b398c899501d8c07b3ed335f4a1afeef5ee7ef25518f27dde31ec1ae1c4e027e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
Size

656KB
MD5

4d2b8ae47f2d3ea549634b8ebe767e30
SHA1

ee94af89456eb3680b9a6451a0a2ddc04acd3288
SHA256

b398c899501d8c07b3ed335f4a1afeef5ee7ef25518f27dde31ec1ae1c4e027e
SHA512

31634ca6d2eda9fb5e863bc6af358bfa24c4810f8c0e831d5a3c8f16bd258b97502bc87edd6a23f13d6b847a7831aaa06112681b0b88cca66bea0f164e77f729
SSDEEP

12288:aEZjg47dIxn85c6S4Hb4849nIYVjIlCOU4hog96o2gZ:3Zr565gcTVjUCs2Vo2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3980	alg.exe
2732	DiagnosticsHub.StandardCollector.Service.exe
2848	fxssvc.exe
4428	elevation_service.exe
2888	elevation_service.exe
2836	maintenanceservice.exe
2216	msdtc.exe
4700	OSE.EXE
4684	PerceptionSimulationService.exe
1396	perfhost.exe
1392	locator.exe
4944	SensorDataService.exe
2840	snmptrap.exe
3112	spectrum.exe
4284	ssh-agent.exe
1864	TieringEngineService.exe
3016	AgentService.exe
1636	vds.exe
1836	vssvc.exe
2784	wbengine.exe
4880	WmiApSrv.exe
1584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\59708523bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a73efca53caada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000494923a53caada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006811cba43caada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b54d1a53caada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003760d9a43caada01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2732	DiagnosticsHub.StandardCollector.Service.exe
2732	DiagnosticsHub.StandardCollector.Service.exe
2732	DiagnosticsHub.StandardCollector.Service.exe
2732	DiagnosticsHub.StandardCollector.Service.exe
2732	DiagnosticsHub.StandardCollector.Service.exe
2732	DiagnosticsHub.StandardCollector.Service.exe
2732	DiagnosticsHub.StandardCollector.Service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2188	4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
Token: SeAuditPrivilege	2848	fxssvc.exe
Token: SeRestorePrivilege	1864	TieringEngineService.exe
Token: SeManageVolumePrivilege	1864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3016	AgentService.exe
Token: SeBackupPrivilege	1836	vssvc.exe
Token: SeRestorePrivilege	1836	vssvc.exe
Token: SeAuditPrivilege	1836	vssvc.exe
Token: SeBackupPrivilege	2784	wbengine.exe
Token: SeRestorePrivilege	2784	wbengine.exe
Token: SeSecurityPrivilege	2784	wbengine.exe
Token: 33	1584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeDebugPrivilege	2732	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4428	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2988	1584	SearchIndexer.exe	113
PID 1584 wrote to memory of 2988	1584	SearchIndexer.exe	113
PID 1584 wrote to memory of 688	1584	SearchIndexer.exe	114
PID 1584 wrote to memory of 688	1584	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4d2b8ae47f2d3ea549634b8ebe767e30_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4244

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2888

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2216

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3112

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2988
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c63a452ecfd6fcafccd5b0b6ed772d8b

SHA1
86517ea664e7e8750093b0121c0f2eb3fc4078b8

SHA256
b35fdcd4f29a30e52b2ca269efe382e0eaa3dc748ec04bb766793d40ac3d898b

SHA512
d3e09ac75d7ece69d2da1b971b8693a1138ead8b7fc28ff20f238b504d921e21fa4f357bed1b841867ecd51203604423f22e9afd6a2adaf09b6fd9944d5302cb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f6e9e40f22f750766b5eb6210b543dc0

SHA1
cfc5a2be8f9396a8d689d82c3fa6b3d7a192e0e8

SHA256
4deba121d0d6700cbe9f794ce76bf8513523556ee27656fe02f86a16a366e98b

SHA512
582dd703240291c86cd406f1355818b1400248b19831b6bfd7ac2429d9454964360b443392ccb69f3a891879a947ba0fc0e099e08951e84e019cdee135dcabb7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
433a823e64ae510f952f8dab698e2ca5

SHA1
dc0974bd9d4d82f3256bcd826b168d3ce9ce19c7

SHA256
0fcb9c036c5d397e23bfbd055062cb42c9cd4c304a14ea9ddea11dccfd34e993

SHA512
3556cc6db825196d9f7eb1e4f6f5392ed21d9f1a0f2b0eb74af8a55e3bd6296662e7238e9448dda48a132976337f5138adf804fcda43fb5baa4fcf57637552f1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c9f0c5df9a5af77e2e076b4ae88a4b88

SHA1
adf71574f8fad1d2ed5e3d86cd7efbf59cc99320

SHA256
5f26b1bd458ed5e72ee7e7f8fc72cff091b5fac2dc40fa042c0d55e957e46c5a

SHA512
555212d7dfad71b8e5d23a44f9bd92520ea90181f48e1813745c57b98b193e259b979fad4595efd44b3d7af4351ab0aad1326c14844d397e51d1fde6608fa57d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c1bcd9a3e8e12e6a829e54ee2a01df63

SHA1
6d7773ed255322a34551f0a044f968df42724ef4

SHA256
0c507a399529efc5418f9b41763fe3064822b7ed00af8f3e973688cfdda750e0

SHA512
b31f57478074de01fbeb7761abbee8831a74aa5fc247e348af070f51a9371b1b8522e9b9f1e99112628915a47d1e6f5bfb5e0589662f6c3da8689dbe823288a2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f49ddc9040383bcd9968342d1f2e03d0

SHA1
e3b7caadcdf039f17ff8002cefddab67cadbe111

SHA256
e49422644861bc0252f6ceb015d37698a5da8fe858d5e55f5e322761b1f8bd23

SHA512
aa3e1fe84045655b86cb01babe6a79ac373122902f02a03504df6fe86eca46a5f2e598f93bc9b0ad0d28823e7f30226f7cb4b1f9ca6c5db8d889940e759cdda4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bd16afbfd5f2aa5124f8c247aac0c61b

SHA1
c501afe317abc1864337cefd3c068fd6f01d81d3

SHA256
a2221a7b8bdca9fa726b1e8620821696d35ea669247981b2201cd2c715515f1f

SHA512
b949bdb95a4f3627ee73f860fd69bf63e3d684cf228e95889b890d7e62411a190ccc7beca26d09277cb378a3412c4681df33e357d9a263605095fe2db7e366c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
de9e6060ec4e4dafd2d7d031e0c73a3d

SHA1
3ad9132ab4dac16c5a0f1c45b43e526ce2c10193

SHA256
6b84f182ed496825e860192e892c505fe47899d6c21183e0f65f42ea5fd21b7f

SHA512
d15f3785f2efe8244af8ae97155d06adf6bdf012a0dc47193f0005b64b283a09059e532b822b345114da441a9bd8bff517295765163cbef268e526989b525f0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
39e7f86316f96731f64562908713062e

SHA1
50d352d58ddd1e5e71a0cf1965ce74b27996049b

SHA256
acbb2b5f1dc27f355370140abb0d0fe24a5d10067544a4b0d613f759d1a95817

SHA512
617157379f69301bf60eb100999fc8e3934d372d116c0213d3b94014ec638794e2c7ca90f326710cb12f98722e27c32d7eb6cad8ba75c207114391a6b9f7117d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1a3cfa67cf130201f2558003ee67cea7

SHA1
68adfe056ea8356b671458fa331b323bb42e3d04

SHA256
d226ed648a9fd9497b63b9bc06f5dda96b479f9e79a9aab2a5ae29d28dcd75d0

SHA512
eb9ef13056a0ed17fcbba114cb3fb290ff66d321f47080338f758d28dd5c42c520b4d3fba43814a86a2889dc49e7702492c64725dcb4d4eca6581f3b12dddd5d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7025bd9b2f8c04da4bcfcded9ff0d5e6

SHA1
5aee9f4e8755a53b29068573e2cc3a236c29b1cd

SHA256
f42a6f7a83ce2dde3cdddf703f3b1898b69479e5684d552861d178d2c8f429be

SHA512
6a309ee335516cfd8ab573952f5c9e3a2b50a5b8b7372d64b2c265b2bd9f765661c6b265e29ecc3dc5964beaa4ec3c4c1fd7ca1d63ef5be38c874b54c8ae0bd1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
daed7149bafba66bebc6a02e1e130db8

SHA1
690a21095d6e38e92545b20035eada8be85caeaf

SHA256
99e7e89cf85abcfc37d553d5c16ab4c9a1e17aadad016f828e26e68377e36b8f

SHA512
1a956d4120b71172d934d4868d4d970bc9a9559f25303cb93de47f00dfaee56ca9870c3af89237f295e2077363b79b29208f1e3fbaf7ef4cc20c6078a6d3eb55

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8d302159cad818ad732070da88757c1f

SHA1
90dd89a3d8f96b0eaaf1ca02c0b7040d6e185fb7

SHA256
db2f696e5d3e7415dbcd29cbe8985697f03a5bd77bd5e14c5528dd576b8f3176

SHA512
1fb6ab844ca21c4b5b5decae151262f0fde67526dc5c854be24ba76c7481c0e97865fe4a3514cb70bb4f5c674e93e9bb1075b02116890f7278eafc076b2f1373

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
84c69483e325da7f8caa80a6132a6c14

SHA1
cd60f708558a120b5cd7a736d158ee68d49e3159

SHA256
255fb062e314f3fa4cd3633beb07b2f2d037186706ad27bd42cf136f4885f424

SHA512
fc596dc67ca80503d8e0d20fb5902a76c55b4dfc1921d02b874c87e511cb2a3f4f227fd651da98bebffab2864bc1a8d01ba62206a67be84b1f48d9d43a467220

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0081d9eccf61791ff367c44deec1f51f

SHA1
83ce16277002213baf00c959bd22c4658c305d50

SHA256
95d9c43a26ed0a17b41e4df47bb24fdc3a7e4c0947a6716c426c2ca4f515425d

SHA512
ae358f63d4d1e02809ce3867710e4267abd92bb83fea280338ab71e743080889b958042c7a3d289e6b6dadd6a8e99a7141467a5fce7c71dc29c0af5b8dd69c4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
46b22bab01071ef67990d7b793428895

SHA1
ea6fd0c00c4a536cdf65e833c627810bea54ae1e

SHA256
37f978a66f01103823ec2dad32b9783a64cbd65d8fdfe4c04dc6b26bf7edc3e2

SHA512
7302449d7623a121d2aa8fce536b720368d5804afadbbff80a24cb8adfe358856aabc7e468fd6db39a4cb7809467e03a4b4215290f3b0fbfd11e8f66f65bd9c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e6b23ae53fb5f0ec7ec028462089e2e0

SHA1
32f6ec2718825ef27efd75c18e00336657e2c521

SHA256
ded4d86b410ea8d2aeb955c48d6a6142c7bb4b302b569ec2a4acd17d1ddc0e09

SHA512
46ca52eaee1ef9c21b70a5ceca9468abb6da1d5e083d445922f630acf75cbfef733a844f1530e3151396141aeb798c2fa8dd2bc5d114fde42511c9c1aebbeb67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c3f47ceca34bc0788aaad6510376ceaa

SHA1
653d9bf52113d9c48df44e7f81f48c94bb1449a6

SHA256
2b88c4ae9a43b7444311c490c715e3fd70c85bdc1a5c27bdb08b1845c9039405

SHA512
eb9919227316abfebbbfbb3f0cd5cb8ce6a73f7db391c4e1ad956dd1cdf1d8d2df33bec8448e3b1f7fdc254da75be9f7848fda3611607f3860123f4ab977ab10

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0a6af4dc079725e096382072cc34deee

SHA1
bc3accbf4c5a7a41bbf7b7614d73ab7a4155aa3c

SHA256
1e7db1f107283d039b4363e2435cb1eafdf4eebb356d1e02109a9d80b09963e2

SHA512
5e057178c6cd6e5e9dd813b9facccc35458531a9d57864b3aa9a978beaf622b9959da6654620aa49a690d29b017162e283e5dcc9e8a56e2d8dba170b7dcf741f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fa6e266f9ba65352aaacc0923c27875d

SHA1
9e06bb5a840d48e3d624b316e66bb797d6e83a01

SHA256
f76f382bfc261edf81baada1c7aa6e981de968553f8debd19fff49afa028f7f3

SHA512
49796fd76bd14655e77324a4ed79fd07a69cc77e9de1fb165810bcd32520dcfc802c44d60bf450d6ab029866a7961f3fcaf11324bde227f18b0709be150e3031

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3d6bb0a161f00d2f6c45925dd075a380

SHA1
ef34164426a19113181f37ef9f6a3d8831da06ac

SHA256
4127b6abfc39c84e1afd805f5695b9eb45d5065919f9c75264356a25074ad62c

SHA512
18baffd4ce86fdd8c115019a89fc19a8acb2766227f01969fd47b6bde450c380b516844574ac14da212de81cdc48761b1b61dd0e2b56977ca5de5cfb0badac42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c36fd3c8966789f180a823cf4e497fb6

SHA1
e79cacba7e575b89cbe61d24a4de2c73ea36b6ae

SHA256
bd88063101f4e1e450aabedd09407f0bf76dbef14cce1d8abec496802b99b42d

SHA512
f3a2a027ad30b3f2dbe3dfd61c2396320511d7704691b5ff19766454106690a2172c88f9ccbabf73607d31eaa0bf42126d513b01cf15bb9b77eb3e8412075328

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
90b92e980a728b60152eea8ff99a9212

SHA1
7229dc9efe1befb368e83a25cb12c3ded12006e0

SHA256
814461b1bf3475436bb469f8ed9284bd3328f0838d46c7d5cb78e847f45a1701

SHA512
b77d66a6734f688e05a0c083e647338d884aea52a40b9ba62f5e0bc2efcc24e44b7ca0d9ab4043c27227e79d8e4795132e26c39c103b4a24f5664b55df4a9f2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4e345b69dba7f44b3b9faaed9f9c8255

SHA1
6bdfb78534988369e3501e8c518a3f992be5f2fc

SHA256
2a398b3927bd70c0d515f7aa4115f38e1764aabd91d21026f237a582ede1b38e

SHA512
d4c6c332016d458246fe69269a839ea364b925401cf32f20da6d96f5bfd324328aa25a36ac2c77c337e414d444a47651c0daaeef195a387957eb5ac006434682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
45667c9b8ebe37f9b8b0decb0cf2b3a3

SHA1
8cf8d81e50fdaafff90bff41e120ecca10a40d91

SHA256
dcc2a0786c50b66984916c8502f227e21011abd708e1c1aee68732daa624f294

SHA512
ab09b919c135957255855365f3f80e8e31455c6d0a9bc3ca517e62363d0573de7e0d4457f5574cc0e082dccae8ec98fca0ac65b5bfed2deb57e4e1ad6cffecaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
62c88ed7cc66c78538f047fe3d576cf0

SHA1
4195cc4e2176ffe533c6272c8f5d3bf639117f4c

SHA256
5e759dae43f97fcc3ec642300e238731d0c62cc7f7d589379fe26edc61f66383

SHA512
24797328f7d7df8a0cb70a80f1061ef6b6256ab872d2b124d02b0a5dece1a550d27750276d069df74142ce6c6f1492266e347d3e8412d0f3c268872faab561b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5240eb3c63935115475ff7d73e948576

SHA1
d761d96d428c29ace78d138f638606c2e41a3d4e

SHA256
8ee4226415159a20489f5f4adc85f677815b2d5165d97ae73054cfe446e22c44

SHA512
21f32c7dabb2ea1e7ddf9214cf0e81d1e19acc4a05d823bbaa33643496e33ece6763388e265302a40bbdf08eda8683230fb39662409990466a0fa8d5d716b471

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e760d7fb7528e42953f038a44d489eef

SHA1
099396541af4ce0be746d881f6055a1e7d897559

SHA256
a5dbf39e89283fd575f5dbd40d6a1d49c7beeee76309092de8956a131f56dad4

SHA512
b4036502948f6a78410f71b103e906953c4753b63d990dd7deee1f365f20eb6fb9fb9cd76e8294d015342ee8ee3742ad6dcfec8ed530ce3d85f639da310216e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7af213d2fbdee8160275dd9bca747535

SHA1
ac9068ba828accafd1921302443327bac5765fba

SHA256
9a9b3445ea8f5911e9e15714fd9c9b88fda26b5354cef935769f8beea6ba8af5

SHA512
dc257d2a1e2a7feb46e6884c1806a74b3d590bcd52bb7d7a16cfcba09c5a01eecbac327eeaefc2e30ce2dc089612f7c2c425bfc1effd85b185d0ac6c9c8b1fe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c617cad85ed0ad6d9741ef23d7da21e9

SHA1
58a35d6960bab85bf368c2e3940868915a8be3ae

SHA256
64fb47aa091aa4c196a33ac107aaf00618fc011b5bcac525fa32685353ccf0a4

SHA512
35f3b444bb6a66dbcfbbc8c2d58effa74fe12683e2f44003418e27b445699dc52fc3101b2e1207e7c4fc72a85c0433b4a7d3c07459a12485ed40781e95c1f560

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
aadef05086b3c222ac4cc4539a257608

SHA1
0348c4f3aaf1bf87c84f1a81b36b98784e23227e

SHA256
ba51282518873c773112789e92a42689fec295e9a4b90f2384861623b16d150e

SHA512
828d4399f49e66d2d48ca2753e0094b113e4be006269ed2d5bad3ac2c820f73663a39ae520e0f03e534b735cb514fbd7a873ae8a4077cb3671c3488169ef2eca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9468b4dae6f36a196b73f02a2cacc6a8

SHA1
7b9e97acbb5b7d274c2f6d233194aaf5cd18e7f7

SHA256
1379cdaac682cd1c8975407a3df1b92a995da133083256c024368317695edad8

SHA512
de386583a322ea757918a69ccac0250686e653f233dfae19a36b59a578107b3c3723b173a374650d55c6fd78d560cb23656b1e40d804dc70ddf35be6fb04d28a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
50edc1c04dc7d97b7b2b3db0d47d60bd

SHA1
4da7abae0b9a107118aff272ab95d8e9f395ca65

SHA256
1a97f8fa00ccdab8259e5dde6853de2b62faed53f1dce2430a3440f3de963820

SHA512
69d2643da1b34ce90d540a285904b667afb162c9952e2497d63c7327578d7254cfc69ddfa23a2286de40157fe2d48c5e433a38c2f73290940c1f81a1ef4a4c04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
89857c4d8f799cb708ecf07a12f127df

SHA1
9caebb3095563c98b30bf4ba46781e4aa74953f9

SHA256
3dfa209cec00a6c99514c9499df085c3689ce022367a87c6990d110991a46989

SHA512
7aace95bb5485d9f8a6c5799f0e4824e5c6b3e4385e73098ca6ac632bed6943487b0bac26af530ed99b3ae4ddff9d5260db224ebed1b3891c70fcc1c2504dbfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
de0355c623d5ef98cea47d5ea0a18c54

SHA1
d0e5d422e2d1b84f2d56d698aa297053fea38ef5

SHA256
e23645f84f42d0977a36d697270826e7ce1863576e272ea7cb94188c1ede6bd7

SHA512
d8ba1fd661040400db6b51947b874246a3ef4b5b9f020c6d43c8680230a6fde3b8e2509eb92ed20f3a751d9dca864e6fbc1db42459b4de1188b6be342c241f6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
90168384733ef3cef2c16bfe240fc83e

SHA1
32e487630e7405b77fac71b0916d2e7f26f59920

SHA256
802822203c35ff43b59f22b133f29454686c78877bd7b064b2b5f705e03825e4

SHA512
ae1bf0f5c8859b89d1ddd2981dba9e7cd21a2d2707f419deb4047fad552bef58943bfcebe9789067a2ab9d2d5e8b65c6e60047e12c204f6a22da8f2b7228c4b7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d1f9bfee8892e248e5f604d7adc256bf

SHA1
1a6f4fb8d383d8d72e69a4e368c8e91613102cc0

SHA256
255362ed998593a80654773f196206a82f65d71f948a79682d990adb8c3eda81

SHA512
ad9824b200b6edbcefd6dfe4d66f70be6d1b260bcfa605ca5519060166bded64f26265f47713a455067c04136e1e308ea29f36b3818be4ad4a4852892db7e722

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
22b4ebce9bc27fd96e22d3a0dbc3bb1e

SHA1
a2d2f3cceac2ff7b60b816155edd3adfeb815e4e

SHA256
addbe9cb8ac280575010e0560a9b7397780e8cc94be27a5b6bd222405cfa60c1

SHA512
a4c922a24aab6c5ac49e6e6df4a3c0bcb0b9bda642c03279dbc3c75c083820869aab0c05dbac6773ee5b5e98635566ecbfdb8a0c5786f2701ffe3f84541e00b0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5bdf7ba5307a691150c7ec511243a7ef

SHA1
443369de6541e6369c63a6c683ce37f405f06430

SHA256
8e97c1e029f3ab76b5898f95f4def706e6c95cbaee9af603afb270d94da18179

SHA512
540421e68910ab4ca4c81e6c9f303ccf082087ea0753ee57107746058f02f3456abce6b01dab19e224f0ae4028ab1a4c13f85fa982eca2ce4ed3ec562b4f5a2d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1bb57a1014230a46a055c05832a44102

SHA1
b751ce29ef637cf7356af03d74a8ad8a3d9a8a3f

SHA256
f6d56fe09f9aa0d2b567d12fa2bdee1f41ca564a5210bf174bc63c8fff537432

SHA512
323cb02c7e754b6a9867c2d03b97e560ed571860f37ded40e4589d3adc348d291b12cdd874d2d446fbbe4e4e24b0aa8d4e9e0ce2e1063fe94bdff9107f8ea8c2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6b0d593c5d7c2f398a721162ab847825

SHA1
3cbf2a7a218b52cba1158d220809938d13ce1e47

SHA256
e6bfdf2258582140e837801b236a68693d05b1b337f2aea9714e6572dc8f0996

SHA512
d3776ff719164843cc2abf8a65da3fe228751ec7a3f32d1e95e1ed7bb2e46cc6b89945886c8618dfd2300b52a760178f0f6ba5efa78e50d0bdfe4735a728ae2d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e5316817fac28028268943aba8ca4f65

SHA1
eac6ffa759b5d6c0fefa1ef56d3a78612c7017b6

SHA256
30d8b3e8b54c68396964c61b5102ac2459d69be9c8c7df09c777617ceff81340

SHA512
1e15d38a629fc96affaf2a95efe45b207cfc9759da916d182b715ca9531437daa59778f05a455798dd2a80b5d7d03d92d14f5aa96409914c7364d612ed553030

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
61484c77b1c5bd59347990e09b2f637a

SHA1
a8246e421c7bec06058bc69b72e02b36b7d1c008

SHA256
32c6fe23bd092afeb89c328e8ccccbd3c2a09b83be06ec6925439cb1bc1aeaf2

SHA512
d363374cffc5f8d5db20eb1c15978d30aa88ef8e996cb12d2252c75cdc7dbdddeebfddb7b69554d4e3fcac87dc5640e3dceebb4174c8134e58e0406267179af2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
526734ac8d828d638146e475e2889b6e

SHA1
97dfa4c6d03e84a4df1bff865c200bd8f310f369

SHA256
a821cbe8d508a363bb24606e6697b841e9c86bc0a5d84f05d0c0751a6eeb448a

SHA512
c9c0c18b30cc0ccf3871e44762bca63df044b606e6e8d49840cb12dbc89e77c78d159630dfb41e9b03608d17c5b397b7681dd1ff9d8441817f56926a39b3ad33

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
43cd69a99b85b2df82522d86d3da3e55

SHA1
81cdd905fdec6e3108bdf25f8f0c7d7509f1d458

SHA256
e2e438c1a556395207587a9c89e1ea93b6610554a29549a814382a9f11acdea6

SHA512
e717a1ce98ac9c94eaeff422acd0ead6a2dd136e037028324f45e1fc9613a476671ab98966c7ab83c2f19e8c91107a6a3df84c7ca18806ed55d0f159bda2b4c1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
33c1634ddcc347cc26852ae6500b2259

SHA1
90bc2c22eaba6865736f87b66f59e9e9a2aabd49

SHA256
f5a5d56aefb96558ca5754f61b50cbc64002119e6ce83a87d5c048bf38e1b2c2

SHA512
50bd55f6014fb7a618faa2fa003c6af03cdde331e5370a43ac62a93b54aa8261a8af4bf9e21677fb5fd2215debead22ecf728ca2c64203a5e8a6d164d6f8e2c3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
362bf33a50fc40ddd14fcb341fbc0cc7

SHA1
cbad6fd80a72dc40440d00610d39312c2d2102de

SHA256
62df0e7a32225838a33aba120ebfb52c62596d1ed55ad4657b55b39944126238

SHA512
3c5480421d51b470f9953f1fd2f189213966fb552e7f76ad01dfb0b86095586868d8a59ca82353ef76d67301ca8e097592306172e318a6e1185f9f366d588d94

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
de7502a2927582d9f1d596e258fc3852

SHA1
e4e752a816d83c2ce1b3f69646e9464cdeefcb8c

SHA256
cbdc95093f817b6fbcdead052adc912b32f3589a336098791743529cfe38efef

SHA512
a7d41db8955fd104f807cf6dc20984289a72dee936307a351bb720b07ce47acc8ad8b330cbe65b58e81102858c758811e19999c1bc43f057e58376fa904ab295

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
548e4df93979bf76474a205492b45a25

SHA1
8ad0ea82c7996076f18e017d63747bf68718cd54

SHA256
3212b810425c06f0acfab3c105876291503271170c5216edf64a866187fe0e57

SHA512
aa9278d6e4ec8e0fe2cb17298231eaee1ce40dc2835ff991746b0ffbefc255d360e4fb805fd9287d4fe418f6a6ec5173c813ac26c55d1977026bf6b63c8e662a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d721ca18967ca7eb35e8cf262eec4e60

SHA1
dfb7a049425fe8180ca30c13176c07a19869069a

SHA256
ddb7df199db688cf50875d7601ca36066b98453ec373b3a8f13c9ec9ebbc5ac7

SHA512
06a28f9e1c6259d68e9cee381f80fe9c1ade552dda6f27f9aec05d60a0aec57a803f578a74fe0ab5a41130316ddc23211fe84875dd530acb9ee5167d7f1aae28

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c92aaf37b0e7a065688a7437a8f829da

SHA1
81818786b39be985afc36fe799f8efa87ff0110c

SHA256
5c20fa26b40b7fbc291bd5c274403fa6df1c6cd58a78c582a71c81e836c9af97

SHA512
aaf7af72e67931953ebea4fb12a0c723597c323d5bfdf95676eec618b948ee2034b41607ec90e1c3ffe733571336cdb16f8ca5cd873e36b3dd6a80ce15748e41

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b0e59261a740bc83f501af088d2419bf

SHA1
a428059ac27d7ba98a883f47c833ac4ab928d5d5

SHA256
6161b338c2fd6037db7b6ff7049a5e10f48280392ee71501d1b160c2061ab5b0

SHA512
5c50772da15202a40d7dc4447d80e754964aa43e6a877fcb47ef7df046af44a08fb6d91759cf0e8eb1dd284f0d754a8b84b5118818819f7df2b59acf6ccd2103

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5c1c3efee3025d3bdc189f14655d299a

SHA1
97e40c6b0eea5c7d60fef4386e2af1dee15ada0f

SHA256
ffc3c1358929c1d75aa21b80cd8ec47762c912293120474908889189c93a178c

SHA512
5a76a3201130e3cd70ba9901412744bab90abea0c1a030e3f76c2760a78bdeb37523787586ffe45d0b3efeb2b3b8c2a0ba0cd25262b1df2a704104f8d32adcc4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
38bcc19af861ce9152f85813d05156e0

SHA1
9a6ea350f929a3d59dd5ae5d59b1d54e3b265326

SHA256
b39d31a323b8804a10a161273af1c1b9a4e3f7ec5f800e144d9e5c47cc1abb1e

SHA512
9fe8f41d6ff04f01e5fafcada059870075e9877f838b18966b346effa8eb92dd1a4218009899fa614ffe6b17cf20c143e675c17535612429efb30eaa8f22dd0f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fccb8f9b92226948e737150ff76069ad

SHA1
f0f586dcd588cf84e7be62e39a8e6d60cf330192

SHA256
81a2f8f8c040fa206fd4a47639774ef847ec6936061b36c65580bc44b1a6b0ab

SHA512
b45ca239a4f215e2db2df9eed3151a4cac7b47cb38eeb0d4c51a58138c7f3b0e26a2cad400bf4d1bb522c624eae70085afef9413d72c4c8a1e14187400aa315e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c4d200d0de67564e1b33f36b2bd1c7f5

SHA1
2daa8a861de02a4db3d70c300b83c3f6cbffd993

SHA256
7aaa0bce7688448609d6a9ead612c8712bab6c002ba283ce7912a0fbceb26e25

SHA512
744c3fd3709520cc5a31a1ea325908c54cb126e8f068608b1a23ff45f05692add5bc942ea5aaeaed8ec419024c427a92df5765892e36ce7d6e97c3ddf0fb0b6e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
643f9777463a316e41c5bc76947242f9

SHA1
907aa268cb6b8a591ee8286fac74b716388d3c08

SHA256
ba7dcec55ffa0c609a9090ef3481d4eece34e6c1053de40417ed0aa1ed93c3c4

SHA512
468edd50c91e55dd0a580e4d9d5300f285851f18f72d07427e4b2c9ebf9b706b9e821ed155f585a1d82780c8f9baec400ab6cf6d426142edf53b19f2c4eae554

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c582e8c848ff96533544c0bebf7376e0

SHA1
d6bc66991fd08b21121cae56698589d8f591a248

SHA256
5778c3dfae2079d685f9a335f3cf114f071bf8cfc723876376dfb51dd8fd7c5c

SHA512
fb197f09e7c34eb52e30b3107dbf2a9ac48395f1ec5658b89b721091b0fa90bdf3c455b4c462204a3515f531ee7e92791eaa61829701e602918a03b110242f24

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
cccbb219b85be645e39be7984729567d

SHA1
55e22f06b4e3d5a83db2d9042af2efce468d5256

SHA256
c822448fbdc42352b24da353d6a464365161b6585b31f186025ac8bc4a56b357

SHA512
e93671a0195dcce03f073424df65459667bfa1d360916977fbf2373acf1d28df6185fc33f02e6f5c6e048e5c195ffa1f4c9a4b4c9bfafb485b0d8d39a9467505

Download Submit
memory/1392-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1396-100-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1396-105-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1396-106-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/1396-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1584-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1584-174-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1636-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1636-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1836-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1836-548-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1864-544-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1864-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2188-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2188-8-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/2188-2-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/2188-180-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2188-73-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2216-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2216-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2732-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2732-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2732-23-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2732-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2784-549-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2784-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2836-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2836-65-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2836-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2836-61-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2836-55-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/2840-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2840-457-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2848-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2848-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2888-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2888-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2888-142-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2888-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3016-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3016-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3112-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3112-541-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3980-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3980-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4284-543-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4284-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4428-31-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4428-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4428-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4428-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4684-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4684-95-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4684-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4684-89-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4700-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4700-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4700-78-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4700-84-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4880-550-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4880-171-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4944-373-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4944-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4944-542-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download