e89fc09c42496246b3ddbe53306afa54ff3a0d3ff5ac3cf40aa43895adb6189a

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
Size

1.5MB
MD5

247b33c0588f68cd1b55b085748aac10
SHA1

e1ac604e9e89442a9ba8ed3974056e350b1c8d9b
SHA256

e89fc09c42496246b3ddbe53306afa54ff3a0d3ff5ac3cf40aa43895adb6189a
SHA512

8ecb3f8509fa4bfd0e94602cf3643e48f473f7f4d36cb2b7b020269c3431eadd776150f510b7308046a3054ecf890893a57fb14776d6f1df4961c199db6a08f5
SSDEEP

24576:+MTI8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:dTIgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1180	alg.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
3664	fxssvc.exe
4044	elevation_service.exe
5096	elevation_service.exe
4576	maintenanceservice.exe
1688	msdtc.exe
3976	OSE.EXE
4560	PerceptionSimulationService.exe
3660	perfhost.exe
3964	locator.exe
1360	SensorDataService.exe
4744	snmptrap.exe
4964	spectrum.exe
4056	ssh-agent.exe
628	TieringEngineService.exe
4468	AgentService.exe
4576	vds.exe
1104	vssvc.exe
3848	wbengine.exe
2868	WmiApSrv.exe
3756	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c243557f293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b06b03093a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000476c092d93a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008467b23093a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000459b593693a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ca5232d93a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d766d13093a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f7ca63093a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3001e3693a8da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe
4768	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2904	247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
Token: SeAuditPrivilege	3664	fxssvc.exe
Token: SeRestorePrivilege	628	TieringEngineService.exe
Token: SeManageVolumePrivilege	628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4468	AgentService.exe
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe
Token: SeBackupPrivilege	3848	wbengine.exe
Token: SeRestorePrivilege	3848	wbengine.exe
Token: SeSecurityPrivilege	3848	wbengine.exe
Token: 33	3756	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3756	SearchIndexer.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeDebugPrivilege	4768	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4040	3756	SearchIndexer.exe	115
PID 3756 wrote to memory of 4040	3756	SearchIndexer.exe	115
PID 3756 wrote to memory of 3316	3756	SearchIndexer.exe	116
PID 3756 wrote to memory of 3316	3756	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\247b33c0588f68cd1b55b085748aac10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4576

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1360

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4964

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5092

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4040
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
15bd34f7e06459959ef6494bc93b96a6

SHA1
c7d8da6169d98fc4beca7c8031b6cba3ebf9be11

SHA256
1755bd130e6f1aaa5ad67605ce549d8543de4fd5a46ee8a3a20b4f274853f165

SHA512
412946691f6fc324391b8aea61ba5c22925583b8da398c4ecdf061e5af40a124710f4a8ce41ca277be90e17e9e940d5976d01f9df34ab79a84966f9ce324201f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
c6c91ca168100afd9ba7bc4352571cfd

SHA1
0b767b246f8c49361fbf09ab88005baf7efe73ef

SHA256
3f92ae15d0c7bbfd2e1521c32ff581d37ec02e78ac28ba0cf28dc71d415d336b

SHA512
4dec0688169951ba28487ceb9d322c46243bcaafdcba3f811e5a0009f7fbd2e0b97d78c679e9d14203b7a90ba60d4a9dc182296a5940b3a8857b7197b17e6d7a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
0922c47e5601010a9bcb86c2775674b8

SHA1
90ff9e2bed74066d2719076dff1da1d4c14ee7b2

SHA256
d23797e2bc591c119d116e6abe32a930c9f553b943dd3488242d2c4f0fd0a19f

SHA512
81a178c367ba09c5021bcff340903b8e1cf281829448ae001681a7f52ccd2b4efa25ee3e82162fd111f664f98f1091759e70adcf4a34f6d11a4918a45166e5f6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
139b43758a938acf777e88a3a6cc3449

SHA1
41161b93eacea1a561f1bb8830e2d8bf0c2d71c1

SHA256
61bd54025b4ea369f490454687504b95bee6d1e06241288c4514b8f346d9bcd5

SHA512
86a4cb9f2c58fa74b6956e7901340d727651012c9d085f08d7f17917a30a73581a5646ef7efeb35a00db5b85d7b6c8d3242cb640ad689ae4b53cc416a443f217

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bc3cf82a8e21890d5b535d01dbe5d4f3

SHA1
b4a26091900759bc275b810c79fe7c1077782058

SHA256
6b2e68bb65deb4564316a4ff9869627389addbb47670d648a427698ccfc12763

SHA512
11ad6043077f8630ffbb77b8bfd9a6dbcc2379fd9f43e88a22514d8fdc8d395c561dceaddfa4c2c412929cb97a7d79ce67580f370a21cc965b9c30095b313c22

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
6ec4347b408cfb0b142c1d58209db315

SHA1
dd6d81e3f03f17841cd3d1490afbcd7a519786eb

SHA256
c8bb94797538e13ccbd69eee7465628d9e3ffabe893b5bdd78b12482ddf567c2

SHA512
f77626d0c6745c7448220d19d4b047133aacb98061dcd364d821dcdb325e87c3b9d0767316320968ea2db0d561ed56fd1c6de090de9d3df3bd3f6f1521a78182

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
f184648186328904c991d1cf56680d31

SHA1
35d207d7ae6a2b9a1b0260f5aff9d1463a598c0f

SHA256
466a0480f627e35a982dc707eb804b22127cc46ca29c12f710eecf6e271a9f67

SHA512
40cfa395832a8ad8c77a590c2e91a1e696403e643b16d827a217337ed7258b9549b753a199c1c2aac48813c1a0078ae48e7c7b202368ab6dea884c9b5e95ed1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
16eae71dd4534ba70130b1c528b42d93

SHA1
2b63612c00e24a7b11455ec529d55e9ce076b187

SHA256
c9376ba57d02cb32218bbfdbba9dd37c8b6f30f5f214100a4ebff13fc72558ea

SHA512
86d3f7c356a67a558f9506fc37af2f2f5485d43ae086827d2a161ecec15f56156cfdf2cbd68bc26868c43ab0b663f319575675810cf4e9fc5a9dc99bbe6ec2b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
fc51c540d4a3ca9c357192edf52a9f71

SHA1
a11cd3871f843c07755bd346b2b6c1c321f07a16

SHA256
0a1de1ddb8557948730bad5f1326be7732e44ee25b3a2be0a66aed2ed3213812

SHA512
5d877f2f3f3cd98f65134539f8c926f2591d6a625a100db1e5eae5262c4eec8297afcb0263843fc662b3934edc8e2a0aa2a0259aee61d0e3d7d6f4a0f0f29b33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
19a9bda4e64f33daeb305806ba13a152

SHA1
a3bccfbb9c9f8ac2fe0e28755d31a1494268163c

SHA256
d6e26612749dd7653a704e905ee286123d6adb39375eb3ef913cbfac40b36e7f

SHA512
8102e40b22184ffe47c6d42321638c8c313d76085322e2eec21d936d21ec79d7256f609859a7b801a1c7c725bce94f1d004f89166a74da0cea9e45b9575da9ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4c08e73f4622514e3dfa35fedb9a5944

SHA1
c7030dc43ccd95a889b9ad70dfebb6352826bb5b

SHA256
2ff26edec0c9efe38da107e4efdf90df8e805cd10a97bb0d990d701ae0f2d9f9

SHA512
4b5bb88da07991d59e9afb23ead10b4a2d5790025929c44a1f0064c71ee102807deb68192e071560682a84e3474dd6e6933acc7c34c0ddaadae2dd0e6551908c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d39e850df00afd89050fb3c362004db4

SHA1
f79bf70bf26996d4a5c0fd116524b41f9ff89c33

SHA256
b3dc047789eff01552cc11f912b6b4e1156acaef1003ce95b7cf343928d0beac

SHA512
dae2ba246115203866ae509ce3c9ce07b1a37a94f750d2feb52ee3f46f8a863a410028587f11000072765ba26e46b84a469aef45523446f0ffe4f2b999d187bd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
86b8685295c6354627553f7a851d03f1

SHA1
24b771b4152db8fcfdb7f0f58c1bbba8d306ea56

SHA256
13a6ce6425ca20924036260d3b1ea1abe48c83fdbcde3a61483910d50ed5db72

SHA512
b175e259147921a03869eca20759d298c525ea19a442429a8ed5a8e595a511bfbf44a0203befa9241a40d1d8ebf79e7ca9898313483a67861c25a8e0c84acf65

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
69b2c355105efb821f65e3b05155d6ca

SHA1
6dd00d8bd3fbca710ac5030775623f56ac860102

SHA256
ba3ca747500c94599561276ce4a8bbd699f89be9fa512cdfa9befcc0aa74fe02

SHA512
1514c200ecb39e727449dfb89f93c50c7bc7cf0bcbc50a49ce4fc35853c20790ae163926ae28aa8f70a0dc25e246f610f4069496c09013c4a87d06a05281f40a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8b5777325ebc18d0d9759b7589505ca5

SHA1
aab151784b995d90b098017fbe67301885fc7542

SHA256
d53c295d1e082d14abe1a85a55baf022b9740bb48b70cc68cfd4a91c24725e85

SHA512
cbe7542709afb7bcc0c338d904cbbca7ba768da20020d638bb4384e3f5ab4180f2148c969ab848dc510b8b98063f94867d71267a8893774c193af704bdaac488

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cb975381f02ed74ef2fbd50244e30ebd

SHA1
700083124159ed40dbbce2f54b494d5b2ab9c811

SHA256
661aba5cd0585c9050d0693c6b2ea1306d36ad52e296af373331aee5b765e0d3

SHA512
ea7cfb2f2b541bcd458dc9f63620d70e146326f142d7f675fc283bc0784a9649066f09145a9e6562fd5401c0c3bfa81b5be3fab56d77c34c4bf793da1c63d59e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
150f3b146777344b59ef705a21320818

SHA1
35db7afc9c889024e297eb996851d253d0b0f5e5

SHA256
e0240a69aec717fd6df560408f4cf2c375357c2aeca0af85e5fc45f3d9cb1dbf

SHA512
7bfa1536f31b7eefc147aad86c73a71574fb397c50522988a4cb2e8488e72ce171f1c0c8583b7896c02be173d03391859dce20b09b3151fda0c670ffa1d5f6ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a70a2019968db43c25fb526bad29f88e

SHA1
adb80448c58a757553a5b51f0ad567900403a2ff

SHA256
75f9734e86e0911c3930b2f448bb695fb0658c033c886167713cc8db1af15677

SHA512
fb6ecf7c23b8bc8cd62331a7b016e635f3f48518004f6368be9a921cc2130f1817be5db8791054d57197a270d3b5acbc2868f6b0beddff5c57018b174f3e84e6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7c7c1dadf330281df3d284ccf2210712

SHA1
25a1a16c605aa9fea307bf05e67913d824f7a03a

SHA256
ab79d63eec570fd6c028d4a0531c3d9f29772bc5ec3d031848b152d89da82387

SHA512
cdb9a29697b06991d24e7949ecce559549349d2680182c9ad93c72f26fc669e63b4c9e40a6903e91a46dccdd1198cdaff6cf184b8ec9b0a75af3867ca0d16a40

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1152d7fd1e22b3d14a41932a4e791e1d

SHA1
3929b5670deb95694ae65475e8a7b63d0b71cd17

SHA256
86e4e6351a8ab376a390a7d81ac6a4fcafa455df7c6239187616d16378a1675d

SHA512
401faa7985c661b9a87ff04f27573db6399855bf92cb06deab1e0b23adc25a217aa9026803f1abe73d50740bcf2f85ce3ab75df9f0fb7288815d0f11cf932fef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
f336d738ff91fc9c8cde5bf9e43caf0e

SHA1
22f4d7470c528419528210a255057c1442c4ec2d

SHA256
6a9b8db72e65a7cc608df80a8a33388caf208a01f9c7b35fcb7c0382b1571992

SHA512
f3538f8af0a573b50f16d3e2318f48356ae9bd4239a03428c73cdd2baea3964470f5cfc0f53e5375f20ec2c783b9dd15308e53a6c575bd6152015c9385a7b5ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b714039d031ae104c5b64940ff713578

SHA1
b1cf69d984bad2bc95d822fff1819e384e6b4d82

SHA256
1c4195ec30fe159fc60ac94996607347a831272e4e322740f6ca1b05d64c00b6

SHA512
c236430ef82861dad00aa419ffcf732dd319103c5f5bcd9848f4c3f7e7677cb70aecdb99a2bb9658d2e82cbe5c1694bd2172aedc4bab3b022a3d5c8028c7f23d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
6cd554c003f264f9a0401bf3b27d2880

SHA1
2162bbcb47e9f1e77369802d1df16191f3d37c75

SHA256
4117fe8facb1fabb832e3c8ebd2f5a05959f9940adc4892816930cf68623f258

SHA512
c4b3f6095fdfd480e2311b1e52592909c78173ce30d7b26d76f06fbe5403db9dc2ba8af61b4d19e8080b9888b57fff7431feb1d1d21b1bf3de7f3d2c0d698c88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
87e24ee865104bbdfe063119a14ce2bb

SHA1
ed683e634742f5964fe5729dc1dc8a360b2de6b6

SHA256
692f784ef46cc085fe03390f0fc3470a1bac63c44d4634aeb04d183ed8010253

SHA512
54619d7d8f337acf9ab33690f5614fdfbbaaac513611ff0087584f1f09daaad64288b7d2f8525c4b6e403f0340b0219b2a1e1710d9956d72d8fe3b8736d7f3f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
910aa6b2aab577c13fa9b58c954ca2a4

SHA1
b0d41af8e84beae0b241fa6757c2cfda95ed8075

SHA256
6f04ba13b4cb2dc92dfa1e25b83dd8387cc005b08deb9e78561d472e8a36c6f4

SHA512
41043b101642b0b15f5816c3418632e552526f7243cdcbf9b1b4beaad92947462fce5d899a25f401cbc69065b5d5159ba590b02960439b7952d4e6fe31c16572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
eee4b980ee81e79e4fab59dfb1a658c7

SHA1
d863c375f68a387abf1a186261968df0a4843a34

SHA256
dc5f2cf48bcc2874de2810d9ecab376c879b6d34bb0028b51086274851e77762

SHA512
27590f591efc90acb1eafc0f3bf347821209c8c2c4aaf102314f1c875cec08598b6c31290cd9f4e1c9a935e43dc5c94edae39dd67e9a364097e91d3209412680

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
6e553eac0d97d56ad315080d955499f0

SHA1
9616cb966916e4276df8090c78974f99989b613d

SHA256
629b72fbd1511e1974bc0eed342a61873f64776d2056401d04541fb44bcbc7d2

SHA512
0ec5f17ef71dc015b11db5663501cdcec9038a31930a5d9659c826aed033edb727c03ca31a96a85ab75e57a4185d73b380ee16726f4e264a3795edc958c85966

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
59a99e5ff9228ba2eff2696436875f94

SHA1
afcea5028409af8bead8bb26a70fc741c42ed9ab

SHA256
15c546da1a64eb74ae2ebf8b4c20acdda9683ff7dad57896a9dc863e03fc0e87

SHA512
52d1c780ae310097829447eaa6b742ebaf2a0bef5692c8b313cefc13fdcce704118c47a811edfcb39bb8480cfdcc3e6ec472712ab5be0efe96af422f6f6f77de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
04982b6cb0feb3381fc763c2e1d01aae

SHA1
201946daae293c2841c254526c63e9a23d7e6779

SHA256
31ff15b09eca82f5881dffe9f156057cc79b4431be1288f6d177e73fd714a1bf

SHA512
79c52e31d1e134cf1440003809f95270b8b8301db25049a2325ce3db7c154831c924918b5b723f92ace2037913aeeafddc6bdb57de78095445ce59f26c42f065

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
cf30c0d16b68009c5bbdeda42a26dada

SHA1
0841f54c241ca3babb226a77e95473f3aa9eb8fe

SHA256
2957ab21d22363a334da1d8a9a8ec014289ae98eaf65a9a07a52bb41363867de

SHA512
3bcb830b0222130978c3db75728b38bc9e7d7af2c6602ffe73fcd81e345b286a4186a49e63ced9c27a08577e60d9a6a55a783d7bac2fac731f17a380a8574cd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
cdecea5837a4de1ebbddd89284b52d4f

SHA1
bc027e7266d66d753a0d83eb71f7295856a06328

SHA256
bc70c80672836ca8ad3ca135f86ddb4e235c6795fe111f723452cb953a65dbab

SHA512
45789101c500a73c9759a0bc3cbbce4336a257354cbfd5b7c570da35fd4a06c295d9f29e9fd30c6254f8c0a8f7320a1fb5a53197ed3d3ed99940030fbaca63e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
676a40485b8090135923d1a46cc0059b

SHA1
f27d6969140d655552f5011d98af80c4726bd65a

SHA256
65f71b52e4292aa2d7a84e0539bf9731ee62e2e64674960d8a2f81ecc734c97e

SHA512
ed59dd7a3b68b74b131c7af01ae0bf4b586ed1352724102c80bd4d13be0dbac9409a0168f8b1438afe3f96bdb9b4319d07a06356a8220f2285dfee5c8dbf0206

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
57cdf49d53b4e9408bb951fe68dca5ac

SHA1
9b46c2bed03073f24206e8b908f56528434e56d4

SHA256
35bd7aef1483adc2804642bbd91b7f9d4e2476c26dcb23ff08d1bcff658cac5b

SHA512
47a9aac1d1c0e31a7f7dd5654eb63ce2e065c88e532f91a513d7ad16ea544dfab056673a4470d928ffd7e00e4392a866f26c1b3763a692682525bd0c97b5eabb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
7ed92d8c6ef4a09ecb7f6b18558c4962

SHA1
dcd3dba88b7cfe665385bab1d26362cc3f243e82

SHA256
f19d0dfc882f26521b47bfe83d77f1f9fa48e31c9d89eb161e9208abc208de91

SHA512
271e06dc97aa24994044944ce38afb51de0c042d504faa66d5ec5045c7cb1d65ca02a44dff4742e8f619221a1798a5f06a67517ed25f31a0e9ae2818c98d8261

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
1c73c61d9c0598f46ae8546ada51fa86

SHA1
bf6445dd75d11152e22d91642c9d029efce0200e

SHA256
d24a00f5b0a5d334aba9e4ead6b6ea01384c0701af2eca026540ba114eb60963

SHA512
c200a893ef9d3cece9219ffaf335384025c2877da4556104c835329dcb8091c7ed618a9c3e7ab9123cc01c367899c3e0ba7360c27792bacaaa3f1205157f1947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
567c2cf3409fd82b9b3ff85d00fdf911

SHA1
a1d1e18636c49fdcbc17ce9c28b0f687d2257f12

SHA256
a8f2b144d092f5d17bf1746af40967fbd34ac35016c4fc7276f1e432729f805c

SHA512
33c9c0553e90cf2829c2a025c7287c863dcc26c2a1d7827b565865baf0b581cf964bf44ae680d0c8b12c06723c926d033d82fd3e2fbacbc45779cf51453552a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
9155fee2d8d2013c4fb417a8e7785c65

SHA1
a1ed67868843e59abd169921c96a64cd0bb8c8fe

SHA256
eb285dc8f7c4486516b03e61e5e6d28c97d2cf75fa4b56db5e6c2ec8d2552d5c

SHA512
542837921c3a5bdcdace38d5e706843105f4ca79251c27a7d209d2c7242737b7289df7a26aacf77c6aebdf545c54059b7ee8eec6570b76b12872ee26c04d4653

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4c7100c13bed03c3cc0f0702974757cf

SHA1
1ba718d49e605a38b00c015a690cd383a9d4a093

SHA256
4ea9fe0380bb5a4f3c63f7b38cffea10ffd590673c023c04170fc879c563bb35

SHA512
1bb368dbbb01f99d8c77ea9159323baf0daf04925b2b245ed93ab28ef352143a501a6c6718eac48a00d2709694820674d7b14444ad4052bf75d87c24e726eb12

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
35cc3c4cf43ea62f7b77a0b13b0f31be

SHA1
fea9d9973243091ad365ce3059c5f6c306583081

SHA256
fe887f142509935e5f42bd3b75751bed289f2e180ff86e284b200b48da1dcd04

SHA512
5e8440fffffc939f1ab7b1dd74839151ca881c6c82a4d5dbc65226703e5b910c1e65e12425f2ae7082e36ec0c40ef9b7be4ff4d9717665265463c1d2fcccaba9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
100baecde2b8945153c73a6634e3aba7

SHA1
4a9139333b982b5748db1317841775a473f13627

SHA256
85c763d976ee0bccf1a3fd9992d7379f00ee0a7a333b7cc31431a5fdd0769d95

SHA512
056a00568c512bf05b11bd639ff8d51233159de4252073edc914f892d6d9d3535574343773074592ffe1cfc40d67dd6d8e89463fd8273f6b72b1acf84ea4402e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
653da027c53f655e817f9799006829b3

SHA1
ce1479ce8162ed434f360e86012a2de345c986a7

SHA256
f462655ba0558569c6b34be415f8b4dc0ff6acec3aae6380fffdc65118a5be6c

SHA512
0f5b1bccb38972d22a1183046336591976869b1da674b49611cea0ac08381bb1505b75ca48e0ff7f403e4ce0fc0cda5c02bd7f68dc143225462b815001eec22d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
09e4a8fda39b588d269f783a7bac53be

SHA1
67a1de4844938dfb47ce59bc5bb0ab8e90ae4e01

SHA256
c427519e7bbbc482cb3aef9751195bab0ac0ba9493393e362559c70e6c27a45c

SHA512
e6a16d0f56a8fa8b166be5c5f0a97b3746387be8ad39349ce82f76cdc06d0af56978fe2a4cc3bda414679d11d0582d36010b66b693bfba8c889a333192757606

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c474ff8d867eea69daf1725402ad9229

SHA1
1fec310515d31f794cb7896ff7f1dc87633d9eea

SHA256
ad8b000e161f77a812bb6e7703eadb77a10ac6b412e839b023455fa602214b95

SHA512
6179b447ead7bffc84ade1bb3746ae3ec34ca1baeada271bbd72e466d610de785f86368c90c513a2098a79d6003bc26fcbc81ce1abc3e31710fb997116da4a43

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
05ffefffc8e3390ce35875cd8cdc4fa9

SHA1
978f472f82e42a843bf325996068ae718e7afad1

SHA256
b18265d8a933de21144699d9353bad7fdda29b3382d6e803b3c8ce938cbacbea

SHA512
f36f6b868841d407bfff3aa91b0f142a8075c2ff045a648c761dbd63cf8d71ac81ff6e1210ee10935fe9d4848c051920be7960f1119b1d4bfcca3c82599f1fe4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
d047a682bae471dfa822906b7986ad6b

SHA1
db1eed2aa018283a6fafa2f6e517c02862c7dc3e

SHA256
047aec8681ae062d3bcd0701952456a3efac67ba30321ca4cf1435226307c982

SHA512
34a1a02024c0406adeafccee801049070f823c59dc0ea4db8668c5a1b2a7de40f24c866541bec356d1d2b74d4a2732b1049536b3120fd7d5ce17bee6d6c45951

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
16791fc06b64dcb38512cb595b30cc80

SHA1
e273517c33ef211ee4918d0bd5f343cff91beab5

SHA256
adbdee7ee272666901b5f908f76f5fd773e3c501ab5cfa23483b8d22f30a7b25

SHA512
6f9b5bf3999069182bde6e369da37bb5ac4968fcd522b46026a7083d75fbe7ac53c480e782295a423a7f1e5cc9ec4d97a41fbf71dda3eaf711b1aac6f6c33a9c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d163a573c738b00c62255ba2f19034e8

SHA1
3f1b0f0f6705fab8cc60bf78ce118809ff1fae9a

SHA256
6a3db20deb26d740730cd28cf3262d78007a4798212361d6af37379f4aed97d8

SHA512
8bd374cc60068a2b7e0f763c85fe9b86822f0fae5e2f5c06892dd22e1686eac6b7081673f243f32f5de3e955fa99554cdba7dd5566538235f1a962a3e3d5a53c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
570f68099aa7450bc9d32b5baea12864

SHA1
a58a82d058704a51b6355962f934403e0f2314dc

SHA256
25ca66b61a3ae7e0d6b03439ba78f8cf0b05b630ade100e58184ca48ec8bb79a

SHA512
fc4de1af784ffe4b1cc5728bdce9b463f7dd99d873ef9fe64bddf9521a943d436c15640e04a0975fca45ddcd2aef53a5fce2f4836619ac3cfb3db0ffb190b91b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e446488b0a0c07447b28a12d5e9d55a9

SHA1
e4a7cbef2a5c7ddfe5e535277ae90256f7e95ed7

SHA256
181432b11cb63a9b9c9ac5afd7cecf9ceeea8a4058607745a272abe0a4521a57

SHA512
28c093dfd538c05d3835d70144e4713d838e49e4ece07fd53a6320224edc3a1ede815832aa409c231657ed95aa1ef00615495d90785c596dc8fe4220dd7e4c5f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
6fbfc1f9a0cfb76d3c8a265b218676df

SHA1
67f6979e5071327d187fedf8ab4b4f6fc3e42726

SHA256
11ff674059432bf0796544e4b19bafe3b70a438fc40bb7a48f608f6b523b85b1

SHA512
1fca6d1749af87265953b99f7e4427d3a647f2b9c2b1de9607764caf665cb17c294766d00031b2bd9c3ff8f73377d2b595d25f6c9d18596d3f532904f1f16830

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6106bce4acba4e46c6d07d79db79b65e

SHA1
60227fdfbac51d058d9cb00f0dd088d202128574

SHA256
fd80480fce2ecfc3031b5eafdb97aee78d840e2ab0372a2b55b1243975e8185e

SHA512
1c8af499754f88445245f5662ec6ec1de152266f1522e01f830bfb67e0841f3ec93af0e1eb80204aab28f525b4cc8735f0f5f207029406bcfbecdc0d91d9b990

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
a48ee3696b1e9a07ba3a867b9849c965

SHA1
2010ee39924c9b358290aaa04d25359788c2d7c0

SHA256
d4a115b06e874b20873116fb249e289b1d91c3647125e8f44d3c126797bda798

SHA512
c6f7524c1dd09215b8b959cf98a69466699a85ff2b2f14a7d8ff24450dac154073a8f4a63c69ace46ce8e0063dc3d71fa44730db45aa385a9ce31f5435c29c32

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
e762f2469f730e2bfe012dd6d889a3c4

SHA1
6ceb6825f0f3105699174152cb61305d2ee044b8

SHA256
a94b9cf4f4a8d1917722e0654a30c469dbeb793b6e3d52d387b9ee71232a62c7

SHA512
ce41d4044081452a0e1026839ad5bb34225083e8d86b165005605471f408facc078d95dd7416b7b3896c2e08a7eb2f82ee046314d8afc92de49e621e19de7894

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
823c5e3cab51d80d10dc3e049dc84c6d

SHA1
972eedbd89979f735e2037df79407d332523cf27

SHA256
717a18e269e262ba6e57c89ceae1846170ba64b362544f8fd2658c28e03fcf0e

SHA512
9a14c0f1b1b5177fe8a8676106bb59ac442aa574cbf5397bda0c83559d25b0c3845e2ed34e62ca2a21216cd89133f78f4e5e239b26f2b13b90b1ee6e5d7a6d3c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c071e905803a7fbe47f5281b245100ef

SHA1
b9ea34bee2b0b280a7d721d1a335ed7d1d2a102f

SHA256
5f9f139045bd21c26edd12bbdcec3de4c94f17554133386454bea3024432a3ee

SHA512
5594b4fa2360464ef3460f0dcc4a98e60b0da49a99b0f3870f8050f1e51b17fd2bc9e90f530a22124901d853dca60a2835299c31d45b0875a58d40b89e162e78

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4a1f5b1c8dbfe5907bac00dc8c6d9eee

SHA1
4e7867fd6966782b869bd1a45b754520c8177da3

SHA256
d69f22afd4dfc708f0c83eadf288bf07eff6f432316fe6d358c8c27c597a0b2c

SHA512
faa46d97ee273771fe148eb8f353b9e516af179c859ae7dcb98e50f4bbdef6f8f7deafa4e4584ae28a329f71a389459e00243f4ae7c5c5a229ef38fcc05bfb75

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a5c29ae4073346e6fd5baa5488b5b4c7

SHA1
5445dd9db7511ca9d6a90104c19baf14634f9b77

SHA256
074fe9a60c8b7b67bd7789bd3beeb5df792789bc03949fe04e00789f5192f1aa

SHA512
c797e4a0b0a942271cf37a9297e1842a44b53732ca5bd2d7bc70c0c8ebaca05e2da1d9dd8eeec8b0f93b0dce5eb5be1c9cb862114491eb568f4741480e2f2c10

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2b0f22c5163aa1b90358554f0e95b5ab

SHA1
1ebec400568965e92ecc895a10161af898d044d2

SHA256
1fb43b2d6eec0fa6fbbac4e4ebfa66bb3439e572bd149b6601a3b7e764c610b7

SHA512
772f7fa1327979dd50b50ac20456b0e58c26c6bda24efbf739196df9360f6c2433093a2bbdb2acf578f58ef8fe70978568abd435a624a76f08cb6f800000d8ae

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
b78ba3ab3a9706a457a5a7f82a1dba22

SHA1
383ff5a4632ab56f21ad8f5dca1b2d59b1993f9b

SHA256
35f0f9809d08653ad4392e5fc5771e55c9c5aaa2b8c6723386b9def5bed39a07

SHA512
8b89d3bfdd500ed308f61f7105c2a09ba6846e9960288aec3ceaa942d6403b18de83b5960331f8508ad495dede56c759a8d3635bda8bce8a77f99484a39a3db6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
4c917915aca52d2f02851b4be0f1c656

SHA1
38983115af315d0bfcf78bc73352fc4b0c454433

SHA256
456160579eda699010e9d1101b3c095d6a7c458f5963344720663386bb5d406b

SHA512
e268b077861d62cc424318f0a56c3c08267402e9d534db27da99f3edfb07a44033c6a9a6a54ce9966bc64c812008bbea8a53bc00ee643331d34af0576d7e6630

Download Submit
memory/628-196-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/628-571-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1104-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1104-671-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1180-112-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1180-12-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1180-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1180-21-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1360-485-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1360-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1360-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1688-89-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1688-90-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/1688-207-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2868-675-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2868-264-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2904-88-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2904-0-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2904-1-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2904-6-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2904-8-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2904-361-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/3660-135-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3664-47-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3664-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-44-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3664-38-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3664-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3756-676-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3756-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3848-674-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3848-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3964-145-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3964-263-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3976-225-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3976-113-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4044-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4044-57-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4044-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4044-51-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4056-185-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4056-570-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4468-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4468-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4560-234-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4560-116-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4576-74-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4576-83-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4576-80-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4576-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4576-73-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4576-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4576-572-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4744-160-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4744-478-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4768-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4768-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4768-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4964-567-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4964-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5096-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5096-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5096-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download