbe122406b7563ebb3506d45c445bcb04d316994aa88161192d2446a537

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b64f7788f83bb74ada3e11f7886c4101

SHA1
60de94573711088e0affddd3caac8f51b708eecf

SHA256
3b6cbe359c1b7c9388c488dba1a9a2168fa4f1d0d3f906744ecf8e41d285d824

SHA512
a02b812e82e4ed11b309743f8eb2a32e552e8c96106c641434781d639525045205df46b939ecd4aec47a66c51962bc6d192dbc74282b994c8e254a536419df7c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fbed9dae4fa7b83d48aa0e53173671f5

SHA1
8a10df5c9422d8a07928892c663a52c70cae5fb3

SHA256
6ecdb8e5cc889c3cd0fa038d2b815255844bec0a3f8e61e9b52440fc764f89db

SHA512
11a25e61bde4f390a78eaf0b7e729770e62960b9bb2b6b34692cb0c9ad7c5324f574889f52e4ce9ce6e2398caa11a9c84dd1759e986562c6ae130b952e7419f4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6811a4a943038e3d7ce384dbc435dc95

SHA1
d669dd2934a09f080d83f9da9c47096de1cd4a3e

SHA256
8fac33a11af0e654aa7702a14ae62f104c2a6b7276ad10e8b3d49c93cf0625d9

SHA512
37cdbf83057222b2c637df417ece20c71c953c55cbfb1e5af254f80f61b48dc973fb162b09accb29898309d410533e78f0de214cd32c3fa0c04a0df4429d5b78

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
dfee5a1f77b14aff298b88c950a012a8

SHA1
2391c408f558343eb5b272233bbb77c27b8f0f75

SHA256
7052c14bcfd03fe2f70f16cf07cfb53cfbba8e58a4f4e45b9ab57ad67d43a135

SHA512
44af45fd91c0a7536400ef7074124aaa707aaa9558f8ff0c77ac9d30bc7eff83b7c0a214500b06f4b7af2deaacff1bf30b04adaf9e50d560baff1736e427ff2a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d43f518da2a6eb03256931c21f417515

SHA1
f8c14886a7b4cb8ddd4741cb9daa34186304ceef

SHA256
087c0687ae7a8bbe7fd6ec16e6860e3e5b6ec7bb88a29013da2b1835f575c0d6

SHA512
ce0492fd04a819cd3cb7fb6b368486938681b96c758860ac3f02aec3eb4b34c09b915b5184380a456129e3d68a78fd7abb259a6a76266a2410af4ef46766f058

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
992e808135de38c0df436dbdbf2ef8bc

SHA1
7458785cf859ddff1ef352fc775f4ead0def37de

SHA256
1a5a52563494b6983c9197a7b961e6a6c1ff3de06b46bdbe61a7857637857200

SHA512
7119f41bce5bf0043e1c131d0a2685a5688289c8e519cf6a98536473070b63b18f11de821ea31659a3158a9f89adf897bdc811732a2cf2234fad4155a2690413

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0066a0cc228682d5c430bf141ed11340

SHA1
1f5a3265cae899ff18210c3a73938dfd5ac8c831

SHA256
4354ea5aed728f59218926dbf43f7979afc351bd44cb528c983da8f2817e059b

SHA512
8dfc575a152fd244abdcd7c2007c3c6b1d8dd008fb7d2372c31eb6f58144a00ffe355ac47ab939dccb52fcd0e69ed074ad24e0fb0a802567ee7c47ebece36f7f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1f5eb9f618c88a3c26489bed6a8e4a5e

SHA1
19c9de680084befbdb12e2a0e12d5a1104eebedf

SHA256
fff0e155cca347c6aebe1d02de80a3852490478f85fea33b7f964a5c8e08bf7f

SHA512
d5f2515e1499daacd1bd800186e5d922126a0fd5e01e045a1e1cf56713be7faccc810c26a99362a4098da51ea4531d515560b75219614ec4986ca5006ebbe3c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ace1d50842e048d88bd297606507f84d

SHA1
c81a0a9d0e1daf1feedd3de0dba9cda63f9659ee

SHA256
96c1959e066c247dfd1670a614f9b4249150c0b615d38220d2749046dc19fd0d

SHA512
6f1863de9b51d6cdd149da74a29a0d2140ccc3513b2ae72c6c59fc1d618977b686c8847ca64c10b90b98e98f6a815633fb4f24290c87ed6448eac552951da355

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b4bf06e779b1fe8caf22d6ffd3a67179

SHA1
7157db3486154575f4adccd5a4addbfd1cb51b79

SHA256
592df1f5e44e6e06586dec3fdba1bd59d523d6163a26db3f8a286b5bfb54b863

SHA512
0d706958864692d9d0b6359070a4ee33e46f1a0ca3cafd7514b66dc420a03b9ce867058e4acb42024d084c5323585334a3cdba4fc0d1d60b5561c0f76fd2c5a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
78562389316003bbd355429e64668928

SHA1
26dde328c0df850cd9f6a62f4235176183e973a4

SHA256
ed49d2b7e433d53d8cf268cadd8812e50f5f2b193a757a037d85a12cea4a11e8

SHA512
f98a9ffbcaa98e012c14b578287109a31d9281966626f6abf8e088cc3a7c6c7dd4a40ba3d46d23281ec787c3c80bef1500a0f85a12f7736c14ddcf65aedad6b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1af524cc46051a30d4d02378db31832c

SHA1
8833bbef8166df2a3438b65fd87fe0842f705e17

SHA256
99fc9e38f1f5b170658de388b34899a50aa33b561ba725cd306307ad6c10e598

SHA512
d40373570c13a4f646a5fb44781beed4b24f67097531bde91483d0ea761e23e63f727a8ab7e05d34b012e9c2f6f1f5208b471fc0e0e3ac0cceb00bbf2f412235

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ec4c00dca182b9ae324c2e2985479e28

SHA1
4988267466d94cd66e0716286ba41941648cc8a8

SHA256
c2c7ec179ccc71d19fada2040aabec3f8dafd532018a894f9afa1ce1a43cd98b

SHA512
6495727b26b30c55559ec4287ef58c58d31182372322e5442728e7347635749c25a26b921ea395e81654af4cfd57f9838c59566d9480870b07b4576905f0e1ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1567be19e577f753de208f3ff3b6c289

SHA1
2b71f47e426940dbd1fe58b51368f3d44590d050

SHA256
391cfaf82a8d94b16b6175f2885c4632154705eedd1698c7c62ca0fe0c462356

SHA512
4cc618018d825ca48076da23dbbf6dd4ad2601bf34d36203298906bb54624c7ee76bbc296c0e7305a46eb9ae5fe88f8be6a8ad8f2326458252eabae63ce29e94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
547343333673348814403ff9bf6fc48e

SHA1
62e1aed03fab483cecd6424cb7703b45bd8b2f00

SHA256
da0054e60e2789f8d16493e02595065172243df618076b3bc49f4d88f91993b2

SHA512
85f3559cff8fc8dc6ac3d8766e9ae2fc0fa3fbc7b307a17cdd71ac5cafa13e26455a2d2f6bc7bc8c5ee17453f44b99782f5aef831ce40d6bcee21bdfd7772677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b83515c5b775ce72c967ea53202d0be0

SHA1
1ab2ee841dc57be3b492a97b502d7c83e8a8966c

SHA256
3fbc3a66c9ceadf84b2dcf61490f192f1e283823b2eeb35eb1468ff876c219af

SHA512
9ca20e416adf64d7f0e44f2ad00d61d9df512e4273bcf38f60df6c1a09de8b51821d7a7d9e75ef70967e5b52064d1e5809565021a8bd63416d313c49913de999

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fbe87e9e19b9b5f8bf5582ae490460d4

SHA1
ebf7ea3ad5fb5a28f218c6388dc15a2fcb0d9cef

SHA256
e2d21e5f1b7fadd3fed6cee94451f98cf79672f74a13e9e12a4941c2fe319ff8

SHA512
077edb08d540bc54cb98df6043b886f8fdc0ce7673bea0f390ab0eaff7fbf75979c0db5b164d8204d80d7e581ca198d82dabaf5eb2de8b0a3bb6821ac95f483d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7910c3ca06fbd5303cfded16b2f056a4

SHA1
3a2583c6e59680b0b5676b91a8293c1aa27a6eff

SHA256
75d6cb2212fc9f0443c5350bf18ac6ad99340b5f7ef2aef644da796fd9f06e64

SHA512
d3881b8c2b3ee5615c5f5ea34548370b4326059a0a9fcc113c72a792f80e6b218d6b9d4cce33c251aa0ade0ab4017cc3c7d9554b2946bea6f16ffb38b64c0537

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6babc94ccdcf51d81f6c15533e2c2567

SHA1
a7eb44fddd9c6c400d49f8914cf6b1b0b8656331

SHA256
6aeb32fd02eadc6dad05c6d18a7542c830127a59629c04492632e544280aebc4

SHA512
38dd8596dc5e50bc426a64834fb51cc5eac7dd0e32fe78ea1911a31e47df61a869d586bcb8057992cc5014fa0ad159c9a22580fce85979e07b6f85354d194200

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8a65b6d3ce5f78b798384fffa1fe5156

SHA1
2aa338e111e57b0e0919cd3985697ed8c896439e

SHA256
8203ae7b094b9e0540575985d6031c617c66261c476ed4042f0f34da38712920

SHA512
2ad4c6dd3a39ec8f38359761bc7f9d15703ad4c90e27b97a32bf024323b3bd13310d232ae0555a4e5735f8123d7a6b2fe78daa5d0ea777c0c18d156c23ef3677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b24a771f66b45b3aacf8b85190d1a7ba

SHA1
fa3bbc2dc95d5ab8ba6edcae9e7d17d8aff000b9

SHA256
c2859920ac7b2c5aebf373d47d69317352a6d8dff7ad8186347ee81f2ba46f4b

SHA512
56ce6d17c212fb16fb306f3c7e3de9aab7d050d26d29ec82dd7fa3a27f3a636254f4f242872482691c0ca5077b87123acba98fc275eaa466a618dc073b5e6f38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1ed097a0d78df2a829d102ee89ac5a37

SHA1
66cb9ad2d446d7133153c27eb5861e3f36a18d96

SHA256
10b94b4b18378ac2cc3ad8b2e5be98bfdee65d19f60db38cfbdcf7740d98c228

SHA512
b04b90c15bbe11478be4b20caf7858b670977d3ebcc1718e4cb5a049109df42bc963d96eb96e01b878a351b19dbb07d3da809aa00f26256e6db008c74270682f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
4ec40ebf63a336ae2dd1e30c44d0cfcc

SHA1
a0e1cc39c03ed872847ffc6b78ed983401481410

SHA256
e3375ecdedee23ed90cf32090d1d472cc4ba01da1966f49af42a82805394e715

SHA512
922ebe58095abe691f91ba745ada55ad30b489caa252a198cd4662bf92e67cc4d3dc2b7d502498bcde9351e57425fab81f70c454ea636c5731b3bb8047e1b47c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
60e40caa8897c78a43372c24b0380363

SHA1
1c6a98a7b9da8e87ac1c01dfb410152d7e05a9ed

SHA256
fede972f4579c463908c3342c7851a56843bfb37885db9409351a70b9375cf8d

SHA512
392437a7a8d268d18b283120d8edc5b7177f958f6d65a6300dd612eb4be6159e2d534f3ebcd59e063e691ff29f379189439b1afb88e0729af2255b918ffc105f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
850c0bd4f5da658fb07bb8eb83963e5c

SHA1
11407beb6e0a9321886d7652044c4298eb9eae4b

SHA256
0333b7ef18c102017cc2db3a3f1756c823db1e79fe1632510c840b95fd088074

SHA512
b29dc4ac6a8defd4171cb90f97c3cf49b33b9e0898b4b9766e81bf4d438c33a2f07265f5830608d5ed59d7fcd5906bfdeec7d754f1133f972a10a1ff08247f8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e2d3be57eec49e24deaa1d72f0ab1a0e

SHA1
b7fac07e1ab06f1e71ce442873da8dd7b93756af

SHA256
25fd552130f025855914725ea77f4414ec5bd3947839c5d32e4831b4659c9686

SHA512
71e62df4356cb0c76c69a5d8af0e33c9f86150eb1567583a00ca117cffa6d8c045467f3352f5916a130f639b5038ec0c3a78e34ea3869e72e68d2798a1abc658

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4045ceeb0581b3a199ad65dc0204b0a8

SHA1
ba58b5345d7f4fad0f970070e37ff75c038c6789

SHA256
045f23de36397ce544311060c9a8029eecc2e0ce9f492e9133e9c06466ebaf5e

SHA512
9237f2014c1816e6e8f23b1cd5bf778a31bd2071ce2606d15067711e2417e9e1de00f99f6534632e7a070b5a3943b39ac94a4774ba9cddbf522dbe5ce60a885c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0c0def1167ddb427f4de0759654290d8

SHA1
efea985c5539d2a035ed58e6064d28b6a9338dc4

SHA256
44f0effb6bac5e72d5362fa9f0fe3e6027306e0edc3cafeecc745597d3b953c6

SHA512
ad50fd8fde85935a6c9a5c7c98edf200c822dff7ae48e6e81abb503c24fe6590926c6ab581b2de591e71e95c6b523966ba78176ebb74f1cfe4be9b4a354de184

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d23dfb59ff5a6dbad1d11fa250ba3597

SHA1
9912c70e420601a9efecab0026114271821731b3

SHA256
bd1e8027f785277f64edb336478b8b5b67608cabe14fe7276703628e02f1b843

SHA512
39e03e8ca3c67f2a123bc29e910c5484389cce28d2c445e227d901afd0d344e5efb58d113b23f85ecace9c87c1d7dd59863ddcc70d4ae68bc63fb907b60f294f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7db79dfb277070d4350eeb9efdc40613

SHA1
7719551ecc4c6bf7f1f7a7c05f6c710f9b55ca8e

SHA256
d88c81eb2087812174677fd8998ede0a22d7e636fafbbd9b8f6a8b0108aa52dd

SHA512
e757b40d1dda0fe14594842510475019ecb8f82bbf85db4d7b8cdfa16a14f6495a62a9474ce63ac9802b67f5a4b939afec2ca091fef581a3e0e7b43d7412edc9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b9d9eb18eab6a075720643b967336879

SHA1
3c70fda86c0145e20fa56b0aab87850b9d23be6d

SHA256
5c15ae90e5518fd7c3dbaf9a0bc7a90db8dff69a3a8e792cd9877d95476ad70c

SHA512
67f7ca1b53e759baf69979fdc3b1cc21d215f9048984c902a727636c655a3efb6141c8eafc2d60d20dfa8cb276deee78cefdca0fffb4f4dda032b8ef0e9939aa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0ff6540c5ffcdf93c6eeca31237cd5b9

SHA1
be702f74c34e9ce8d587af9785cd5a3424e5245b

SHA256
76c64b2ad058d4fbd20be548934885a4309f128aadfa6956820845245da69fea

SHA512
d2f3097a5560bd4a7483fd49bbba1de7886d78bebd77fd460422fbd859e9e27928c511de9416ab906459242b435ba7bc2b9ad505d57740ad62a3458ba4eff7c2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4517a84b3e391afae6b61464f4cc3905

SHA1
8c98592635530800de254438258c529c39afa9f6

SHA256
3ae8f56550edd65085369af92d31768fca40616dab8eb5378b5d71f3d80a5c32

SHA512
213ea08daaaf2e34a884acfb0bcb429ab76f452ceb60c98bd7f9ab351371f095c22f8e5f7e466c92b4a779dfc116d27195b8d843e75b6fe75ce69afa71f7ced1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c1078df298b79f2a1d7a65af311faafe

SHA1
37d031bb2e78340ae70e7266cb0d851b826f6d33

SHA256
2b2cf8100681120d61c9d33f27a02712c97e02efb5a09451a59d2bcae137f71e

SHA512
9afb09db077e83ffc394dfd33f472cffb6b6aa9b52e44c2a4e9faccbee175cf76a90e3ce352db96617ceb9bf5206f3b0095ac0a41dc2323d7b11f43e36c0c0f8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d61b79cf72857ac7605ff9d586e8a09a

SHA1
b3074629c2a90ba61ea46e0dee0ac35c2942fcb1

SHA256
8707d9b5dc6ecebc7cfb8d6701f8a381e7238bfe8446a965832fb18feaaf214e

SHA512
f90b5322238a954d354af8ce36182459018722eb8033ff29a6693fbe6ff1a5cf09442d440e626c1207c476a0872b3277981289db3e450fcbb6bf71453bb974a5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4c09a737f065ffb275fe7a7290d563ce

SHA1
68c3dc6ce784a4725a3df4064183bcc9adfbbac5

SHA256
b679d6aa3b9ea4248c9393238134fa6e54caaa585b79b35a463aa49a9c9ca64a

SHA512
6dc32e709f6767dc9db01efb843260121d7571b2c2d35a2452b8cd376b31625ffabdbda51308f738109643f77aaa6eb08297f8af7800e23fe5754b2bf4511014

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4e374282c5fedbc59749f0eff9a17290

SHA1
6ffd6346a88cbc6d7ced5d27329af54084651561

SHA256
daa157259bea0d3f3e9d0fafb027d340f335c379c691b3f9f78913e154fc1221

SHA512
c2a92f8e5c7b1114ebe72ca2aa46d34d4aa85729c94fe158296cebde34f53a0796731e64fbe1ed5f2830ff6e2799724f07706aba207a13f828cc13694fee26a3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c99ac97cf141e852b4f9a93508cd6368

SHA1
c22bed1184814b720054901ded638ae451fe5c77

SHA256
f69835f768beb297eb8efcb6cc6eed68cd21c92f63cdf31732d001373afd4cdd

SHA512
ad3eff28f3706c13b3c65fde9f4c50fda6a761b897dba549202efb2f9807ee2f9f8df76d1edb09c727030a95625954b9bb4ee58fca8563b1ee7a40e188bde7cb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b6cbc4203e84883b51679021d0a6fa53

SHA1
87729a0be59e6df11d0900e45c074bdff7e1d6e1

SHA256
0b62c6c17d3130ca9fb7956bd7593ca626057e01659e6248a24df2005820b95a

SHA512
dae4d4a79c4e211ec696c616c9b5eba269880a40d33269024ce814d165326869bf2c1f628b593107f5f5295b2865e196f78c1945c6f42a2c434b6e787a81f162

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
13790645c0aa7f425e9f91f2b633a04f

SHA1
8a3d7a61660743cc54a10eda53380d8ca36a52d7

SHA256
77b8866a96f767c836e005d8d5103b2e27da3905034f0e48502b7c438a7dd6af

SHA512
32321fb307ed6bf1159629b6d03779dcf4c06240b9b4967fc9dd566798ecf97ba7b2e420682d3b64f69f713119c97dcd44d3ddfd40408d7507ba33341e97aa2c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
20cb854c47622f9bf13cdd9573088a51

SHA1
463c510a8024463fd939acfb3c35207e27d477a1

SHA256
3a8f2eda484fb49e4f05fa9f288764342adff79f7f81849883311f30c1648061

SHA512
8e48b2f87281e33beea909e3c5d6f54dad566d4888f6dae60ec482cf5ea0700ebf47c7b03d5fa88ef76f29eacb6aeef1ec3b2710c479b73c231b09d95921f2dc

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9059178df39dc581cdac5d1957e74115

SHA1
c5177f7137362603db5ec63a26f5e3f14ed9d223

SHA256
7b0a1acce334f9f4c2ab30420eab5ffefef61e5c6d41f32191c5d22adfefa21d

SHA512
a0b35167a7f43057be5838abcf6b19b831335b3aae17a0bc34ea32d8b585e38bd096efcae6b3fe466eae785e5bd07276239de56788dd478e8f888fcff673b561

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d63a270b23b1027b2b236c4f6f6a0827

SHA1
2576b8086170d907422834d22121f8ac083a7eef

SHA256
f19587dc9f13288228e99424af99e54863a6d83554ae12cae253bcc6ee3fa0a4

SHA512
bdd6beb48178963c3064b3c0e4aa0e8eed56b66900bd3d8b938e43cc8ebfbf65b14bfbe6c0fa48cfc008f2662d33bad8c5c15ff3ccc86f4dc033ef8c9db990ec

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
48cf18e45f86e338250b04eb3a2d5335

SHA1
97d3c71aacbdf5a57a0ad8c7091c6490752bd5d5

SHA256
e6906bfe79dfe2327206fdbe43c9f82f3737c02397c346385f554d638d93a3f3

SHA512
c75c2beb440409a332022161e5b0b8f2b1dfbe6797d4b9592bce0a2435f0ffd6d1d59a49d148d8087b69a2d072c52864101becb031f68eadea533c9141449387

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f04196e6e26c77ed142a0515464a67c4

SHA1
706c3cfdfb3f7a38142107a8106e6e8663a9d0ca

SHA256
5a30024a1d428df605cba457f1071d4c213a8609c42011b4fc399345107e42d1

SHA512
09f26d66c7e663a906725444b90900fb7ea00196cdb3655bff60150ffe172a7f1320e8194894adf80098c39efbefcc057366e6be15215b0a0d76d59aa9afd6e2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
33a5ae0b896a7bb2e89e954a175667f4

SHA1
536f6fc6c0c888459a3523f0862e169028bee6fc

SHA256
e8d3523e4386d8fde801837cc5c436b92aef15080a375c1b96457dab978fe357

SHA512
dba3f3349cca5f3aaaeda578dec99064a3618cde4f5dbbb1a73ec36adbfa3aef4140689bdbd564718dfa6dcdb05f4c8a3130bb13cbc0334474d05d85db3862fd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ddf8460362a9aad1abeefedec460612c

SHA1
7cc312014151d32f154fbb6c6bc770ca54612902

SHA256
df98046b9eb7a909f3f37de233d59348428d79bec602bdc29fa2726a712550cb

SHA512
79ff6e272f1eee6dace4ab9a2982b1b7fcc5640a061b8f6ba3d574135993fadaf3d2db14799c6c61a3a79c39b950b68802d52381459f93d5bd737c51e88c3205

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
56eb60c76d270410e7dffb9e863d1e1d

SHA1
8beec1726661f775abe6ce82f9fcd0a99f82deee

SHA256
ec2b87001ee36a397a948ba2ec3312e9e0a9ae2c19468328d66be1239a9ab5d6

SHA512
3b9af92dbfbbdbbbbc15770f4fd0c2391b7653a68f921f5eb21cfc28638fd1e7d461d16e9f35d385f26784594c008886d8b293adc9eadcd1c02a654ce7225608

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5668c24cfb9b7a675090fde159afaa74

SHA1
ccfdb605b0b3bb6a16d8497a7c24dcd901f0e848

SHA256
4636e3726706a5c2d2ce7e011f75b8664424f0643371432ac253459836c4c78f

SHA512
1bc52a625efbdbfee7e40662a3098ec0b84fb68f57d4c4edec0c28949e4a75e97f572599523c4c0ff406a9d4104e777787abe7e2b08824e68844cb9026b775f1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0740632fcec03d647a0acec54300a789

SHA1
ebe933da2ec804e80c17827f78d8692ce18a3ab0

SHA256
84a75794778291a02633611bed9f388d008d1ec0d51ce1e8985d5b74b8156c80

SHA512
140bde1adee59f0d1539a34494a2562894d780265fb9f62c01bd5f509cbcfc63e5bac737e86964494d87d1bf129a746adfd397bd252385f62928a3b75f835baa

Download Submit
memory/396-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/396-530-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/448-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/448-523-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/804-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/804-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1016-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1016-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1288-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1288-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1288-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1288-149-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1560-528-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1560-249-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1560-162-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2164-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2164-631-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2252-150-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2308-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2692-634-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2692-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3096-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3628-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3628-89-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3684-1-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/3684-99-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3684-466-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3684-8-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/3684-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4000-53-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4000-59-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4000-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4000-206-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4060-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4060-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4060-82-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4060-209-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4132-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4132-531-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-529-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4532-178-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4560-151-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4588-37-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4588-46-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4588-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4588-48-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4588-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4612-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4612-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4612-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4612-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4612-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4804-250-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4804-633-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5112-27-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5112-163-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5112-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5112-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download