4eee27cda6df1c3674647b3830726a2742c27a81e0e56dc96c3b65df35aa319d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
Size

1.2MB
MD5

efc1b784fd5c5534af59f28984e7e890
SHA1

7bb2d5037426d775e7cc8668671189eabd452a7a
SHA256

4eee27cda6df1c3674647b3830726a2742c27a81e0e56dc96c3b65df35aa319d
SHA512

964305d8f127d32ac65bf891845da7d3783fe06d1572af7dce3f600943958c765a91414f1bcd5dc4885ac5bf46fcf76b5278d2c0b84fcf7a77fe70e3b21df908
SSDEEP

12288:v2G+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:evMdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3120	alg.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
3500	fxssvc.exe
4616	elevation_service.exe
2996	elevation_service.exe
4056	maintenanceservice.exe
2636	msdtc.exe
1328	OSE.EXE
1116	PerceptionSimulationService.exe
3292	perfhost.exe
4764	locator.exe
3356	SensorDataService.exe
2556	snmptrap.exe
4392	spectrum.exe
4536	ssh-agent.exe
4232	TieringEngineService.exe
4100	AgentService.exe
3036	vds.exe
3484	vssvc.exe
3516	wbengine.exe
3640	WmiApSrv.exe
2640	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\533232ffc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf8c461e77a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9989a2077a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005890542177a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1bec02077a8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c2d092877a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f5edd2877a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048ff9c2877a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd11722077a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4284	DiagnosticsHub.StandardCollector.Service.exe
4616	elevation_service.exe
4616	elevation_service.exe
4616	elevation_service.exe
4616	elevation_service.exe
4616	elevation_service.exe
4616	elevation_service.exe
4616	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	624	efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
Token: SeAuditPrivilege	3500	fxssvc.exe
Token: SeRestorePrivilege	4232	TieringEngineService.exe
Token: SeManageVolumePrivilege	4232	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4100	AgentService.exe
Token: SeBackupPrivilege	3484	vssvc.exe
Token: SeRestorePrivilege	3484	vssvc.exe
Token: SeAuditPrivilege	3484	vssvc.exe
Token: SeBackupPrivilege	3516	wbengine.exe
Token: SeRestorePrivilege	3516	wbengine.exe
Token: SeSecurityPrivilege	3516	wbengine.exe
Token: 33	2640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeDebugPrivilege	4284	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4616	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3612	2640	SearchIndexer.exe	117
PID 2640 wrote to memory of 3612	2640	SearchIndexer.exe	117
PID 2640 wrote to memory of 4352	2640	SearchIndexer.exe	118
PID 2640 wrote to memory of 4352	2640	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\efc1b784fd5c5534af59f28984e7e890_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4764

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3356

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4576

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0db332aa6a05ede35cc144b89e4ffb92

SHA1
14481d63d34965b36c259f83509558e80a435a5a

SHA256
e2573c05c20ce94cfc73ab20420e8d52307e201d75dd646cd83957db2f617663

SHA512
9db61386904d20c3047f3941927bacfaaa77f05a71de62ef33779cb8669bede54586a81d3c6d8500520bf53fd554f0b341c911937adb214cfa7ac995cfa94b0d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ca6a4603b132cd61bf5351b6d823d294

SHA1
8cad257ccfa34a7ff79d16f9fec79b4e1b2ee4ad

SHA256
fb62889403bef725c825d194cb963d397af49b89db4fa84ff57441620afaf645

SHA512
5a9f898c4b65e7adc044e0c51c7b996cccb0a41e4ad008cd45e76465fef2d799ebabfe1cccd9d00660e2f8055565eceabd198eb84b096254704c0c4ef0c17a8d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8017cfba2ae5a706b294b91b24261eae

SHA1
07df2573e0fa2d3fe8c1d25116d2531afed89a1a

SHA256
31e3972d0c6443cf29655ca669c1a42f6373c2dd438efd0e295070997d2fe713

SHA512
0c2f553deafd7ee79a6d98459ef6e50bf009b9f533d45cf936130683543ce05f82486c7cd04e1924601613421ade23ded90fb8bf14ff9d9e17bf0e791def78e5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
86f3ec450f7abd2a9940e4cfb6929e41

SHA1
6339e27d589ccbb074b23f6ce244da2bc25facdc

SHA256
a993b2c9f165cc69efc8551939ad35d92d7fe25505169ac4e2b1a66e6f7585b0

SHA512
486f31559ae0b208bb1b860805c02a9c67e3905a4a5b3ac43352ded3cc31e4cd032461b6b82420198346dac50bfd708d35f5e857e4c0f99fcc27b2a29f71f3b9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
019171acebfa50ed9b2f56b47554911b

SHA1
2252c1c5827a9545363b7dd781896be971ac841e

SHA256
05384acf63fb1cd0c3a79cf4f53a91414ffff5638b4900fb2c3ccf4c2c4ae554

SHA512
f44e8420e333fedea4b9d5b6c6e3d3ef8c7ba41c2854eb9364e0d94b87f4a2935f6b482b910c22d685a45bb36be9901c23abc7e976892864d13560d636eb76f7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0ae02970398954f782fc84dd796e8696

SHA1
ce7cbff75fec28c4b5bf505551ad4831196ef054

SHA256
61dd2759f5490848543c0ce1a76d566e04190b0baa3bed9a8a8e73bee002f93b

SHA512
1bbd98113bf9833874fac7b6994f83a70d2215c04bd5203b6ac31e14e3412e69745f0682750f4b54ee058b2f92cfb2bffa1af0383be470e13d538679d709ae1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b2e85accff5a19594d4838a7a039171f

SHA1
0f0eb9c72796a5b2a8ec37f629b405861eb17557

SHA256
1c9ed14bf781a6f7f7d1a7f11a1e0b1a4554dd04766e6d7372f281eab3f9950f

SHA512
b5e28ae2f504a9feef9f7bf87f39185635dfb49fdfb95405fd2b0eb3d4d29230151a36282d42ba469bcc7e3200ab4febce41f3a37bdcdcec006b0b3bedf2db98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a0e8eeeabaeadc531b3e3e0225b2d5c8

SHA1
e2f2b17711e4f00a52b03f7632aaadb37a024301

SHA256
5c7481b50f0502e2d278ac07383515550fef48e7945fd3b2046e08dad74087b1

SHA512
a55afc84c3325ced32bc9f90f1cfb1fd3db8327fab815adcb487ca9910362d5a2833371ec08c895a4ad2fa5a99df0e976afb017f04a1a1f2d161a7c9844447e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8c4bc5a1dd830ba3a0768902b9c08aad

SHA1
05f3b1d18fb9fb8d8ac3425166821dcf47555ee9

SHA256
38a54c1f718ecebaec53097651a9af9b5ab26862a3d11c155031f5eb7055bff0

SHA512
9f742d8da05e0f09f0ee24fe5b072e5fc6ade6ad1813025f42fe8479fea74f37b5992c341c9153fc5f74288df7cf8af04e3a794f7e85a484a2696c0f45c803a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
43f23d301a08ca4066c76793f84bea52

SHA1
6010f105085bf70cf21e2b77722189cec44fc4c9

SHA256
a4db87c6dc77e943fbe565b7459edb2a12020362c6a7d605965359f1ccc9d832

SHA512
021be236fd5c6ebe470d5d50d38a825044a5eef21a3c344135bb3139b53cbf09edcf317553937bbdd341149c7ea8091acda67077041876bfd1776f170e353a28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ffd28f5260e3fc6d1a288f0114ffdc77

SHA1
dbf47d92e2bc6ffa3a8f74d2bbe365f1d7ad13e2

SHA256
57d2405a955b38e1f1b7a5de66f9135112220c29225cf30c42f608cd9223cb7b

SHA512
249151bf7770c07efee4cfeaa56cb141b675dd3b3438da089c1b32437db1e049729fc24cc96927552dcc90e85bd34f409e06e935d4af049c2f90dd9737cf0206

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
587837dd954bf020804cf0f6de9b6612

SHA1
b61182066349f9b6b5e06e6a290a6950c2d01ba4

SHA256
697ce0715f9a0ef695e826f673fa3a333abb1e64e27ad2edbddccdf479daed62

SHA512
bd67a981d3e5f58f8b467ed6a0408d7e67ddaf53ebdd505deae2b52b04d56188f16a9032f6b8b489d3e349a56247e3c98f4cd68e67ea5701b9444260b5150467

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0a4f9578f78e1173e6c04ba24144910c

SHA1
88cb12729fb9367e69b29e093ff3695c343a4e03

SHA256
3912c80a10ecf6f1e9df1a4b35c43df62a1a725fb2f6906075bae1d1262d50fb

SHA512
48b0cae63e91b17948ed979532bb3fbb2efa18869b207e506c7bbe35e744c87f31f73ea8554554ae921af16708c3a3d2f2b955a505b4a77d8bc34222120e7f8b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
97303a799831eafa9871f281bc74d945

SHA1
84fce9b229cce8bc168918972c92bf90159e31d9

SHA256
2382084fc2b3e675f8bb5eea5fb1be702d0eed163a787ebafef68cf965f2b03c

SHA512
702253f1b0ab4d6358b2fdd5e3aaedd58184ac100547db37e8ddc79e936a1143de8177364b364163b595da14908e5f9f86b0e32f5257db54913999857b6324fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4fcc43a250f7ad7adf27d48a521a3c04

SHA1
06f68032979e781254aae35aebd2e65fc2f403da

SHA256
583fda1103aefd493bfd76a917ebbd4bed19191c0a65761ad5003c76d5e6846a

SHA512
b9bd17f5132c9ff3c6edcd875158dfc78495186c38a159fa3d121b3af57bbc8ab010d4c98a5315d5cf05f775b81859036adbfa83e29125b52a5b3b0822ea6529

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d3111b8ee02e09d8192219cb1eb9b9d1

SHA1
b1e5c1e1ab7884b29bd43f5a6e0634424843d6ed

SHA256
ed9db910cce76155c3830818591f9f00df4ebaa35d6ea033529393a1ee18159e

SHA512
bc2fc432eb05e459e15715038b129a5d5c16309ff142e2bc7496f6cad3da985d0e3b73681036a50f64243e7c020c7edc0128d85111b01ceb59cf015be8f231a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fb8f84476c9898e13790fe425f36f6a4

SHA1
40d32418e42c41a5bca6560b4f81a2a876d91d5c

SHA256
75454c6ab39b10b987734c6a27a4e178f1f678a70e3571be0616c1c6808b5e42

SHA512
03de1a9b93162052115b987743dd76aa2bd4eb9942b3fadfd1f1998f114d1c90792db50c7cb6d0fc5faf0ed654f1749ab0b70f9b24a462bb92aa8003850534b8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bd441f163738176b73d6ecbf50eab845

SHA1
70d78846eb3154e33275885218b3db372c09e78b

SHA256
d4abea377ed4a438effe14d73c8222b9028a201f4947720ccbbd4a9c94d9eb22

SHA512
384715837e02ae7152b24b60c4b7c9f9f9caa99eeb5348bce68bdddbec392500fa27839fb015a6301de79782005aacb87e9eb0f82bb7595e12c23b1d2f5817dc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
14b19464610d4e8fd579950148cbb148

SHA1
6c5459ca470e35fde6918c367399caa5720c491f

SHA256
47c8b48a2f5c0804c3653bf14afe2e0a5b0a8edb31d1c510d725cce83e4e8b47

SHA512
c9997ffb2ce0b77ab07a9a32a69d5bd1de3ac0dac084d718670f41a210501437d00d18b0b217e9d672e1416a140fe2550175a4ee6619dd8c21b9df2b3ed0a63b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
dd59e0a4affee421b9e72465a947ed1b

SHA1
9c79520b05af79b47145d797a47754550beb807f

SHA256
7d9e7d5aafb98527831e81e3457907c85fcd5ffa72389f089cbbb4a3867cf587

SHA512
909b02d01e027d8aff8e86fdca582fd3f8a71b5f1b71377b8eab6f7aa69e47687506ae43a4868ad1433c4d7ec38ef3aa9bb2e0d091d009c6107318cdf6e66490

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9039ff9143c66e86287a75931a130b17

SHA1
50abfa5afc60ac82dd57cfb51d3d035c6b68085f

SHA256
ba97244d136bf2c922f632db4a76f27a515c7f5c1ef54d32b02dc558af5f27c5

SHA512
27ae324603f17137a7ce1ef8e4f90e248ec6d4309f82f8037e72f7122e5349e92f0349a19a492359729e28d1bd7552fe4fd45724442af7035a5226c9ebfce495

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3d0b66b1eaab1474b6d3767b7d123d32

SHA1
2f4d6e71080e3e6aff8653504154a06256875e33

SHA256
60b03bc0529af3a61c6168a107d6d22bd05b96a235ff8a83b792059659c7d05a

SHA512
9e9c3b904ddb77e3dc59e7b4a176bb8b4c7796af6bc9e7b7a0846650d3fd82e38d66a15aa1a35d70edbb4e18b32139582dd81a8f5bf6f136ad563bab14dfd63a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9b07db5bbea3736354acc5435c66277e

SHA1
a02a272771e389b2896c617e0ef56abdf34ce18d

SHA256
cca35da54d99f285fd715597f7e2bf75b406b0b469176fbc67edc66704a69e76

SHA512
cec4a9d9ca7108cf19b7350e12dd3d2280a02405e81269a744b2b9fafc0f4bc504d1fa3687f35cbfebb7e6d375f4ff047faa6a6e77dfd6f2104574e9486f761c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3331e10e8e50fa73ef66ce323ee0b85f

SHA1
122472a71d4faf0bc601028cb878919384af81c8

SHA256
cfd761242a4d71465dd0387248604ff9bdc3dd5649f16377a12c33d1b838c5d0

SHA512
c77e18712931e57291b3ccc7fbf50c2f3e1562b95a458c2ee8a63618fe0b1121e9408ac8a8473341e6e92b8243c20e20d91e965bae27c1cde11cd8c8b8b42b57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a865dcbe9d1329011e2fb84de09d9223

SHA1
7fae052bd35337b351dc68293eb687987e7cc3a7

SHA256
cf24418913e5d9fb4e0a8890d4b19c8178a7c6c9b9a25f24ec844dcfae082317

SHA512
bca8cd9f14f9af1d0b35a5abe0dd2219387b75826b58c3b7cf5180b63afad26583ca01e6368282a90e102cc61b24ad8ec8fed6149517aaff9e18f63460635ab8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
8fd2bd6ccf28cac4e05ebe762be097b4

SHA1
abae6eef93f9c4c40255259ed40062437f271b65

SHA256
132f00ab2779b46ab193e3f2dde472be7ced128dd530a17d9fd09f77b8b9f9a7

SHA512
b26ce14846d290fd18152aa4f8bcf7a73610b4e2e9f95deb455187d652a54d4eeee26dd3e781e5df4e1f8f9bee9338276a71358e2c6aa1f79671d4a29c47ae02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8059dc28314899b744b3c4d80e2a3eb1

SHA1
b6cb831636100779c0096742d036ad4141303519

SHA256
5388bf0feb8463e305ba2200ab6428d471a126749f9036d0b62e2583eb2ffa03

SHA512
71dd789083410c1e5448a34c3f349036c098a5b4ec5da74bddc00f3029733d1f73298c1d0e43be912848c559eb2412b96771c0b03c662d5031c8f8bb8b3a9104

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
7b3812077f89ed74e660d186613d5710

SHA1
1fd189f52f0a4cdb94685d82cf1563273c2e53e9

SHA256
0a9bde762de846090200a35504712046996f4ef24e4694d64ceb5041237690bb

SHA512
1ea7375096a14881bc51f7ff1181854f34348c4f941362618ca35dbe4ec320e586919c8ff27a09d6a5cf574aa9f3b0e5859e98bec31c66e87153813f8bd6f463

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
83bb5f558107b057684a257ff6207b91

SHA1
d8a6f5f0d464cfa515de52d8ea0ed41af1be7abb

SHA256
2e9db0501c11fd288d54c0d9c8693cfdde232e6d772c1d1312a5712fce82bba2

SHA512
4a2bcb10d7a7a5093138bbc3df4a62403dcf1c970408e510afb6efb07e77c4c8c1988d6b2ee9f4dc8f8f4010a4d849e67665087728d7f922fe04dc2f661410bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e1becc60935810954c81435583f60f77

SHA1
8c25f5bbb06a17bb58e035f9c702ffb8c284ca18

SHA256
106eeeb5a3858cdcc778e1535ec2e4a7bb74d14fa76b8a137df7cf8b8c1e776d

SHA512
fc6f1ad45135840474220522e4c1241d29b6d10ecf4d53e703b7e8e326687dcd4cab4f3a089f277bda632893883c7c2c35cf80f9ec89992793d3bd062fbb2405

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
85606e84b1264062df1b579490b80749

SHA1
a38782ef9c9c2fbd8d3b9fcc8b167d76d156e8fe

SHA256
f552b65aba922c9aeb3de9609bb7c732489930fa15de8d97a3fbbf20b8d656a8

SHA512
ba2c9c2456ff9e808336b5b923a1b21849e0e51640c28658366971140c37d664b49a1dca4537d56f6d2d54f7169ea3e9d4d96515f63bb2d0ef3128acc7b533b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7bf5e8bb710de6065d6146fd82f3e500

SHA1
569f8e9185f2bceafd3f3e24f6f3a03095c3fbef

SHA256
d4e5be72768459c5fd13e65de90511f3bf3c0361f1087b7d292ebdc9e7f8beea

SHA512
d2a4f001b7ef54111e5ed214c8bce2854bfca0e94958289463d905244dd5fdcd3d2ea5e54ab96e32d882755f9e5025661950f578755dffb56f258e5118d49e6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
03cb23cfc4572618da9d4266d2f5db19

SHA1
ca8d98d2957df27832486d268b4cd55bde7fba1e

SHA256
966db5b2f555085ef81b6560535d6040416a2bafd1023dd24b11c389b6f83f6b

SHA512
b6806acc8d38327c96170c6030e55cb809df96339c20df1797edf2c7ced0a2a5157c8c381da18ba0afcd1d4470b4ef24dde341563f310399da95cc4982ae8777

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
773419a22fe0b4f7096ff4db47655dfd

SHA1
ce83b01523ad32bcda8e4dedb9e903464b578e2a

SHA256
95e4939b26ffd2a0aab55bb49e71579616e69fc30fc3e2d29c4f6d2046c34c14

SHA512
748239c33dd76798099cdbad676f21f3600083366863ae4c9fa30cec592b009336390e9faf594f2cfc3a30cb79a07f713c650631aee8d27ab38c401f8c112a70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5ca77967909580961484bb70cbf18100

SHA1
0497ffb269a5e68a7b4c68f1c0b879ec7f0a8041

SHA256
797560bc91f86bcca26319517efb598ca22156acf3dcb581c4c76533d31e4dd5

SHA512
c1dc45e7f6668e8146002c12302dfc434d13eb4a256d3dbd98247428a0149f08b0d8d7879d57c0215fdedfa87e97dc66a5e7fc75c833852b89274ba145ca7f73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1e9ab179f63d35c1d84f8c59b1610229

SHA1
b5de2951ecaeba06a42a4589da715997c76c999b

SHA256
7929b4167673ec6f85d34458f69724c101b577576d4b821ff7a4351308cabd7e

SHA512
abd314e4e05d1fbfc8bf07fc153953a9cb0f55ddff92e95381966953562ba6399e488c31483ce04d55437922a7e32091d0a6c3b0d4aa406e9d3752d7335d473e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
434f01e412d38ce3277e723f5e3caeb8

SHA1
118349f9edb515128e0f4aabef2fb61bbff7f11f

SHA256
14cba8447da64120f0e717a02f5ed91e1acbfeccbaa10316bd8ab1d8da71244c

SHA512
b79ea3ff301e3af64b3dbe2f935c8775d92118d627ffe5ed02319dd2f739286201082698d1e0a50a85bb625392612df387f4d093175867cda717f169c3330fc1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
10f692f4222b87906b3a68301b5e74c2

SHA1
f3dd4fa30c23ebecc92352b1d5dca1671c7d9247

SHA256
2175688e4a44d4dad85a8f649addf1ca71517d56f7f0ce5425534cbec63c7ac4

SHA512
b8d595be96357aa33a5b76c62af360211ced654a13d5bb6c7352c9f31a7b52880ef37c860afab729fdc7912d2e6e5b12e48171ee56328e9ca53d448bff9d1b78

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
13399a02d048befd9a1c0bb59168a9cd

SHA1
f396bd664e0dd0f9de7c95d3978c64f9c662eb3b

SHA256
43c1a25711369b90980ded3f464fec4dc942f7695bab0b52dc957f4a2fd51913

SHA512
283dd698965347151031a7d11a8708e0ca8d4418ddf7f1001c5d9169869086d916e8b5f9cfed789daa6e91395508fb21cdeb98318100ff818e71c7b580040224

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2b6008edf2aa1e1db8f2d0d0696974e5

SHA1
5c34f93ad28aad9f86356a1259d322c2a1d1f00d

SHA256
e7b551bb9c3f38ccc2a076de255cc201be00cc4b6b0eb3db31dcad7d231884f4

SHA512
27d52e739075014416d7b1633128d36119542d2a40f20794a86524b3172cc4b57261f254c9c39da724677e8f799e9af5d1c2986c373b2bbae637c5d3bc98919c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cdd3aebdc178810665310affcb0a9da6

SHA1
65ce5b3b5f3f338418672a2cf2b820b9e908134b

SHA256
e0e2094843f724c3da8c52533c1c3d8b3451dfec740648cc257d2390d9c2ebd4

SHA512
f690637e8d6507b005be7fd7fa21dc6c00f03ebe6fb088ee78e2ea77707d17299bf3368435901d221cdafa971c2a4bf50abb6a7869d1b62322e1caf9ac3f9d18

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
8a06e7e267f37756c750b79dcf2f7f03

SHA1
2285c431c303bf838999e60e9df77fba41b45b84

SHA256
3ae24c9c1668927bd6371a643772d21e4317392805aea2c54b47220379ba92f6

SHA512
801e09a70c8b2a010a885ba17f20a7435334e3517adff0f50fb64564a594edf4f8503c3613200e4cf3cb8843046db6dc8803fb3504dcfd07fdc3c85db45dafab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fff3e2d1155182d0f7e481b103497f6b

SHA1
514c35526adfab267067c8ddac774c7787dd1d0c

SHA256
102db31e94a0de599c5f69a7de4a95083c1f74fd1e75cf8234aa690a90d4dfd0

SHA512
560c029126f3e1977d75b01df0b817db9862596ad9052795de308e87c2b1cc77a173dfd330d9d6656ec34d689e7cf75332e0e51e4dee3913c655e72b8cd05c1d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6872fd58ac24732237e663ac3f8b859f

SHA1
f645e12666a9cf9ffcc0a0e122856b814cd770f7

SHA256
8f3f1257006d16d130e1232e477e3212fa5fb0074720fcea905c225cca491781

SHA512
6c9ede2b7c2ed61527f7017db078940afae243fcf64e9cbcfc145e0b53af506a97fcfc689c5a8ea9c1a2e7b04d2414cebcf67cf58140fb89bd4131fa00f2935d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a84e63d460e79892ac41626b7e333d0b

SHA1
b3830d90591c2b49ea8a767f06e8c20e1a9a0acb

SHA256
952e3688f94a4e27135efc707ebbba5cce8a7887f499188b3ef58327314f6a40

SHA512
1ad99bde0883d845e20cbda804bbf984eb1cb331404165d8edd69d276ff473b59aaff7b510739139bda029a5068aed3eea23105750f9882aeeb4b926b14141c8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
797122837dde5c34e54addc2ccd476bc

SHA1
359b53ec6093fd29fbb049faaf4209494490a7c8

SHA256
be87af661ecf4582b4c04c233f399e35b2fe4970732c727a690fa3b74800459e

SHA512
8c48a5e2890d2e3d484ba0306e2e452f0fc5ef50637da471f1feeaaf5d6528be9addfce164ecb0e807d41307b20dadb9521fa4fd6ad48a89f83f77202ecd48a5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
71695309f10c1d5b940a3562f5f786ae

SHA1
b53203dff5f793e4ad36ee67add7ae1e12d31eea

SHA256
49819eee1dcb496f1e9d591493fb02e6f6760b569857563aaff8733ff2d9a63d

SHA512
8dda9bc40871fea43f11f095fce85707ba9be70adfdc93e72c444932bc8502ad984c6adc6404afaa5a9a98d75f42347beeda1ccb8d1e6dbd0d8124092bdb6579

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e1b337f0c3acab613cd820afde4de670

SHA1
b6074006d73ec79f7f088019074342437d3bb124

SHA256
b19d7f681f94338e8ee20df52b665eb3dc8afdc100948f700ed7926dd9d7fed1

SHA512
597fd20d221379ed0e1cc62139056b18e6edaf0d855e54e8500f973d792efb06ad608428e64a11f53493c6153c542136a7fcbc2b931680c844c085bc8ad77dd7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cabda6391521d5ef8e3d422d312b705f

SHA1
169b08c888b8d8317b6e753898a09c9bc0496734

SHA256
66aa7031ddc7853014ee31ae40ef4263a19416728085897d6bfc5a3df28488fa

SHA512
0cdc7ecf36450216fceeecb8f01be66987a8198693a589efeb5c81cd21eb34e97cfac4fd1ec61ee6682d975d3f8ee99a16b7de2583812347c7cfb8794dac5393

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
54ba332db27717109aa9fe609ddea2a9

SHA1
1f77fa3616f4f8ea18c7315fbb249ef0206a56e6

SHA256
c1b58934a26fac2c1cd663258379e59b1ef965e5145a0805b7fd5b44610091c4

SHA512
bd224965498817d163d60eb9a81fd7ce25a6107e61e07fe9de4b5565942455d3593488926de017585d39b6216281e441d77ea386c6dfadb68a4970d2e47120fa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bccddc78c6795be410c86a0e869bf7bc

SHA1
22e373ae07107b64921faa3e1a054d8960ed2fba

SHA256
ae746b0b7dd9e4c50b65b083b88db8d6f457f61d6e623cb4f31adab9a2504348

SHA512
ba57d0f4b3d3b52eba2a9ddb4da772a4adb73de91285a7034e86dc1a83b2a346385eda381eae73458ae930cf1931b103a277fc5a80f49a9941384b2d398b29d0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0dc092831e61a2d7f178a8a111d1bd94

SHA1
bf5c99b88c9846b10a82c4a4cfdb02d881c5928b

SHA256
d06e39011bf8fef7388f3478f69590f82d396a0b4a80d74fd6294f69095bd50d

SHA512
7e54f86a16a37fc89d6528fec1be798e29c045a84412761742e13e05c274c9f4727000a45373595d7fd325e2297400953b0386b4c2dfd7c04e21e27780d5acc1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2cdb5b50a174c84f6262cfba5641ce01

SHA1
c0a5e36ab1e9f43b924f46101c00ae30f52f4061

SHA256
da8c2adacb577e4aaa93d32cfe2d422fd96fa79a72a3b7a02f61760edf739e3b

SHA512
847e6cc9e3f48ca5da83a69fb980c6b4211c73e4b35b811176039ae3aaac89d5c0c85e2030abccb470e8786b5bbaf1f51de30513342857174c5b9c706277fca5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d1cdab7d9733527c1369180155b30bbf

SHA1
c6b6cb357ef077c00fd1978debcb7c856aeda697

SHA256
6c88139129a51b719736628a1fa6a6bebef1d8e274b4d6a90e2df4b03fb03256

SHA512
e94191559f472773c5a0540d8682dd8bac7579cd4f2525b6c9ebb62506432d78426e1df7dd353a88926869c258198f7cdadea69957d34678af53d8f4663137f1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5fba588586ed4436f1f3c7c3a1a05ff4

SHA1
d2fc8c7d218eae480fbcc0bb9e49827ccbbc053e

SHA256
50392e3851c968e1acbcac9f4a65d92d3f95de627e32e669cb12fa0aaf3d3830

SHA512
1dc248e6ca1572a184177673f50cdc78ead848c0be0023d756febb7b3cd52aa3150c963380c6f6c08e6823e41e41c4fee034d68f4d9aca1e5d2b89f2c92ba2b8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3e50e8daf389cf2c94705562a64a9459

SHA1
cf3984b0210aea893cc39c9ce0d6f46c92a27b4b

SHA256
c9c3e29f527dafb4e49e9a2e3c19c4260ded5294b0a4b05e32d1735f1e2a5028

SHA512
d2cf9e5be2b3eb7147e7e2f8991773aef501b9a64e118dac34b2cbecc0c214df107f0161ed05e145e7bd1c07b92db790dd3f785773a517052a30415d9ea16ede

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e983483bfdfeee4ed75eb12fd807645e

SHA1
439c751ac71d773e22da7d0a5703ac7b98b3ea43

SHA256
a0fd3145c344b6f5ed9ca25e37fca5c13c25a79b3400095ee4a28c986338c09a

SHA512
77436a087cdcf223459bf41a402fa0a15bc08c0d0c319e8dd7313a027200199e9279358311c8bcbbe03b22ebaba58935a0b4f8c7cda19021f3193b79dfbc6be2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
03999f8091043c140f5ab5040b6150da

SHA1
37f0d597874f5f126a22da50b3acca84268dde85

SHA256
cde35d4d5eff1a65587f0d61e7cf7b06dc0fd9d868e9ab7ea8b01cf20b307d0c

SHA512
f3cf3cc6f0ea43ba327d2b4455685fe009ae40604e78a214097dd58e9e8b454597744931602bae90af7c1469d94bd3eaa47c15f6ff73422a326a797012ca2013

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
33e8f58f2040c50cc1a113dc4099c3aa

SHA1
bd6a522eb77b49aea32558c634b6fabe0a12c65f

SHA256
1607166991d500a330effd6440d5614a0fae1421b8b04b7c189f2ad638055cf9

SHA512
6e0d73d66d42559a313d29105a938a6f3f435c5100fe6fc0dde394d9a53886958b76c58ec7a33e9b2e532c3d9e10b84ba468570891ed5af97e8e4f0292d08e08

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
7bae3a139e2c6b0681ac5cc75eeeaef9

SHA1
271c294bdc861e7220ff12cbea0a43029327a0bf

SHA256
7f6cc3f19bfe343068c85a8f978d2ca205451af983d252de4a006167173bf5ac

SHA512
97e7d95b44d0d9c019676b3a951f5f6fd1a149f89414eec21e63c9113afa2fe7e301ceb71416d608cdc2d44158b8cebc08e7c59508eb164aa677714f452946a5

Download Submit
memory/624-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/624-1-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/624-8-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/624-74-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/624-254-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-89-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1116-95-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1116-159-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1116-97-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1328-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1328-75-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1328-81-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1328-155-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2556-119-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2556-384-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2636-150-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2636-70-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2640-554-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2996-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2996-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2996-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2996-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3036-447-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3036-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3120-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3120-100-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3292-102-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3292-103-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/3292-163-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3292-108-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/3356-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3356-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3356-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3484-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3484-544-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3500-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3500-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3516-552-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3516-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3640-553-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3640-169-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4056-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4056-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4056-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4056-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4056-63-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4100-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4100-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4232-446-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4232-147-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4284-101-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4284-22-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4284-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4284-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4392-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4392-442-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4536-144-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4536-445-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4616-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4616-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4616-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4616-130-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4764-168-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4764-112-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download