5f58a48dffa45b640cc81adba56bc15b9d266a572af75f353cfdfe3c88ace962

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
Size

1.5MB
MD5

2e1ed415692c0b9f0f78f38ba225dc40
SHA1

46454f16d7e751855e4dc062d2092bcf056a8fe4
SHA256

5f58a48dffa45b640cc81adba56bc15b9d266a572af75f353cfdfe3c88ace962
SHA512

6ce6b3089575f7962bce12e1f06e863587e8105327c345d2efa223f868ec65f36226b3754af0111d0341bde43837d30cd8af07236e8d86f316bff7d9c71612a3
SSDEEP

12288:5kgUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:6gatr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2416	alg.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2164	fxssvc.exe
2456	elevation_service.exe
4616	elevation_service.exe
2784	maintenanceservice.exe
1864	msdtc.exe
3176	OSE.EXE
3100	PerceptionSimulationService.exe
3792	perfhost.exe
4348	locator.exe
2300	SensorDataService.exe
3264	snmptrap.exe
4404	spectrum.exe
540	ssh-agent.exe
3748	TieringEngineService.exe
4988	AgentService.exe
1916	vds.exe
4076	vssvc.exe
1568	wbengine.exe
1972	WmiApSrv.exe
1256	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\49859684d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080722b0307a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086d44c0307a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4f9720307a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087b76c0207a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025196f0207a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c8ae10207a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1168	2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
Token: SeAuditPrivilege	2164	fxssvc.exe
Token: SeRestorePrivilege	3748	TieringEngineService.exe
Token: SeManageVolumePrivilege	3748	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4988	AgentService.exe
Token: SeBackupPrivilege	4076	vssvc.exe
Token: SeRestorePrivilege	4076	vssvc.exe
Token: SeAuditPrivilege	4076	vssvc.exe
Token: SeBackupPrivilege	1568	wbengine.exe
Token: SeRestorePrivilege	1568	wbengine.exe
Token: SeSecurityPrivilege	1568	wbengine.exe
Token: 33	1256	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1256	SearchIndexer.exe
Token: SeDebugPrivilege	2416	alg.exe
Token: SeDebugPrivilege	2416	alg.exe
Token: SeDebugPrivilege	2416	alg.exe
Token: SeDebugPrivilege	2340	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3148	1256	SearchIndexer.exe	113
PID 1256 wrote to memory of 3148	1256	SearchIndexer.exe	113
PID 1256 wrote to memory of 3436	1256	SearchIndexer.exe	116
PID 1256 wrote to memory of 3436	1256	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e1ed415692c0b9f0f78f38ba225dc40_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5072

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1864

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3148
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1c0fa4e2a5f81a01ac9aea79ae1763df

SHA1
d9859ee2ab23b338bb39c45b42ae5d3c10f9072e

SHA256
2241135680478f61a3777b9cae174ac2b58eb26d5a0d2727189de51bd8dbe693

SHA512
1e9b7db09d8de7282b26ffdaca641cd2b02f60681dcfb4b343d5545894da3f82085776c0e82ecb44ec96e3fc84cc484bfb3bed84d1c568e23f8bdb6d98a35857

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
21dc4c50d183f7a3412d3befaad99471

SHA1
5e6e85907be6b827dd2b56a189f50ff9eeb35d73

SHA256
ecf89f666738b6a7e71c09b2dc2b28ec0d9a755c4f8a64afcf923596d24788cd

SHA512
54a7f6d07312b8b5ff7a144e742a456bd90b8054ae6917ecce8946e599dd82f17179657d67d5ec59767b0d9f662597b0180950ad7838afc9a76a72ea2c15ff7c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
9a7dbccf1635f988e1aee3fc61dc8e33

SHA1
f02c57b6033c945c36dd70e5cea08de060e80871

SHA256
36b977c1b4c65d6e80ac5805a5ccb85b4656b6517cd73e83aa9c24812dcc1ddb

SHA512
2fbfc3ac54920c9ca3eec25531d41606290c88829ca6a64acd8b95aa772866450044b1413b64097664b28c2244bf36b8eef3b931c4e76941716ad62211f9a0b0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7ea796d70d18f259a8b3e6d6162a282d

SHA1
13e60bf77255dca120261711b772f99cd71a11c7

SHA256
a1d844ceb0007f5cb8e6d4a7491c69da843a160871a070bce8f2c6282d1159f3

SHA512
bac58bf3e4028e996917f55730230da81a164c223a7afc364191fd28e5f332f990254475ca921fc673c91284fea2d5a113abfd84fb5df3aa2c4a9d63b38d38b3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
45944c7e8d3cf5b06fdcbcbb2beb8f9e

SHA1
2c0e2bb5189abe1561f486c41a7835cbd0839f44

SHA256
a88dd1413081fc3e4ab2f9349bf977c3cb3cf156fe6a66469b8c7f4fdf5e798d

SHA512
3913f363c97e59301ec1c9e0c145034b82b29c6753a8026f03c566ae49ce98ab9d776afee4e6e86a607973111ad0edb2fefd81c845db354f04d6823218c5895d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
ee3a2db8707250740dc3f5ebc19f4c2d

SHA1
9844c3f3ac2c0a548a4aaefcc3dafdab231e8d76

SHA256
718ce560a9567b4ef65a6aa3a31b7e5db120d93b4971b0e0517dd172ede9e68d

SHA512
62a7168e3e3e0e4c5d40dc39b10f3d12c5895e50a4f928e7af9a91d9a6689e7464664d7fcccc134fedcb99f078240012d234421ac768c1872a522fd5efdb9613

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
fa1575b7d7e8387aaa87a57681b1ba3f

SHA1
f0bec160b49dd50936bccc8e00fd55f52cb7522d

SHA256
952be5bb5e5131bd177d47d1824bd7b90261b2436cfae8a707f1e661218ff505

SHA512
891202b0cc8481a2cb457bdb3237e352fa8ec6206cfa141becaabe32a228b4245f618a325ecdf7a3a77dec537fe8e470fed5b445ad53c3dd7a6f1b5bcc2aa0e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e13bd40a782ac65856cf82bac9a2a9df

SHA1
f2217155333a680aab191c50733c52fa788aa37c

SHA256
645d39576974b83cb3d86256096abf5f274c309f756b6f587a32b61c9f90c815

SHA512
00fb0f9b3bbc5075f09e61e23823cca13702b6b938cc8f7f8a68639576850c0dfdb52f0a85485d32c4cf071b84a1bf5f173b67315aa2908bb3b8f6d6d57028ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
27b8df18e433a64cb068b8b5562c1d72

SHA1
d6f9dd033cc3ab296f8e8182ffcdf6d0cebf2896

SHA256
9c2c9e2caa4e8b0c744a53924cd8ac2b7ef636ca81ffcfde5d54e2278dc69b08

SHA512
c466e3353354fccaa7f66e17231af98348502117f6b2161f9709a08b8b582d61dafe2519e8ea7fc3cca03fb13777bfd3cbc498fd9ea7dd5d37a9462f416ec094

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
430a9fd9521362333db5c45594f06792

SHA1
15276a860d25fdc60dd7c7dabcceede00b707cdd

SHA256
bfb8b7765cc7f0f902eeef99261553ce6c57d50379ce059e8630fad6ebf1eb26

SHA512
1704e0456753b20130b2e94e46751d2b0342e9b072fb4ad6417e25e724e0a57353ad8398d729a87d5a4e321d01d2f9ee4c304b36492ad75d499cb7c0f60c90a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc42881a8ac05e7aac81da7c986e771e

SHA1
787380c642e8876ae40022320e2a6e728b4b4e3d

SHA256
a27e7f93572164aadb162a86a48b40e6e14bc34701ae5ab7b1f5f776268f0fe5

SHA512
0e0bd5386020dc7c579f418204e0e270ed6ff817066fad8c36e1bd4abc2c152c9b82ded87527b02aeb40debb2c58896cfb31dc5404f68ff7107c370d4a0bb3ff

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b9716b6e1a778589d9e891e01eef380c

SHA1
05cb93f422df5909f9d85156f872b3f12d56581a

SHA256
5e8eaaa07e517855e8832b8c4f7dc7300707d3a439ba761b85a209118fe8f571

SHA512
4747f29f357fbe821fe491eb760cbbd52a76fb1df8f1198c4e91e3cd94c0270589eba9e8721febcee8cb82c37b42f189068200bb48cf844934c831b95e55859f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
bcc5637b25291de12f7b0c5877a1dd9f

SHA1
ea8b4742ae841e915fc514038ffefb5b83b0934d

SHA256
1a7f467a8f19fa7adb1d2e857c0a2abf11d22da00fead6c2647fdfd08389bd9b

SHA512
8c70c4cef8a8d96584b85d3cd9c45b903303aa6f3ab51dbab3f3a9c4662e1037a584fde8eaa174aa28375ebe467492b621b592a8f255e2c58593e7c1e153a506

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
49c4fbf1a8b3ebd74dce1e6e18090c84

SHA1
89ed9662458e3d77353df09b02e25cb8330b35d9

SHA256
96a7f21e90f2caa2e9f771aae113a8afd84c059dc16426424169a247067686be

SHA512
925e076496ccb300b050d1d267d6786c8a1b806a7b616b8b40bd4e3d4fb431fc4ac53af3f26c27da25488666494db3b4622a16bfa677fff21b2aee06e6ad2832

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d677ae994d0aaf05ccc1963b773ff79e

SHA1
4e0902625e80abb770c8aabb77efa84da77a4a33

SHA256
84ff0474e74401f16cb83ff2de66f2d95e9c77aad080c813fa6a9bc5f58eda6e

SHA512
7ced751e14ea4d0e7699fc10a7f0ae5b92a4afa3e152b594f98b184c6e56072d628f953d627ce4105cd9e9c286f0e85bb67e7953fb3846d4e71e8622f90d74c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
37d4416770a5eaf879f5092abdc24410

SHA1
4ac028d1206a0ed9edcbe63d4fc52c9d0fd4cc2c

SHA256
108004b66a4955313543ae94843c913cc47126ad5db97d2a7ec9eb700cad9405

SHA512
bc76e8a71edea2083d07b616c92d4925534414020b2ca30747503fa5561f8464a0075d740c02aa2cc583d5a966b70c7bd893292669633e20b7715c6590002b59

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
aee974b99aae0a4523552201db03a810

SHA1
b6ca8d660906468745d45e62d6ed481aaa724019

SHA256
b4031c7c48b84b9b303cd6cbbf96972647987d808153d9e72633b3a8169b09d4

SHA512
4b9a84f5fa0c91d569514c3424dc1ef9e01d8e90b01f714757fd2c8c9d1609c4951f10e6df098ed6a7c6bc19237a6192b11146f05bb019dfb8bab0395313dc28

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6e0cc1aa99a35207d7e90e637377c882

SHA1
ef4c4b7f322cb502a058e74ffd709858532aef50

SHA256
0f597a4021cc3c03205339c59636bc571c671e3aaef34eb268720833c30ab516

SHA512
aeb5e2ec452753c2c4725f91216004bfb65ed2288cbcf2c06ffc97c1be4297b4b641971018c1331b42198e739b963ffb5e0d88f388baefe5bc21e286c0c2aa6a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d056d4a978debaa68bc44fb1b82a695d

SHA1
ca7fea1db613513731ecd5c6cdbaa0c087609084

SHA256
0e7191501e395e22f535304dd3381ac1bc8843f187b9f8afafff4b2b2c492d1c

SHA512
b185a77ee6c959e7bc058125aee2ad6f186781f1eb9a58101b018f0c2d99c4bc08ce996b52dec1af20a9eb76b297fc5e08e793126c753ab1e6bc3c21db20ae04

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
42c4c5fe3c2c5e973a554a5b94ae3089

SHA1
da0942750ae31e11bc7781beaa4111e24b26c638

SHA256
7772cfb26e3b96a06560642d6e72477a4f11ad305e12b953d3b21dd8e5d17897

SHA512
0ab0506b2ac2d874d539b6f5e49332a659e559f57ec2b9fcd9ce5fd7dae56d153d609b0b12c0b29ae4e478c931b3f7ca6aef879e40b0ca4f9c19f32158c6e711

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
9cb1f8011c5182b8db0267fed9834090

SHA1
b8063bd2027c2f5d20db96fc12e9cef5c3ab67d0

SHA256
c59a3e4bfeeea79dcf1a8efdc0b24c67a80fe4cc7d9e59eb13c72611c2fa2de1

SHA512
6d7e9e38a93444409d3d858f762d96f53a0c1a96311ea769e6aca798e3205fb9813cc56b1cdfb65673f687b94cf8e34664d19521b9983880eb96cf198f39e3da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
f8cb79d361ec4ec10d2f76d0646e6f63

SHA1
775f64f0db7747a4f95c3860142e4f1176716e6d

SHA256
2d4359343394e6cab37d46938f3e4e1f373972e1f7c45aad191e242bd950fdb7

SHA512
0204bdbbda1ed55c6f78030703b1c97ed56e72926e9914c8cebdaf1ebe2f1e16af909307ca32f1a702be8ca0788bb4a15750c99c752ddecb57d7a11ece621427

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
9c84b44ada83dcfc945ffa22ed6f0802

SHA1
47cf89ef9b0ec0f3118052140a6695ed7fa44ba3

SHA256
d2a3719ec4754e9656b94dd09ffb1e371b95e267d8f18ffa3aa8d4b4e0d5f5f0

SHA512
25adc77a5cb578fe17efcc409b1e8d923387a168b4574a0b60f27c0f1cde53b3956c6476f5e220ee0a07e64d94c54779d2e10969a4b481d929688a61d2d1607c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
630667c040055e7bd52c3ada3402b560

SHA1
a95385f6cdb4b2d3c59eefc85d2fb5be9436173f

SHA256
40531ae13cf48036802e5c8e5424a67387df2a66e4ba8adbe24c4c3a1bfe413f

SHA512
971cb91833dbc289ecfd1166c0e5dbb933b9fbfccfd019fdebfed16454a8e729d8c6f88b00da0026baa77edc4fe2421c3f1498391544eff8373460dfa3e33721

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
a30af1c5e36ec5bdc15e9fc6ef130552

SHA1
cc86784d5e2362b374a73fb16463a3f2a2c38a57

SHA256
2f76ad5ee013150feac286bc82a4823ef3c7e657101d1fd4fb9e7c60e6ecc038

SHA512
b54d3aec6a984613eddd45966ae0258e8d5a72c010118f09e03611453d8f256af947b01740b89c41e1e45f9465f2906ba0ccbdbe6bcbf441122f45d4186a4311

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
e43412358632828ebff8d423c2c54b7c

SHA1
cdca298a94f626703ec6d639ff4adf6934b15922

SHA256
afcb078550d635e118c5d146e3ecd6caf0a9dfed03737a04fdc04f32a6b882de

SHA512
489e58ce7c19a5696f73aa4c1760b27c877ce9d71d56da218117aded2c74d7f05f2d875006c3e17bbec104b3da5683f4242cd1eac7e3b76b616fc8f474a4924e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
d7d37e3ed8cd588f5f07be2c0f9d101e

SHA1
112d07202479358990f5470c1e3960bfb4589576

SHA256
f9dc69ba3d3c57e98ba987b01bf65560645e2db0ceaf3132603aa28c889897c9

SHA512
dd8b49938fcbe11aaf4ae3c3a53c4b9ec6d298446098129c088ed42f494705b84f2062dbe922fd06061049f31dfaff9b64e20adf4c8f3e403ccc722b829cfa5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
889d5ea00a81481e0b30a7ac5c897e4b

SHA1
b8caabdcc1ad8b0a96578935cff23bde5bed5079

SHA256
11ed7aea0de65b5493c24f042dd9736b92d8186f4a9ed39b9ed1da8433195f04

SHA512
03f1d1a5eb7c207d02a9df3a6569d180649bd8b46698e4ee40986e07d6f190c7954ba055be2b504a62bf6ae1c6610d0c54d2044ed1c9f1a0d2f91582855f7d66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
ce5d42d52e50d7f0b080a38958bebf39

SHA1
df03c4d2f312010f87a1ce3fecd6f9d837fd7b80

SHA256
13bf639b06d8e9a0db8a114cdb66391515265d54880f8fa8d0ae2f2c7132ea1e

SHA512
2b96b3d97120e12c3b0a8964e91d3f72316218b7a42c190725ff567e4de99ffa378020e53854a46cb81b96cb65ce3e35118ac93ecd166882578e594065108576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
0351fb494014f45b14e0bbf6747d2405

SHA1
06299d998d243e198f3161c310707801c2ad7d28

SHA256
9a35552d2ffad908dcec204078e78861fdaa851f66e55c8aebef2374350762bc

SHA512
2369941536069249c58ee63fa610140d41ec22e8e438fad6c1ed94d8746dcea65f2abc88f4be7fe3d4497e6b625031715817d6fb699f0c2f2edf124488eb72ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
4aede8940c5e76f65090920883252e4d

SHA1
6d2cc021735cf553bf518aea5ae50bd8d424a73b

SHA256
766defb69030f7586ec4da6fa841034257ef2e5ad30b623db850169af6f9ab81

SHA512
4cc07c9fbffa0ebe8a7c53ca6cd4f31d36eea9a3fc037f4fd1c8238a5cdb847543805deff130fd45b6955b3f039afa3c9ef1ef2ddfa7776e60b57da66ea9c1e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
64bc348ab103f8e5fa7340f08c8d725f

SHA1
439beb0ba4b51e2dd00abd815bfe989549a1e371

SHA256
34dff32358820d8d54fca49728b3e8bb8e0acd5334e3b42788d728f03405ba69

SHA512
0b56a89c34d2fa0873685f901dfc92207a17128dcaacdc9b5e9eacc048893bffd631bc70252b7bc60cbb103bd22c3ecdbe89b291de0820542cfe461af3df602b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
54c8edf4bb83f62d2857aaa758d0572b

SHA1
173d4022c009a5d5ed07ca9e2de394e0b5ee54f1

SHA256
b031718fb63d7073885be9384fd8823d1177deb53bdcd19b40c637b8784f4842

SHA512
bca7ba7b2a453136b5be3670955b3158af9afdc245e9dd78235720108b0b095f261a55374c689eb2f7b262004c765a5ec513fdf5b3e7d65ec9d8ea07b2452000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
3010db017d609be8efa7da4ef86d09e8

SHA1
b448f8ab894e2a4b55db20efa50d5df330c2ba89

SHA256
e9688f051a366c0a29ab25cf6056a395e508e81ec87c4498bddedc1bece15a68

SHA512
8820fd0a96b5433d69e0f20d5525cd5dbd0f0f2fed3c54e64d5d4b17964a8597cfc46356691f3b9f44da48c129b677efe61e9bc8a2a67ea73fa34723616b0180

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
022a497acb0b7c87c104f216d5cd7818

SHA1
0cca6815f1ae2dd0a60c16504fd0e1686d5b7342

SHA256
0d94e45426738f2078bf3130620dc13c22776cb10f73cfd93beb74677c31b530

SHA512
e2bd36adabe868baa7d58ad1f884ff81ae954a0517999048b2cc918af5b665bf5254d4e42369c3cc371b29e361ef2f19e1c9598efa8a3ea805c66489b2ccb2db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
307f41d2de90be566b6eaad8f5deba13

SHA1
75aba411eeb9d64f7e6088f8f524352ef692c056

SHA256
415f04b8ce2f3780d7037e5afcb2cd95851a576119eba251afcc76af30be4d7f

SHA512
b716b639415af68e1839861e8d6eadd0ba95b0776364d817d22d8e6fe6ebf80f1bbdd0922a2a9162c1a9a26a073750e02f2a983057a117282b8285b4edbdb6c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
038985762028ddda5929adee0fe8e0af

SHA1
959c72096e7dea2b76b220625be39e28d5013695

SHA256
408e91723e271e6ca6d9770f21609b5505fe3177368e475bd89e049eef9a1b17

SHA512
5341a6dfe21c83ecf835fc6af622592fadc61e86b8f96e1442f59cfc832310de800254fd14e9002ed98556c8ef49f81263a5fbce4d5d384f49327e890e8b3d04

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7869ed775158c1083f92b7f5a9dc27cd

SHA1
97361874d02b11213ccd5ad73bfa4128155dd8f7

SHA256
2eb7cf6d2db02473605c2b2d23b51f41412f3d919787f0cd193982d4a18d88fa

SHA512
453408cd21a32ac866a3fc1e4bf1f567c62fdeb386f52f8688f2901ec5c815c3e34d5d37526722a99162b7b78084af2005955aaa75e0b71ff16407394b4284eb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
0ae7dcb13affd535e8fbc150691477cd

SHA1
36963cb313789eb87322f627d0d2cbff10aa17c9

SHA256
ba183bae2030356bb6d315e700755c33b79fa557de23cae2cf59b24988562e36

SHA512
8399d186ffbf6e1c4cceddb7daf9f80798d7822032170f35d6882c798baf859332ede0a2054a34325e9e8f56ccedbbab49b267e9daee914784ffac30887978f2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
f7471b2cce79604d03c821636e058718

SHA1
bf04786c3780b97c8e201c757b59e1997dede03d

SHA256
51c6bb46463ef2f6ddd8bdfa1bed83a2d57a9733dc3713b95e7d63f5e6baac5e

SHA512
0e4261e99889631e412e8782b7cacfface736a4c56297beae84ff20ba160660bae074aaa579e63416f950f169a0221d973bdda9c38707acec39e912689a0a0d3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
18400c2d8e3c87f0bb1c0ec736fb0670

SHA1
56277759b9dcb34344eeb9d72397e24696c56d65

SHA256
9bc503297214c03e0acc673699968832693a809f230d42d885f119e9e74bbf89

SHA512
079062ada10023b43ffe00313d3115d107270e361b45ddccf722c8f8f0f60e95d6f3e02adc7daf9b28a8a9beab75a71bbf6b601912c94bc24fe675458ebe59e6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
25154b8283bf3a97f0d258d5b0b2f885

SHA1
0cdc591600baa28290c78b4c62d481d9d0b8ec19

SHA256
bae2d2b41ab737174842d3c12eb5a2e3f6553895346e289f7be07fa99278dbb6

SHA512
65699c86b393a41f366a33bf8832e4c8af874f9f4d4ca7f91ca380450e599ed15f8bc703d2c1deb390023d8c851d140198be0fc68a8081833f96c1db27b2cdf5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5de343c855cc7c008b2493a2ff9dc8da

SHA1
ccf06f274affe12a75ad27ae7543c40f8a7c7949

SHA256
b545b7b9b5d195ca5b6dcea0c20a52100b5562f15be2a0d02bb92e404db020a2

SHA512
2c601d1fc39d3acfed18f1081a8d4b8875360aa3436b08a358accad7f6e31409f2d1e44c1f9359f02014e24bbe085d19effc5cc851b28f7ed27088f8aee5be0b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
d82f0d86e02093262b99626b64d2751e

SHA1
dccf7d676a591f0d8e9893ce56b445b1c6c42ec0

SHA256
8a93806ca608dc34d105ab50ae091006c87ced7bd013a8897c8e8c7f7dfcfc1c

SHA512
d5ab8254ec8342c9d15e3e236622d1f926c430f24731dc26e293dd6341747ecb2298f5dd923f4a03b2b24aeb03cac8385ee39b2dc0179756383747b0a215f2f0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
6f0918ad715cc3c428cc9ed7c2ba4fa2

SHA1
0644f18b50583ac7543a39f2c732d0f325b33ff9

SHA256
839727e547c78309f0daa4f59481cce3629f52e111233c0c0d60221ea023b00b

SHA512
6c62c6a9b0af4670b730a19d5bd2c3c5e676acf72151dcee5fdcdc0e3dc393a0158aec3cc6b22b7cc3f3c77d71705d605f7961995f179341a7040153c1646fc2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
6ba1de1bbc114e70cda35973c36eda49

SHA1
bf55c2bc83fd2c8a16cf4899b18efce016bb0b42

SHA256
6da6147656a3e523f2ade6f33eee2afa226b7ec41ef9d3aa245f909106eb2aaa

SHA512
3948da77b310963651fd63b7f8c6c0fe453e56b66bc55b3da44e5253410a8cd3a55455da2a0ae214c97d6d3ab5514d3b3f89401cc17d532fcfa40fd50d810819

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5fd10184898b4b3d478c51da5c8c3b13

SHA1
662d96f7c8de120dbf4a40ce260c7a5f23759530

SHA256
ab8c466d501279b9f40d343d1008f6616b3813c7c31f013f18cfdac5c84a2b69

SHA512
6f1175a55403e13a94db8a7c8db436de3ec8658ff46ef6b114393309d40fe0b56d434f008c58c1111ad657fcb790aeb2e98012ae14f6f54ec7148a9aaaef3cd5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
817e459440a5585aeb7372950d2695b9

SHA1
627979a15aa279ba0c461cf4f4e796348c180335

SHA256
1fd13c955179c4151d7371544320b73083322b2b729a545fa7fdbcffe5abeeb9

SHA512
0d151a7136f0df5ef098bc571a84ccd6a8aba45ee13e7d7a3955a17f39ca8124802dbffd5a034baa8114c39542b8607135ef728eef6401ccac6c4d29c3ecb5d6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d4c93d82a837917a10a391a12c038374

SHA1
7128d83520e5746aa297f2d06633c9f504b3ebb5

SHA256
5a0628221a97491421498ef1eb6a7fdaacc58926757a022b1ef645fec1be72f0

SHA512
390d63d2ee4825a8b8e9a84dba2d8ebec64962781da0bab4e8facd1efd7789072e66444fd4030d0d9744293583aeae262bdcb50eddfc5adc7b077ff6676d00a9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
3c4bce5234925db297284cdcc66528b3

SHA1
45fff30ac6698c797276dcba39530ce052e2c614

SHA256
b89c7cc77b4356cdde48fba5f56c3de42cd215035b3c9f0966216a734d77a7b9

SHA512
3d5b20e4cb6f34d95ddaf47454642951367384d1244e3a6174c691c885462541f0a632d970ee82b018e28fd039d65ef800021431dfc27f870054983e282d93ad

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7451b1168428111f0258cc8b2cebeaac

SHA1
fe981237af16cd5657fc3f908d65d5a23e93342d

SHA256
76f4c4f7e84397a28e38123e9e7152866ac1d47686230cd35e8c9605783eda49

SHA512
901c43b151b9a4720ea56196583e1e0fcc014f0eef1931c3631c4bc184e741bcd96b3e39dfac11ca3bfbec729a6348b2ca353e0fb911dd16dbf51bc932c26b49

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
37e174b04f29df3cc800026f0c2d2f99

SHA1
0f7921ef3c3adadf072d1c9dc77e9b02c4cb4ac3

SHA256
3096121bcc31f0d66e4ea6108e5ec36272881d9fbf030f27f104039da6ed8e5e

SHA512
12413c35115ccf088b47cb5058d93f379a368a160bc9b68b7655d86188c2b36d83b450da31b262e11afbc9379c5ab0913213a683d6bd7188d5071a24821d5762

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
e6c8188b1b1166b4e38ee3d2d3305e57

SHA1
48779c74e68c38b17dbb843dadab40a84d508325

SHA256
4460704c4ef7e06b93e193aadc826b01600a78dd8b6dc1264dfb02ca6af3fd03

SHA512
f89ddbf195f1ae20098c472648494f2e96d7c34fb3400e19c26d312b87c1b2df730db535e50fb2feeb277ec4cfdcf9c73eeb76ff233bcf517614b88776f4e2a9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
0dad775a43ba92268945e48eaa0f328f

SHA1
68962e96103cd46030868119e828ca41dfd7a892

SHA256
19afa9c8e6709895006d9a7599f76e061f0e5d235d32164ee8c3a4ea02dfcfd2

SHA512
f7b8c2f999b2a12570f69a895436e9e18bb8e3b06d16d51930f9acd95ed6d8254c4bc5cedec5313b8ab692f66e047e53b0206a6e54025263a9d8188201285abd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dbb80516a53c6cbadcf192d67e1240a3

SHA1
ac85b7f9038e3ae9e865aa53dd70044808aa3982

SHA256
4f51225066990805c54ba70bbd6a4a6ed507738d5807356c42c532f258763f7a

SHA512
304080a42ab88d4a28fb8f20f9614f320cb10fcd3f86179e0e0db9d8c5add0b67c6e151a13de9ffa63c0931093650df8b8616c89af71696bbcf8401cb071dd7b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
15daa73bd717c11d9944a09a64ac28c1

SHA1
bd86cc467844e60a30ff4d8a838a68073db12471

SHA256
78856e942a072df46d31ee70f25c1ef81c599e3f204de24d530cfe044041a88d

SHA512
bf072d22f9343d649a7fc0af39a423efe3c9e716ff58e0efe48c8778a56de15b3996bbba976f8b87c814e66374ff93b2d9da743a4c20acf4f61ec2fd6692f14b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2630b7e7d03466a04accddba0ae76e2f

SHA1
6ff7fe484075d48ce17140da30cef2a51d16265b

SHA256
4942aaa7ca78054b321795db631fcc074216a8d322a8cd135e0c3fa390cc91d2

SHA512
1b9a58e7498eb930a11f590d1d409a283b238f7f1220338597425048559b0d6cfc23f60769e1a2c9521793387a0741ffc9bddd0205be112f0a73ff5f4a7d486d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4139e401454073d5c092c9b07cd2b2f0

SHA1
d3c1c2da873d86441c90ef15bc05d11febe3cba6

SHA256
a3f51e098956bea6ec18f06607068fd47dc3125ae1983da71771168297420153

SHA512
372dac9cda795fe802945de07fb980057248579192db81da66481ba0436adf3a36bbfaa27899b2ff9495d68a615078d06dbc8343343383f6bfb9ca8cea56a4cb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
1ebbc5965af37171ce18c7f2c4ca0673

SHA1
3f84f30ff36c25131165546177fda7b81c29ecfe

SHA256
8ec006c03cf4bb7abb2aefcd1dd25d2380e97432b8c5c682ceb95a57f4be9faf

SHA512
1545e0f50e9787036904fb55a6ae70573bfb5075d452271147961384f65b0cb9dd87a94078f7e2abafc3d46183c05064e4868ddd0acdfe8e7e061d0dc6f02ef3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
90500694345f6ce5d3f72ff251e5503c

SHA1
79ffa3b63454d519c21d00b466d04a9f4162ab74

SHA256
5c8fb63994f81460a6b16124e67e75d995970eed31f4421a71432c4d31da8856

SHA512
39179f3c70e49b055f4676a52842de58b94123bce02052dfdabc6b134b749cc097a8f15b2c7316040512e7a8aeb79fb73378c2da71f99615eeb48050c27b200d

Download Submit
memory/540-661-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/540-186-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1168-1-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download
memory/1168-0-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/1168-8-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download
memory/1168-383-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/1168-73-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/1256-685-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1256-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1568-683-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1568-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1864-97-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1864-87-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1916-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1916-679-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1972-260-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1972-684-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2164-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2164-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2164-48-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2164-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2164-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2300-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2300-516-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2300-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2340-121-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2340-33-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2340-31-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2340-32-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2340-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2416-12-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2416-13-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2416-103-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2416-19-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2456-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2456-56-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2456-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2456-50-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2784-74-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2784-80-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2784-95-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2784-84-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3100-124-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3100-226-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3176-223-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3176-112-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3264-505-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3264-153-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3748-678-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3748-197-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3792-246-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3792-127-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4076-682-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4076-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4348-130-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4348-258-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4404-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4404-513-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4616-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4616-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4616-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4616-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4988-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4988-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download