252ddfd386a2288bbbad003f1e6a2dd393a71e786690b5ddae914f11964b210e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
Size

648KB
MD5

322eb58e5c9c48cf81a7ec6d060c6de0
SHA1

ac3370eaa66e47438ef3b825673325d98a9f9e47
SHA256

252ddfd386a2288bbbad003f1e6a2dd393a71e786690b5ddae914f11964b210e
SHA512

6c9d7ae5621da541c5e1a99ec2750407ebe15a4e8333107ced892f1eac51e1a9ef58e47ab049940742614330dd3e5c98667a40cb485f75da4c215d58f2757096
SSDEEP

12288:Gqz2DWU9UMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:Hz2DWyatr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
984	alg.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
3776	fxssvc.exe
2692	elevation_service.exe
2016	elevation_service.exe
1840	maintenanceservice.exe
4456	msdtc.exe
1812	OSE.EXE
3940	PerceptionSimulationService.exe
2444	perfhost.exe
2952	locator.exe
5112	SensorDataService.exe
2412	snmptrap.exe
4672	spectrum.exe
1604	ssh-agent.exe
4336	TieringEngineService.exe
3928	AgentService.exe
3620	vds.exe
2824	vssvc.exe
3384	wbengine.exe
3948	WmiApSrv.exe
2232	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\96ce5d8293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083af21a109a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c3f36a209a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000caf88ca109a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d1043a109a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c29a4ca109a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe
2576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3076	322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
Token: SeAuditPrivilege	3776	fxssvc.exe
Token: SeRestorePrivilege	4336	TieringEngineService.exe
Token: SeManageVolumePrivilege	4336	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3928	AgentService.exe
Token: SeBackupPrivilege	2824	vssvc.exe
Token: SeRestorePrivilege	2824	vssvc.exe
Token: SeAuditPrivilege	2824	vssvc.exe
Token: SeBackupPrivilege	3384	wbengine.exe
Token: SeRestorePrivilege	3384	wbengine.exe
Token: SeSecurityPrivilege	3384	wbengine.exe
Token: 33	2232	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeDebugPrivilege	984	alg.exe
Token: SeDebugPrivilege	984	alg.exe
Token: SeDebugPrivilege	984	alg.exe
Token: SeDebugPrivilege	2576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 464	2232	SearchIndexer.exe	111
PID 2232 wrote to memory of 464	2232	SearchIndexer.exe	111
PID 2232 wrote to memory of 1976	2232	SearchIndexer.exe	112
PID 2232 wrote to memory of 1976	2232	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\322eb58e5c9c48cf81a7ec6d060c6de0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1148

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2016

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4456

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4280

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:464
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6e093db0d94de217d9a85f892d78fc17

SHA1
8d0ae856e9f2a1617e93e0f4ff18fea31d68cc6b

SHA256
50e2661aa1ad2bc39e86ca9c0994b3f6aa4a432141be517541747327bd40347d

SHA512
7264b30187071564744090ad1b4003b59a64e9540d603bd1b673ece51cbfb373bd9ecb617336e121176bf5a56560629cb15fdfd237360f53a82f833f6007ed90

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
607afc4acdee06208721429a6a7250f4

SHA1
726aee24e5af51f7924c534211c614d5e75a1c39

SHA256
8d08dce06aa4bdb805a6f6672415f450d101822bf8115116717216fb35085433

SHA512
e092fc091ad9631186147dd1daf331555478cc133289a269042fe341feffe2f0176e13e7eea29bcf905fa4110dbc3f6b81e6731bb9450683cc9002c19f403dce

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ed83ec654e295270226e7a7b965ce9d6

SHA1
b9000d366a0c46e8d64c3a24f5c732500f1897d6

SHA256
323ddccab6d955e390641499a52df8d0a0bd0a699bf4f9252bffcf944f31531a

SHA512
6ea36ec164c5de7dd5cf5413584b19d9050f3560897a3848a929c88a9ea2b894e6d6018c19152586856741f151ba89acb83b876fefc19686b5224353c66b9aff

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f21539ef1cf9ebd486c7234628da92c1

SHA1
d2d3c7598ddc158ae2c99f87becc5594f282977a

SHA256
cd855ee7f15ecdd63ae087332ba36be727e90c47b4f2610928357a746a513bd3

SHA512
3733df001b59cf344208f8e1f5e2a46c5071328e89e5c0277922710df35815fcf30645728abdcb55a7a99f937652d02abbe16c31c9e1e0ebf8dd2055439ebf6d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
285fd08c55e350834d246139eb96d4ab

SHA1
91b3d7da8c5a1ba3011f37ae9d3e8747585efe9b

SHA256
3556d563da1b1b3fff8340bedb46521467b2e45338923bb500b605390e88baf0

SHA512
9f1e7eee88e427927bb157b32ca3099bd1125624aa9970a4d7df7d5a4c7e9ab0b1562143660169dfc08e7ceaf85e269af831c8b4153cae63bf3174d81acce0ab

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0872b77f5e8885d59788dd338e6489a2

SHA1
1bea9dbd696cf0d6cd6fc95f7fa833b2c6630abb

SHA256
3ec9edb7e83c729b5a5b6a13904b8de1bf2fabcaa0970e3022c19e03b710515d

SHA512
6b86243fe9d81a3a402e7cff10a23c2165345438171956534c83537d46cfe65ff32144016c606ccfda862ca873d80e9db1705ae9bc0370fdd233c5b4ea1bb5f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8695e53687c3037e0e057284a31c4aa1

SHA1
f5629810640815ffd5f45a17cf676149955d99b0

SHA256
b58cd6341c1f3bc063e6d7aa303c17a152b8517c4b1f1986734988eb5bac159d

SHA512
df7c654676b8f1ce7b7ee7a72bb6481de435604d9870d9445b75d335259728d6153ef2a8c3a499a624e0dd745dbf55110d3e40b238637c3a4d9e66bd33ddeaca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
88ecfb67806badc30fa7dc4fb13e09c9

SHA1
be6adfcac61aa13afb6c9f4a3c0b3e4d7805ec50

SHA256
46da30dce08c45de97f73e8e15b974a2763debd0519d84183fedda34066ac8c6

SHA512
31a646ea99ab86d065857fb9bac8476a628ac4daa68221d722ccb5fb9d02bf2deff9d32c64e464bdaf16a0b4c8b6a399cd92cce0dfc4886febc3230886ef56d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fdc369a940f6666f826636d6bfdb7f80

SHA1
40344953c1a0333e41b8290a84491d2c8aa26286

SHA256
539df9c7e1cbe30df6d8f7ed22ef7484ba7ca007e21e5986184c6039cef29c35

SHA512
325c113769164ebfcc6fa05d16fc5b5deb4489dd02461e1db78ecffeb5de7cc50bfbfcdf75195cc28f5f0c483ce27f19bc33974915317641d7e6480d363d48bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e236b2028939882c1a7c3f9b9e659059

SHA1
679e3ab178e5f6b571998af4d4b154dc258bd0cc

SHA256
c2a8739b7744fe434242c870970ce6793ab6524417762e8e05421ba92a3cab13

SHA512
35d2cef0df66060443373cf007761a0e7cf3d29a002ead967549929ca86ed9aa9177bea443c4fb8189a1bbe1a8f079a9ee4444170307c0184a2dce9b75ed2f65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a9eb91fd73c1d38d42134b6eb912a345

SHA1
81584df5e61b83d1a7a4cd354d24bfe090f11995

SHA256
5b924cddbb84f1dcbfa5599adad1f116c16b31026c6f441f863ccd7f7fb5cfb2

SHA512
a85623b61929e3a6f5c5959cd3fea504e368cb270322de739c834e5fa2de409b5a606eb85b46e8d61517136b49c7b07852b7dc8303f9dbb56906ec4fe6bc5e7a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b7d43dbf629435a7689a4b38ec360d39

SHA1
9f2e1f3f3b4c4af93af1bb4fa516c3f384d2ba69

SHA256
afc5af29705e2daa8f15e01b071684a3e7af911f265d49b733f3f73c99318259

SHA512
3964184dca16f65edbcf0e4a3bccac0b64f464cf6d6dc6ca1c3feb596edbf4c00986fd7fbeebc0e4b99102c7520a4f04b4e9bcb56f2421d170daf5fc9c99bd82

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4d63ae0513e47f79efbc69a34bd177cb

SHA1
63d9ea9ec9efb0e37dc734c0b7eb92546b3ba41c

SHA256
c8a065dbebe148c8d549452c5bb05b1fa11ed4f7b6ccb079649d5b5205212196

SHA512
5aab1986cf63a346e567b74b5c48c0162326880c60fd41a1aeebce434481773d1690034e9655680fa87b4fbecbc7cca992605b4c5eb4ce4066ae74616ce51f93

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c3f02e9c7adfb5a8f09171593f0ee98f

SHA1
7ecc29e07582c1a988cc521a918a01b470be0af0

SHA256
20754669a71b38b771946c0c160c0a2bac53fde3e652f6b61e883889324751da

SHA512
2bb653bd0700fefe2f54d7e2a9cc958b0455f65f265d49316d08290aadeb141ef300b740ee19f9fafdafecdeeb17eb7ccf1d7eb86d2efea3e30175506f26ea9c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bf471d6a72d217035de1e51b7930c5e0

SHA1
64a4d8dd5bc7be20ce37733660a897c330d4d582

SHA256
93508fcc25a209ace531b73ed9249d09ffca8d1d7d9b22bcae905d4819dab815

SHA512
a91285ca017997ded2e489ac12fdd8494545fab8ab1fd5acd996bca431e68fee819a96704c0f017a90521021c6bcc764694a72437262a461aad157c65e4c2001

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
93163586e96c5d905f12e92657bb2dae

SHA1
afd43563f0b88c1d3d103941eb6326a63ea317a9

SHA256
dbcc4fac80f66e7a2f56a14c66457d5303cf47b0184fb160862862aaa09dcb1d

SHA512
f6a57117735516416dc650252872887d80c89d4cdbfe40f0c5e7683ffebf3878adc66a356332dd8a6d9ff9198c27f070e84040157c8060d24ab07bf2f142c393

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0074497ecec82dabad4b7e09e111d43c

SHA1
dbb5e6ef296ba9dfc6a41c8ecfd66c6791f8035c

SHA256
4486b7d3146cbd8c58f6364a9305ab8336e614395b87127b4d4291bbb863f619

SHA512
7e30bee23dcf77627c7486a0376e2862c1895a97cc04cd5b5cb0d3e08c418553a921455382c751ceb7c2c62e19a2523d867a05c404836b02deb71b40392a1e75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5ab4066955568d361fcda4d2ed764635

SHA1
651e4b17dfa9bb74e0df5fbce53dc629de2d4353

SHA256
ddeafbfa86633b668abfaaed0e608332a00a6ac46872774c79cb065eb120291d

SHA512
68b14c28b6f1bba4a74074472bc4496f73e03615e12b51d6053da0400e4d81ba991448084bf7ab62102e317998696d839dd89ef0dc844d752782f463c86fd6d2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e17652d88abdb5891f0fe4f20149ffc5

SHA1
18a2616fc88f7642762e8d7d0cb1e8497ef2694c

SHA256
cd722a25f901a01047b2f9128131d37a606901e796ca085c009d11ca0612614c

SHA512
86c526cb9cf02d26cbf0abaa598e23945a7612db6c0ba18640814cb1f1381028f34247b17699147af3a94fe26cc0b5cc6046b7a1a95452244a12af5cb44ff947

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2dfdaf15ed5861e57e946c231d5145b3

SHA1
58b67a1b26d0af2716c72dc1cbe90d6ac1da206a

SHA256
b83b4355f7cd0706545c344d99c3811c92b7014292c04d0da64d9555b0d86d3c

SHA512
8a7c5ef827729f1ed1d885be876619403e447a62cbdc1148a25b9d5e0f02107844d2960aaf0545ae1fb14173528e230bb930e84ecb423cdde0dbad827d3124ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c957cd42004b1148c5412b168b2fc78d

SHA1
790a9a04b40741932e159ab8129cd01dd663c01e

SHA256
d0d6cb6d2ea1f806f19949e92160295a5be0f6931c56dc1a7c0daae1da5e719a

SHA512
141d6ca3f6a2b9a5bf6ef466d1bcec6576a8c60cd3a5b13983f4f83bc77ac67906ae08b8b3a89f8f8ed52d1d1003989c355068cd57ff933008e7456cc19340b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5f65dd4466d64443375c7b659ff236d3

SHA1
b278504f1d5d5fc64dea5f0e2cfd496c2a1039cd

SHA256
a88949c31edfa521d6f7eeeecd89d62503f3b8af5d9cb64dd70f566174adea99

SHA512
43c3277cc8a0b5f3c44f3339227828cc56db5b86f4269cba1e2639b0e60b07924b72b5bc77850229cb94cb56f6ccb5f8e6453513f0e13d54c88bae4a05526dac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1acc6aec56c08771f489b86bfa8f038f

SHA1
cf852b50a6d741f3f545f8109381d83e3c4779e2

SHA256
4cc59b00ebe9cd916bef29bdd7a942eaa7ff9b3c8d2270669b91dcdb42e86a1a

SHA512
71e8ec0a4365bedaa84fef863908278ae403598ee8eb49117729e48a5e4caac3b59144c703053f537ee4da4a886d119e742b95d90aab01d4e89d1734f2989770

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3f265151c746f53147f43ad7747deb98

SHA1
5e1b1d1f54d7749688ec9d28f95dcadb36430e0c

SHA256
71fa232eccab2fbba561d2ed25908f00b1821de75f6feeb5c37fc8e0a90580bf

SHA512
c965ab6437a8c155fea7771e313b3777d244d0b03288bf46439e18610dd74dec15215c677c8e5031f457752bd0fc7ad93b0e1bea5f1c7a6b3a3310b8d62deded

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f139fb071ac45b97b23fb6046e362e38

SHA1
945f2d758ae7ea54391ccf84fb5247905bf2aed1

SHA256
fc626207120973bfce33eea0b06a28841cf015452d8d33b8961beedd6e8047fb

SHA512
79159d07d9f18be5dfac69bdbd06e73bb4404cb83cfb2d028b5f1cb40f1b82c9eaab521e89c6023e907c962918c0ecda52720d3bc20de7dc8a420cb25a6654fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c38bba6e724ff4182d8f466439a2b241

SHA1
c071d3f7ce58775042e28b2f9144d9c97cddc0bf

SHA256
0dff8ce5ea42be9655040c1d72d51046740c69729bcdad4877629f90de33c335

SHA512
6e7f6050acdd32eff5f073c55b1cb6d3b7f3949c91394d910296b8b2d3446ecff86cd8d4ba4c131ddee1029370b2f420e3bbb999edd79e82f62af7137d271020

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1d4bbf62ce07f805f8135764c46b1c33

SHA1
5b7c5a6fc9bb342ee85d57d492f99f00c61a11bd

SHA256
1726e66770706c9c13f7e99420c50a2784ee74fcb11a63814317d96b0bf20ae9

SHA512
2259dd913db127c5712017a73a12f70fac331f77052cff8e1e8b38adc77d1f1049864bba2a1089cfc900b3188adfe9d0c0d3c900deb1bd74295fa26a5ec33d1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4bf2077659032de1710d5cc90aef170e

SHA1
b102699e05e6fc062d4c4835f01db5f5655e235d

SHA256
8d79224b10fc121aa7ac5165729a57575c8e1b314ac47fff633e27fd0d97fbc7

SHA512
0a477f569cfd6beac63ccad948b35327de674608c05e5e9d03a7ee5947c69645d29cf235ca4e1eb2b0816fdc37073b9f6fc1c1fa1575fc098aa26f532c847a53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8d134023b91ba3a628ec806581789f55

SHA1
487ae237cb01dd04e48e3f9e4973c14e9d2a4b6f

SHA256
81b7f8fe3136b6e5bf2c10e4ac170dc9d999ed997a0366830cf112e5a9c13dc6

SHA512
dbc2a7bc6c47b9a55bca6ba435103467804cd2fb118a6cfe406f8b2de157f321c07d457eee5ee392af611e112946d6fb02ad646775c86be48d6228c5c93e75e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d6d1f8e0d476f3a6e92a1629247bbe58

SHA1
95d4b526253321ec06a90884bcef4864aa306ee7

SHA256
7a2a42000557dac352e7c3ef6738c7904984f8aa830cd1c593af1f7d0a97ca0f

SHA512
fc54d68178dcb161cb6c318bedf53641094a467f21d556662c9fd43c2f51805c0c5457c985a31f2966e3de29df6765a459c9b14c4123c418475a3c646542873a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c26f66256b65492c2abcf683ca95b68a

SHA1
46357c94c5be6514960a5753abc546e6b7c393a2

SHA256
98bec99b19990f03b665615a57dc7f20d9763a52232b41c4008135d7535f997e

SHA512
5c725c152c2fb80708b7c1f3575c7aeabe09691cdf22815185b441fd9f6e03182ccdc2d315188b509b488796e7e664e7d7c42d6732c374336d9a901d416aa887

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6434577c3ad149fbd98fd2fc35645210

SHA1
354e55f670814ffa7e8b2ab888016ee3c1bfd20b

SHA256
ef3e1faef51aa702e7919a20d92f9db5e02159f0c47dabf1580f88427a370904

SHA512
faeac0568f69e405ed2334d8317366fb8474d939555f54e5071b949549c3adbf822399c88f46e75fab7691798bf58d5107ac4f31806b3348db91f5a9b5f74616

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f05e2773698a1e16954f74f81ed34599

SHA1
edefa89445e1038c9e91e201d375791b0c5a2cd6

SHA256
e67b97be10161d6879e4798ea6c82a5ceb80360d14be22b5d9b90d10e99d02e8

SHA512
ce9eb19b306ebe2fa6728bd231029eed0f17bc314d8f1dc26b51c1e53cbe5f6a2a9ade9351d387e34789d911189b569361e40cc820bb878e88462ef8d1375c71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e9512a27bd423db28e9cb14789cc7c3a

SHA1
062a5c76ea2a3505403dc35cda8e966c16b6c8f4

SHA256
1e401ae9cdbb8f8ca6fe7a2f90e8a450755a52a1766992831f51894c79d44e9e

SHA512
77ba424b2c16f64328ae0fad45b966a1e4567ce74e6575a1adaec877b4e9f06a533b9a7bd1d1b77b97b4d95ed7286debb0090b84bf0a1a9aa0355b8c77cb2dfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a7fb6f239d89e06146cf0087c40f57ab

SHA1
fb6afa1d9cf3f5e2322273a95dccb2c14a28ca9f

SHA256
572398c6dd6a571b6d743ef0c4ee95f1f97ca55dd20f8a39f60eccf553af755d

SHA512
7a0b17b632fcc6ef5d25145bd640fa3661bb10701d6dee39fd7393236ceb4748b8017b06194cdd76bc9d26596870bb15754a76773ce26878e579f330c4f59bdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7db0c84835a01e4ab1e2b1016ed20dd3

SHA1
66b7e59cb6a5e23bd8db9fb74172aacd74feee31

SHA256
4952397ce5323e131cc13debb4c9afecb4eed01b9673ebeca53c30ca65c310f4

SHA512
c6b3363f863b6b3a2e403c269d433c80fd99d910052db7a05995935535332ac8c6bde13078b4169e9b1ecb039c22a0ad22f0de80803ece936bb46ca573ebed0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
1ba64760dbc6c63454b9457c6429b05e

SHA1
4de19747d8f5b6c4e57730423c6ebe73a7d16b4d

SHA256
66dd580635d081ef4ecd24b95e8923a00cd58d14a40c2f191849ae58143c20f6

SHA512
2b98e6630c67e18784ec220af967df0912d0d3965b50ac6cb54a07ebfe3a60368ccb819071333920e5e5b5ad430937592be374e112d9255514d0fadf1c58796f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a4cb3925dc13262e77291be3b3e146db

SHA1
0cab854203a851d4ad05045f2a5a1017e8342cc3

SHA256
42f8337f1c3b24d6ae870450fb0b1dc2d7513c79eb272abfca4b98651a30adc1

SHA512
2064174f2bf8d692be47a599c4b32fc0451f70ca10f86a59911b8a51c97a5d3f57a3e9d85815cdee75ebc9dff8349e8afefc502c78753934ad5b546b7f3b3116

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8e10b854e8c6d16f15dab1df7cb13089

SHA1
ce7f2833ba4d5914d2c124977e11d7ecc6ab67d4

SHA256
e4516d75806e623a22ffd4f40a298c206936f9f89c7ebb9c88add57cdca8549f

SHA512
327515625ba5cf8d4a41b3de4bd903a48a8d241542ea52b6748a1f19bc38192f5a5135ea6f60a0a82f100571faa2572f6ca7fb4261b783f7dd61449b0ea7ad58

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b64ef63203247f5b74a9d13373a4ddaa

SHA1
3cca8cbcb9a349fb745c32f2584df6c44a997fdb

SHA256
7a0e713ec0bf2770c997a35e0d99aeceb501d68b943b9804394fbb63e707e1a8

SHA512
c8dfce2460c9826f2a129962130105a4ecc6a86aba3833b78cb9fd72dbf9c580a908b607c667210f7f2e4ac3e5a44d72565f31b37acc4777ae4c8a9c86735fc5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1bce25891d35d5657df87662717a8f98

SHA1
228fb36a848fe1a37e9390b2c51e661d62a4c569

SHA256
7214ce25620b146152639535cda8907947984706f194414cf62285a0704b7954

SHA512
f90a38f0226bcac18ff315a656cd3f33bf633c352d5b7b4513d5ecdb2bbe2bd20cfa5d071c7cda1a3954cc2cca868efbab19491afa4380b19832ac95d85dfc99

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
42e8b905a8fa0b4b6ca3062c4d9b617d

SHA1
8ec36c8210e2a0f6e981249bd251eee7202a3223

SHA256
2b621cbc95cbef1d9fee5dc239c81bb275ea5ff4ad2be41373c38cf4158e9f45

SHA512
6cddc23f666f8fdfca8dc682e962fc458f5a2ef2ef8997e2cc1fe2e34f82fad3a524fb1e95bf1f40ec62b5b05ce02a0feeb7d32ae6e3a13fd88dfa7c595b24e8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
26679687a290b4936cf1098aa4a241b8

SHA1
eb62346bf5cdec9cda9ba19a5a418aae2d7d4f93

SHA256
4eaafce96f18d88e91b03e35b166f51489ed63a95342aadd1d1c658e2eae4eac

SHA512
f9a1d60ff2cbf8ecda4dfcbce6dddc9061152a90916c2f1ceeee863ee3fd4386558174986cba77a7868fc1ef43942607979b2b525164304b118146c7d4f52f8e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
42891ec21993406fb3a1e1b5be046f22

SHA1
3967ac7a955511e7f9331af254ce843a44318171

SHA256
8bf24f29529f552b7bba43fb55160f820c16749242458addbbdee1007e387cd0

SHA512
74f95cae8c45c3ae296598f38a2e63a4aaff41fbbb1495f012aba8635da507bef8aa1521b5ca5926017f44091db3ad0ef4db980754324091ec37d8de23ed1eb5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
29e69cdb9746ee927f787325328ad866

SHA1
38dc8758ef1938a0df3f54c0a2796d5dea212312

SHA256
ffd09353b99b0900338f515e4baa1851a24b2fa18da478da76e2364413347498

SHA512
f7cc0e5be1049ce3ecf41ae2d1205bee5b60c98777f1b6e8e1753fc79b92989727c400ae44dc472ecd949a210abf18c9afd442b48a47db057ac868c8856d4bc6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
307e73e75462a630c346c6ed73dc4a5d

SHA1
feb58bc5952d0012fcce619b78d83f266be7b7ac

SHA256
952a65adbdcfe0901e5ac0f9187b8c4e94daa93299efafcc2d23e8e9605e891d

SHA512
b302fe9bf2e10b7fdd38cc295380efb094570ded052795b9e6a5c29414cfa59d3ad4a666cb8f291ad48a7ed63f3af6444996a29734db9af298da1ec99991e0bc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
48a6949e2dee63562aa504c98aa5c2e4

SHA1
4c4d3c8f5ab64843171d55bd908089a512f5d4c3

SHA256
6ca5a41995b22f6c7f5460f65d24d4d53a441f6373a42a46f3db4a0a599fcf25

SHA512
93c73e4bcb25b8c09f7cc12e7de898597b65e453c0eebac466bfc49eff8b16df4a20557be66e265be29a304cd0830e609c1fa30e6397c9d561fd35c3292173a5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
01f38084a7066d4fb871b671b9aeef36

SHA1
ccd4d46ff3596b107611c87bf52403adfc611362

SHA256
434148eccb1031188b4b97df4e4f5f0a7e6340f15fd7ee80d6af3ee4bd209af4

SHA512
4a98fdfb1de6ede2cd1ce152189f5a06b0cd0ae1e1e2f6bf3892456c4b96cc84b7185d3de35b4ca003607f4164345082edd72282181ca2fc75bfe1d553d62c33

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9a6dd7179d509b83b360a039373fe21e

SHA1
81b5e886dda2bee98d7dddb2dbda03dacacc7238

SHA256
f92b4473843ded104df0477c56044305947cb6911c697aecdb6977298939275a

SHA512
01e27d12686d94cd9274023598fb311770e66c556c11a3f0e773480adba44cfebc44a21ee6760c4c7566923936a804f306d661e715c29f059ee1706f8b6ff6fb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c124cfe80a1bc274ce6146c87c1df0b9

SHA1
2e6182c4d2de60e550df9ed1b61332d3d7dfaa58

SHA256
51f774d7f59954b7b20740220534be62a0d28cad0509c59fcb7a3dbb1a6695d3

SHA512
9b0da5afb99e454c00a731fe61fff528fe634f26a3b53eb55f55c7112b1b74eacdfd0107737bcdd23edfa12cf913c856c3fd10450ebe3cfd7b219438edbe2be1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
556fc4970c1ad39e6bed0923bfef3186

SHA1
c436e8669a3e1a8e92cbbb973b803eadb3363e36

SHA256
a069bbd9b347bc7d09b5b8bf229d1b6e3fc6aeab79dfb9c72c80d465a802ee1b

SHA512
01d1df173d20b4c6e9de19a24f9ba4a845d6ae075e03693694597c0ce5e4e37b3bea41e7d8b2a54dbbfaaa411f6d5b1d4b5e488e57c17140948478ee88b57299

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6262bdec51a513537f2d2eef729a96e2

SHA1
5853c1453d3dfe008f55afe662f7701ceb9efb17

SHA256
f8f5c9195424cae47709f21bb5bce7e00b3f4ca5a32f2721af68a819572a2ba9

SHA512
a3157de13fc8a8ae5acf45120c4068e7851c2995de4a45dd39a239435786975cd015b7b1902d215ba304cfda296fb4804a9db939436cfb9f7d253cb4f8575ef8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9ac13f05aa269014ee86cce28f75afcf

SHA1
13acff37c2a6862221f8178704cf9c1295de338c

SHA256
5fb762c1c9b6cb6ec478a00b7a37dcef26927b2cd0dc8e5be2f6363374be8537

SHA512
0f9497aacb93b820270c6573a28d19902bea0d29ba793701b819cd56659f376251aad47dffb174ed4e397c78ddab6528c70db2f22871a6ba8a50a3adb79de465

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c53ba62d7c9ba6838e034d7ad114d1cd

SHA1
b98a0b95b57f4b570e683cdb8739ee50bc70d44f

SHA256
4b1028481c8959e51fb0700e1e6b9eeaaba7fdf65a6eb30e24a6b11b74e13897

SHA512
97a1322efa00e13dd8abd2abb0b5db4d182c3ead9c23777975c298a2c238b67941879b5683b3724c9b68641db38ec260dd957613e1c1b44ee591faf7ad41f087

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dc08e065aa414c316a1ee99fcb80ecc1

SHA1
82afa90eb14542b827e3b96bb5b3a3dfb5bca0a7

SHA256
6594cccf09aef9c112d239df247c4671a530c1ea68c180628f003096cd4fdaea

SHA512
62660d41aca9369ea813129f395b59566acbe61062e17dec42039dc002cce2e493796964d5c6dd6d80b2ba93ea5a85e797ea7294c7e652d64e40b53938747ce8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cccd66dc51d74ee7aeb903040bb5309d

SHA1
189821d5fc2a28ef8bcbd4e1d4a5a9c20c77772b

SHA256
a22d93408457df4ca3bfe5848a52d8a0b57969352ba08f6867158d0abf51097e

SHA512
c934991bfbb7fa6e287257111093097977e90db727acb5b396711c81c58f9857a2acb253638796afa0f4568fd43e817a812e8ce9f3c44715b514fb6c6cfc3f27

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
21ddbc9621f9f4cdd271814e996ab321

SHA1
f2c4c575b433b10d13cb2b9b9a5a68c8dfb5d97e

SHA256
7ba86d42cdcf45c2722f174ab96a009679bc367890d6c31c102651641a941185

SHA512
36a7c03dcf770eed24137dcfaab85afd4ab59d606d0a0aabf421d3707a766bb0f33a31eb2c15f29e76c51640d203ce493ac292312de7566780fc5da4059bc359

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eb5b32b433bb5c6162e13148b0af8a58

SHA1
1011bdfdfbe226dd6fd1e587d370e4d9a298eb7f

SHA256
68558fcb051f5b6ded217ef1ab2643ccfa90ac91c4a1e79fc894103d3e91dfb5

SHA512
81a1741b1e4cf9e56f1d2955a995ddd08356e03fe140a8eaa61732beb851befa0912fb94770fa534864aa25f62e6dd1dcd6b87e201f08831cb28ec8108037019

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
47f9d88d0f12d2c0a94ef181e1d656da

SHA1
8525ad0f696839556b407f68757cd9d9e41b64d2

SHA256
4a515c47db21674e198602f50e24e8587ffc231ec3a72a2acc7b56249f24cc80

SHA512
c54497dc338d5892855e99e8ed37abd0f913cb45fcb61290552dd7698b83a178283a6b7fee4debb8562f310dbb81897ce9a2f7c5d4645ea86b275b60a845405e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
952715239a58f6f0fb6f2680be3957af

SHA1
a00e39d063d0cef0b525e5cc736f160d91b74cd7

SHA256
44c128095459daf719871f008307a909a4b51c1b7f0b48311ba7ebcc4b227e49

SHA512
f9072fbccf9a8227fb903c705d5d1af65be54dd0f07a8400ad22c3e3d5784b72349ff0ca369620cfd16b86e5a4baaa4b27ec3c30814ec5598534699e23a0e450

Download Submit
memory/984-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/984-19-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/984-20-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/984-127-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/984-12-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1604-525-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1604-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1812-210-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1812-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1840-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1840-198-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1840-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1840-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1840-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2016-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2016-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2016-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2016-197-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2232-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2232-663-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2412-516-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2412-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2444-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2444-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2576-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2576-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2576-138-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2576-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2692-185-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2692-55-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2692-49-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2692-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2824-660-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2824-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2952-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2952-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3076-2-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/3076-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3076-474-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3076-475-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/3076-110-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3076-7-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/3384-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3384-661-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3620-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3620-657-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3776-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3776-62-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3776-46-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3776-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/3776-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3928-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3928-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3940-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3940-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3948-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3948-662-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4336-526-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4336-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4456-89-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4456-111-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4672-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4672-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5112-523-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5112-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5112-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download