e0adbb362b2f12c89aa8759a460241ed76a623eda4268d051c4dc1e384b9b564

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Size

1.5MB
MD5

122cb37522c16f57ef995678df6dad70
SHA1

2549c9779c07944c05bdf7510c9cdbe944d53b44
SHA256

e0adbb362b2f12c89aa8759a460241ed76a623eda4268d051c4dc1e384b9b564
SHA512

72dc4c13d13b06738edc64ef6e8fcf5f70a7e4f18584355f7db2cd84058341ef46b93810ec468c3c886707561b3b0beb5a649be39303159cadcadc22a91fb8f0
SSDEEP

24576:JFASpe1g6p7HF/w/ftDsBUiScD7WGfWVbvf4CNQE:nRpmgiTd8DsMcDKGfWbYCGE

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exefxssvc.exeelevation_service.exemaintenanceservice.exeOSE.EXEmsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4916	alg.exe
1652	DiagnosticsHub.StandardCollector.Service.exe
3276	elevation_service.exe
4300	fxssvc.exe
4352	elevation_service.exe
3656	maintenanceservice.exe
4540	OSE.EXE
5012	msdtc.exe
2120	PerceptionSimulationService.exe
4008	perfhost.exe
644	locator.exe
3896	SensorDataService.exe
4528	snmptrap.exe
776	spectrum.exe
4716	ssh-agent.exe
1604	TieringEngineService.exe
244	AgentService.exe
4496	vds.exe
2520	vssvc.exe
1228	wbengine.exe
4428	WmiApSrv.exe
4268	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

Processes:

122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\74fbb00c92be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

Processes:

elevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e7a6cfbdcabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8ee81fbdcabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd89bdfbdcabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088c015fcdcabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f0457fbdcabda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000032b7dfbdcabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe

Modifies registry class 29 IoCs

Processes:

122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09265	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09271	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09265\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd104000000020000000000106600000001000020000000f89a0a06041a3e755de53df08be061f8da548e89672f7cad56bd3684c3e41efd000000000e80000000020000200000001a9568abf4926e9524556fdf5b148377c0f6630006cd4e2ac33b456a5ebd9a53f000000072672e46ee7d80cc9edefb130daae99e4aaace5daba59d9f4b09e65e8fa864eff46e7610be781a68a6f0ed7b6e2a386788803ea22545ae2152f1abe20bc6996e45a2b1cf4c19fdd76bc1ffb0603602f8391d7271ba418c921307789c51a9fd7fad8e4791523ee16ebe2756f22e010ba2da2e446d0c2837e4deee82832c8e1ec6b8f59e22bffc7a9b758d51665ecbbb1bc8a769f3388e22ed322299067db4cbdac4f8a8de3c9c334a378357d53ce28cf4b7d0930746986919577b2e90c9f7c32d32eaf914d1ea1d4f4cb678b0eb99c26b4fab5da317ee6ecc8e31e5b61636ef313f353b564ef781d26e9d7940c55c71de4000000004ed587a5b607c0e45a44d50785b9a75e09bb586eec0a64e62f2fa3a9d687bc3c892201a3fe50d6ef5ce5c4ae9b4bd669ce2dae0221efda75f35726713dc9741	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09280\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd10400000002000000000010660000000100002000000015a04d2dab3d20457205064a29c176a59aa37b72c5a231a874bb413c1b0da1a9000000000e8000000002000020000000121a71f398fd2f8d5a2a6a5b42179060132a907d6e542e53e47035836184b09af00000003132cbdd673be8a9dda58ccc9ee18727b3a101c8f135a7f9ef0e330e820a628b390ad4a539b91b99ff37ab76836c39bdd2dc33ae93060985119004f845fe970a22c4722ad7f27d2c1f242906ab5e75c02719d7b66eaa0c65d117538697eb1d0b4d8cecab9429aae18447383fd2e3702bfd4bdf3df74817735b51c494a3dc5b6630c741edad791c23305ff95dcc94a2787572317c142abb4e7a500752037844c97563b4bce5052c73e20f9287274e10231b48ed867c13c386f260b389d7957e044e22d6105070f9c17f31fef379a071280f2f5874beaf2ee21c2658bbfdc4788b3b201ae039eb6b314dfee9c43a18f7e3400000000ba0545db863d47a1b8d103005a9bf02c16e82713f73def1689edcf14e60ab05834b05d93bb37a4e513d9aa08aa5ef193013086ee5b697406cd5ae55aa473e03	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\0bcad\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd104000000020000000000106600000001000020000000904f75cdbd953b4381753b6275de3c164acf2c66372a94b362abeb337fadcfce000000000e8000000002000020000000dc14b5bd079d96429422249931b0cae16bf2c908847c659578f74237becac5fd50010000ea3e4e5d78b55c0efe85f5ff1be430f4a0b0744037ddcd2715c0b5be048d2ba0987b9ffda12a31c7b9d10ef9a6f8980ec9091b706d00129026ef185a19deadc6f80993b76b038d0aacdd64761ed43e92750f26a177d3a938cb589896d34eb1897c8df491346650494a01430b015a2b496c1569eaa7fe9947a2b3ada871ce1c12c950cd8ac478844a99416e1c1d23f407801164e05070504d7cc1008e59a407b20f0d8fa817e3d80ee7a7f62c74d94ae00a95a983cedc003df02c319a52c09dc0ab6dcd0e6c64674343e633589ecb51ccc419e6ab9cf931e88e31db7c6a6f2b524e224e30eaa316f8af8a7e34a77ac7a532fe5e7bc9ddd338c31deca89c77ebadcb038dd280397681f4911cd4e44d0a1ee431304e92ff11e7754fa7f3ede97d3b0ea5db50b75332c8e2a83c1f1244000005c79c9776a6458fb80e576a0045ed1bc6d06677ccf62968bb5dd1985017e87d400000005a85be58ace724899b399fa6a25eac9b99cf4a1616860913a455e3b49b84c69c7002915e701ec6a03821ac18411cea73d47c9d4c07ff0b4d36266be99e949f84	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09260	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09264\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd1040000000200000000001066000000010000200000008c0817d507e2051c087e8143f11cf04990bf2a7a6388bd1523dad2343261f04d000000000e80000000020000200000009c12d097e66fb63531ab687f61edb8ec7a8fae35d8fe39a474fa078979d94f01f0000000349d518f6ef6244570129419e18d4918eb82981866cd4f055958469b45f5851f6c6cccf669b1036078ba42955311958d664767a35b94b8c9a5170ae5b0066af199b7592310ee74c8edfb893d416fde8b1de9d5b679f7fec92c45582fb0317cdb89cb20a58e106ea86552e7c0ff369fad8a7f9a5ffe05e3a30c7bc8aa4a037afe6b5ae33f4779f727e613b09b24cbd9ff1b6e2a13606f8dc7e2ef1b4ef68f8e89cb7ed67584c57244d929ab42ef11616fab2bb36aab251d8e1906f478542b9d2568fee739bc3c7929c11058055d0959468bcd170ff65b69e04980eaf43b2424ee21c6c1e2f97eea8d0d11c5851990fb3a40000000f665d4d1b810f3ceb6fda9bb9ead176c12d8e1f07cca55a11f508192b2db405d09e9e71dc9cc5f395f1189e117ae3523f27687432d9e0210cf17a7862525ee53	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09260\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd10400000002000000000010660000000100002000000061679860dbca6344341e35fabe031beaa6c53b1f91aa7a75e669b923d2a26daa000000000e8000000002000020000000666e723f8bd18b3f90d3d2a47ea4cca7c63af739e7e439c5fdc418066413ec6ef000000077e31058186f485b01fe309c3cada0f63885703d0b95ca937b64e0de0bf3733fa1dd35d1e792560fcc8349817e1fa436c95da544002890fa5598324f9d3888643234af2b8c3ed2b84335a0375e31ab51a4fc7c81b625ce360bb0792b575f9686908691ebae34d5dffe6675204c739020706ac0a32dbc59f71514d395e43886b2a69fea4eee9c14ebc518c0100124143be9276f36ba4a713ff00b65f2595c43b39df9f1d393504943b8d91d3cc7f5800e9b8b87b9263bcaf914f7578bfc1fe2c9417d187cce59a60d32bae33901b0883e0b372b58a1b6f1dccf1ce41138f460b331814187feb69d585717fe62f1e5bf08400000009752043721b5feff34ee0e7481e456b39951417783c30e2a89351989e022eb58669a1927669bb3ee0c9c792566572244ba0055cbaeb3154dc57b6eb467c90959	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09262	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09275\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd104000000020000000000106600000001000020000000fe0599d2d355fa38091ff9e092809298108505aefd65035651d483aaf67d9ebc000000000e80000000020000200000002a4c946c96b5c81cfde86d45e0d969a7cef194328572f1b78e578929d8ae091ff00000009f0d1429094e9c2d7532452886ca5ef798b24289f518e203775d094ee1a962219f1a462700855287472de67c497b87fada96b4ccae4fee3584c522e5070efcac30ffd72e799b2cb368771e41c61d3695e5f6809091b177a308f94bcd2ef3ff7d950f930c83095c7235d54ab0d46fa8d53575e51ba80d0dac0a5f5ba1436e43c301478956114aa65c597c58209a4800d267abf9d1474b9ed5fb2d271f8c2e713a84da2ff892a1339a5cdf36cfa910637dd8959fc17ba897e3a892591af94a8aefa5ecacfb2ae203813734e3ce47d6be966b3aadb116ee4051b171ef86e4c41c1ea40b03bddf3e323394ed482049dc89d9400000005d91e43bb20e01eaf668af1a37642eca6de083e0befbc8e9a4b6192ced402021e46fbbc67cee7f251bb7be9b016485e3a6bc0c1b3b558360b7cef04ee120e963	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\0bcad	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\ = 480affff430affff3e0affff390affff340affff2f0affff2a0affff250affff200affff1b0affff160affff110affff0c0affff070affff020afffffd09fffff809fffff309ffffee09ffffe909ffffe409ffffdf09ffffda09ffffd509ffffd009ffffcb09ffffc609ffffc109ffffbc09ffffb709ffffb209ffffad09ffffa809ffffa309ffff9e09ffff9909ffff9409ffff8f09ffff8a09ffff	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09276\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd10400000002000000000010660000000100002000000020c86bca8591e519e3365be3400e4c1dcc889e22f288b8a6c1a5585f3d6faa8a000000000e800000000200002000000010a85e4dcadca5667640552bd4bcc52638635a39424f6630f822a6593b2557bbf0000000b99f7a5f604ba825d41b2238dff263037436b72aeb747d376ef75fe4498b179dce5a96e7f73d727ec809aa1ef84279b76b8f362c6371d4bd6dcade2a0b24da281ace9cf2330af69e96bde127a8446b91589ae04404ccc6454714fd8eed88664622d689e9523557dfa0f9648e06b4522a0aa89f201ba2ee55c32b452a0b25444ac7cba84418dbbf4087d756d119ac70d5731a28b4c648e9575e19726730a8eddc0264b55fe2e00d613219301df342164bb6d59a063d3d32db5e79890339d0bc79f6f7b7a873958a18d08e12959c21330c6821a1544984f353451d6fdc60c4f09fc6a02793ae8d3154c5156f8549e0563340000000c8178b1fc09d991c761444366f4033257c5c22b0ef3fcdd980fd8d40a814a9719ad458fdd60760e4e7641e658561a7f69a0ee3afc7ba762f1c4536806f349515	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09262\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd10400000002000000000010660000000100002000000018ddeb22ba846039810cb010f6513dd8e930a115f11edd58a2ae904eeedb9195000000000e8000000002000020000000cecb94d03cb44854028cb39312063f70ef616bd689ca0885715fb9c8b9a90888f000000088491f24fdafe492b77fa2d11cfddeab2de952a1f9b93e81d13a1257567deb62de406ab6273603544b74b710f7137dc97f66286eba174fc842d022311634c098fc9b04e28aee6bbbab0a1641bbeebb5171e2feef6c5013dce7a61ff47611e0f5fefc5de77bc6812f3c0761ed45b6a80ade37a1c249d7dcc6a43d29fed5a8618ada06baf3b85d9786fa3f9d9b2221c4bebc73f4b76a2baa94ed845e75beebd91a943196df1240238ec4ef3ab3d6a68a51bddb303430a8f6113fc85002c083180893a799c7c72343a6b1e0636525dcaa0d024044c6a635fa8e71117c058043d130cbdca95f49b39cc460ceafcf0e875238400000009c58aa21f31bacc145df9b34aff3a6957d911909a7644382dc15e1c61c91ad9c4b94b33e64c5a665e801278c11f1887c15acfc6fd6ac1325234b95a9037d5a39	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09263	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09263\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd10400000002000000000010660000000100002000000062921e42f8fb9ae9cf5291f96a4f096a655c023da477a8a3433b990b593936e3000000000e8000000002000020000000889cd7738fbca9b3dbad7d70830597558f820689e48cf950dbc44debdc606a37f0000000fe0b2c3c16598cfe53f29938400d7002f795f35722fa638641f5d850ffbe82eebcdbd140a1dc058c6670fa4ab2ab0a44ba2d05cb84334c70e3ef79791f2c7e2374af7077e3b0a20d4be5ea49c38e46bf19ee5c24397768cb4e965caba203f303b29337b85b89252f0cb0fe584c8fa1e80bf734891280f8e0d22743ddd439819e4a13ac7dda50e6615fbb713830b9c3c942c491e9feff4152a324804b71c1af53b0a50f741144a4529fd0dee1c1391b1b39b7e407f7f3a5000738132a5e820be1dc8796cfdb6082cc93889e708f7c40c30b5bef264d2d131a9e735a7a97d53573ff1f7c6f0d67411bf04e6c09d25cc175400000001c81137cda37a740af5609f007613cfe266127bde78fdf9283a86c317523102044b546e140ccaf479845dfd5113b8368c40fee295b96bb3f2970c9b494c28905	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09279\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd1040000000200000000001066000000010000200000002c3d5b696e6f062480ae8566ddb9bc9da05ba8549875238c710be074d43ad644000000000e800000000200002000000065fb5fb9df0a459d432b893a285cec8209f78bf1b6afbfd204fc02f422f226c7f000000080f031d56de1662983de80292273927d0704a4b1119bd5e9b50077f5ff2e315c53a849b323406fdce925ca875940d1ec55db230856570a4351d63396f63de33c7ef6048c89bb75c256530a63aa57ec7f1f0689a1607d95a1dd8c0acd8e53ca88315cd9c3491de80d4119687be7fc263586e1498b717fa6ffaa5f6f639ff770d5e3c48bf9efebdf68cec724a2a8820e1be1acc23f7177d54797f036b0dedabc37703dc8d31f7605d5635094850252898e44e3f91004397ec14b7eaf64f8e3ff27ac1bcc2afa3ee7a06f3ee055dd5ca7589d36b40a796af937fcdcc4e5a27e45c977db4273dabe17b6500fb14aa79b2e4340000000246f1e6f8602b10f55ceabaab2b571b8095932f8d1560818653599180ba44589a6c131efaf46c6d6039a5f778c6537755c1fdc04393d5cdc2b7dca51f7b2c067	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09280	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09264	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09275	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09277\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd104000000020000000000106600000001000020000000fe656427b51ced53f00b6f3f03b2f7f34bb84040ba81e6e559cde5d754ddcbfa000000000e8000000002000020000000d27338464d5e9ab61c7be63857fa2466cdb2c4c36af3598323db5d87d70de73df0000000113dfa46228c52bf03a73f15d0569356b2c15a3a4798b03b34ab4040c67b798f8a1bea9253ab9235e48a747227ce565fe0985d960c382877819e68a5c29dbd911fad36f7fa9d13b544fdcce6a05b21226674634580203fe2a05d8d94952e345a944c47a9a84cb9f03192495fd18d70412a4d0f798b91db2fc7efd1a954371bd886c2a45119e6172357d688cd13bc1181fda4822c02ac0313c9d44d128cb7738f9c1887b98fa7e546b4ad8065543dfa0f356e338e4fbd719b00807817d9f9a9ba83768c88d24315f1d727eb6103a95937980e5daf915999b2e90c9c734f26f423077c2ef3a2244bdd464ce3e1f3d5838b40000000d1ca292da15a39d948c919d932deae1ffadfb542a4dba00fe357a594f348516a05d277ca45ee80fa6f4d9910f8fc5993ff91e281046c7ac72b0159f15ae9d774	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09276	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09277	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09299	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09299\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd1040000000200000000001066000000010000200000008df1c792a0b0558921f9b472b16a7decc521cb96cd0020a92ff4e062229c7c3a000000000e8000000002000020000000ad44328da762007f26031a29e530697b8100d53abde2f3b27daf544bb4767f70f00000007ec72a851b8dbc7b2d3056d24a2d8130f000f328ddb6da7d9e00ad62bc990a2423a65e3d47201391d1cce799d054099c0353bd963d4e884cef6b2f0f7269ba8f452b2530f1454fb4dbff2c4b68efb578f39677b37ef5d1ba15a1a4d63e288f00debba8ffb728983c43fef91557100e00a45eae06d299d4b08d0e90f5ec8ce897fefe5a4aa1fb85b73c69db4ba1d3adc348831b77fa94e16cbcf90b97e977a7b7c75f0418719bf38860e8f5e1f61dca9d999cb4b49c9b801cde857ce7839b450a3574f6cee27739adcdd7823965e38326020d348d91519139ade6886aef56970fbd7dbecf32767458b712092f9cd5b08540000000313e7550893af7baacd4c06db3b395a1874ca4202bab884455396269f7f210ed2e0d993edeae2f378b897a1f7059c8b0b8bdba5f6435097c33f13e924b8dbd48	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09271\ = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000560421a645a4ba48bedbb571f8bc9cd104000000020000000000106600000001000020000000659f3a27208988649078af56b06a5c13ea72deacb30190849f37a2c223b96cc8000000000e8000000002000020000000849576b1fca012da6da64129a33e5dd6faa6b1565e774fc38b6793e3323200ebf0000000b342e0453623d2e257071214307a5f2569e8a4081df1d2cf3e036f09adb3e51ccd0ae1be11553c4bbcd74cde055fac678d94d2d562f661c0b652c21549bccaf30a050dfbe496768d483e1e2ae7bd5592287c9fe4c1494c397715c379dc5fca82a770a7586d8128ab2920b06581a24e1e8684c88f56bc872d2741ebbe71b49f166f33114fbedd3ea6f033dc6cd27f8b2cfec994f9ff2b67fb5c8995f6e2d5918f1b03c520ea065798617602078ced5d6465fe83971eb2e41adc1ca74424a821af5e116c66efdaeec300619a00252daacf1d30e95d82f00c70b985d4a3114e4a0237ccd13bdd0984db89ca6c910b8ecaf9400000003d9979fa052738632ffef9fc80e674d12c6433d65ba7fae34ed3d4d7366440c28eb37a5c31a3a53f0539fbe2339905e55b98454bd962f426021db58df40240a1	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA\09279	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
1652	DiagnosticsHub.StandardCollector.Service.exe
1652	DiagnosticsHub.StandardCollector.Service.exe
1652	DiagnosticsHub.StandardCollector.Service.exe
1652	DiagnosticsHub.StandardCollector.Service.exe
1652	DiagnosticsHub.StandardCollector.Service.exe
1652	DiagnosticsHub.StandardCollector.Service.exe
1652	DiagnosticsHub.StandardCollector.Service.exe
3276	elevation_service.exe
3276	elevation_service.exe
3276	elevation_service.exe
3276	elevation_service.exe
3276	elevation_service.exe
3276	elevation_service.exe
3276	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exefxssvc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1728	122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
Token: SeAuditPrivilege	4300	fxssvc.exe
Token: SeDebugPrivilege	1652	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3276	elevation_service.exe
Token: SeRestorePrivilege	1604	TieringEngineService.exe
Token: SeManageVolumePrivilege	1604	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	244	AgentService.exe
Token: SeBackupPrivilege	2520	vssvc.exe
Token: SeRestorePrivilege	2520	vssvc.exe
Token: SeAuditPrivilege	2520	vssvc.exe
Token: SeBackupPrivilege	1228	wbengine.exe
Token: SeRestorePrivilege	1228	wbengine.exe
Token: SeSecurityPrivilege	1228	wbengine.exe
Token: 33	4268	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeDebugPrivilege	3276	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4268 wrote to memory of 4272	4268	SearchIndexer.exe	SearchProtocolHost.exe
PID 4268 wrote to memory of 4272	4268	SearchIndexer.exe	SearchProtocolHost.exe
PID 4268 wrote to memory of 1292	4268	SearchIndexer.exe	SearchFilterHost.exe
PID 4268 wrote to memory of 1292	4268	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\122cb37522c16f57ef995678df6dad70_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3896

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:776

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4160

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4272
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4a120991ffcd6cf02b21207a2fbe983c

SHA1
9f56ca51ff5e9b1bb19db3d956370f46399d694f

SHA256
06b1282e488e879ff886e7cf5f390747bbf2d719875e574e57f01d020ce082fc

SHA512
8419e6cf7bff7e92c485395517509232930a125dcae53ca12068891839774713bab432a606229acbf5c71b71dfa73e01c81e75cf96747f0255c08a0d52951723

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
b7740d6baa9b0462229af7c7ee70885e

SHA1
a4c0e929d55f711413d7444eba189e35a39178e8

SHA256
d1da9a3d088fd5d8d25194a5f42d2fcb00da0820210d102f8575eb1bae1876b0

SHA512
e0004ea60aeacbf37fb3db28692e2419c786f25bcea4b86cf99c58865357455d8653d09585e7c7340c1addc16d026da2c60abdb5d2dc41ce39ba4b95e88a598e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
5fba30d5a4976e1ef88940e3b72991cc

SHA1
f2cd0c8ebab1a6e020cc9247a67bf59392f5396e

SHA256
27308e8983f22a7c09cf6f9b101e5f4751e656be234ed3af61cf57d6560e1a5c

SHA512
ffc9c04601f635169de4aad42300ec7d98c380e41fa0d139f54973a15b99a2ac6e39495bac1a783425afe49515009f1b55e04e6515085e1f374b254153ac7d79

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
88f0207c841f9bd3e44adab44bdb264b

SHA1
bb3fd094b9eb5041423adb70d74282defe4d1e1d

SHA256
ae17c0d9c204f8b0e53cb3016ec686b8ec3daab97ebc1d31e89772e1f038a1aa

SHA512
c7766e542d53a0f75c9eb3314aed649b54ca8360e0c9bfa991644b607bc7235dd66780d5d42152be3e5b0fedf3b972da8bfefb3b588fb05097f5f1ce874b64de

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f2b894769c51651361528347c7284e86

SHA1
ba63396b84306bdacd6ff36fc60b7d1c86e82cef

SHA256
84a78b8e857be4e2c6df9b2c3fd77e16ff64cd2fe392a155a75c2ae2686a73ae

SHA512
4a28d4b2e1d15a693497076b749c696e1efb1821e3bfeadb624dbd7c57b2242c95688c805aa7536788fd2e6663ee93d0d3df98cd63c940b314cf2bf554424562

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b1d3f9efe98852936e5ca681c3caf8d4

SHA1
b81b9faefbd05e06d7a6d79b30fe001d19da653e

SHA256
a720d8c29cc8c87000008504d18152e786a9a7f386bda39b60ec212a1d5daae2

SHA512
d6795811f03773a0d9d57d0f7e69b22cb1e3b02b03eb4d549e0ca5b31eec15f644c9f9d2945e3ead2e2bda8619e6a2b8b24a48a238521840b6803313d74fc99d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
7004da68164346cf3500568e3542e780

SHA1
17566a19f5c34098198f0f1e0a2e550661e09396

SHA256
b87a26707b12cdc5313ed7b7c30a48c28918791eb146f4b4135fe0f281fb7dcf

SHA512
e288e5e1baf38625b23e7c432bf168fd1321f958eb0a5491cb9fe0b2c313d1f47b0985b1dd2f8f28ab0681b43a6cc5b808f6b9716bcadb060e4c77c2dc3a110f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
be5a8a13f4aecd6094c27a791ec1036e

SHA1
c7f5b7fad563c2ac17ba7fc703a0ba77a1f9ffba

SHA256
70b37ff3e8106a760e23611b3b6b8b5bf7dcb544e3cfd99ac0b9075a7dc39c36

SHA512
866008522d62ee0340decd149b3797aaed6a442f81f3bb8bf34cafaa5d2e3ef7faa41e15db033b340f69e4742a9218ab09cc55f454b8b9515b929cdcfc7c5ebe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
5b7728fd787f6a25e9e00e44e4798a4e

SHA1
4ca7b67b45818c35462c52d18cec003476e8f1cd

SHA256
ff2cdf45a593bca40c9b5556ce1842d799fb92017c24ca3d696d0b3e397af692

SHA512
33493471f6a1ac1e0d3ce5860d05693f1fc37069a300c65378d58690f607613d3e94e0f74870a0e6e31dbfbf8c401b641695987e630fb381e4a5ccd00376fbab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
48b1156a09b2e996dd9f08f4a4a9684b

SHA1
ac4c667b1dad3f099f0f00257441f6c091665e2a

SHA256
0a92f4408ce94b76681adc457b101f6b2aac44cf8e95bbfb2c5df6d55ea29702

SHA512
999d834713cb0c4a9449726d57c74b7a9e3eb538f6baa8f0c85ea5973e107a91fcd35f81202c00352db7efc658a929d06c67d1d3ac5f72d35a514134f5c0e054

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
be724d842b488b607fac6b6c84694a04

SHA1
b772e2991f1dece1edad7285b05507751628cddf

SHA256
b094e9ecc12b5ec74fb0d7e8199af9b4c3b51a738cf39ef0cfd8d58d38aa984a

SHA512
b0e8854c743e9dc1a4b7886110f94e2eac7e942e6770b905ba19f423cd8b1a0acd8955e4789fc6bc47567a5e9ab2f9b61f2b3d4b23d823981cf0ad2ee3895b84

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3df170aa958bd3c09f2ae27cb35e9bbc

SHA1
046a6616340644e6363aed08c492b3b3099dd09e

SHA256
62c7aae05680f39b7c1a487bc96744db4184166e69bc077fad350640a755d8cc

SHA512
8be3ac03e7f6fcb263f48ee9fe9eea2eb484ff946ada790bf450e4fa43fb5fa8c3a2166b7d4157808baf4456fd246b9f97d86ff55c1e6df34992b9bfff42cf07

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
e6aee45818f4501d4835b29b4992b6e9

SHA1
47839c8668d88b5b63e77c7094a7452194489ec0

SHA256
9b01713322acfaef6b0dadd592eca538b2d6c7cf0c0578a3087ad155034e0f20

SHA512
1e28ccab78cc619ffe9796e3305dab86d294f6dc9a8109a633d363a5f3882323d5e7073252f1450673c1c180e331fa75d967d559abf24d4e67e486fd064e6ad5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
d13f6af29ea44234cb87eab2c28c7ea9

SHA1
68527c9973fd38483d67b0d8e8fb23b35c496150

SHA256
80a0c68c8125806e82ff820cdc58d7ded1d6fa49b667e832afffaf1d71caa555

SHA512
bd51d3b69943ba4696107558158d0546bef359c1cb2021aa2ee92518d471156cafaa157020a390d7afbf9d93c36e9efe9eb692f32923447c40439f4e4f6ec423

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
65f0f3f626bea4d48936da8da51b7cb7

SHA1
f24f2ed6e6e3ac4c0e775f6c09f545aa9f7d0835

SHA256
cb0a62f89bb495b66811362ebd93e669694b3997ae7865bab918ad937c23d47c

SHA512
8a39711731be49a458d5782222e1c96e97f64633d92b3d74aeeeca027a2afe3ccf99e5503364f9a9a41dc4f6b2a45ddbd14d71edbfb505e0237d4a60f04f3024

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
91f271f5801c2ee0209b0e743bd8ee52

SHA1
6a2a9916efd5d989f61fbedf6be15349200b09b4

SHA256
eb4d4e572dd6b0c30f4219c8015e85c6dba2765cd54107fdd16e821befd8c58b

SHA512
d63aa85e6cc780d6a34228ef7f1a77d80fffcab1bd3b61ee0929fe355d434167d4395cc4b79556ccfd515d2a39d68e540ba30bf74e779031b045364ac78ec4fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d019103e62edbca1f26c8d4fa9ea3b40

SHA1
b7e7fd1ee7d21c6254c2220b43ecb18134676a28

SHA256
894e860b7695d5c33000de961e91735481e60567bf7e7a96be5c8cd3723a19a7

SHA512
9bea25c70648a6298a0931b1bd4458d36e5754ec64d88324e8988cd214c665b69d19f36fde3db7c4b92bee683b016c864601a296bc1e3d18860fde962521b315

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
057668d56cc1a986b64eea67386431b7

SHA1
db41bb38e8f6efa0abc6f615a22b53675806f7ff

SHA256
d253cca8f639d6b97c858be8f8ec9ff4967e44483eb8b1b49c7a2f4dd7a3e84d

SHA512
1aed2be8d8eb60867a3f366eef899b427a1831b7ff38651344a5d62fd771e5a36fb505dc68a870bd068ac840175f1a3d21a6f5db3e5a8f152056cd0e8317f530

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
407fff41504fe3a0c25062a0192d4d4b

SHA1
baf16bf722e3a3efc46464b7aa313be31887f59b

SHA256
6280b43e0325cf8c1166b29e420620233fca6009824f9c325dd82d24ab30aaa2

SHA512
a98607eb44defcc7a8a745c5ba24863589025d98fb29548686baafcc171f5a16873b17797ec0edbc6d76450fc4e96b0a91ece2a366363b18441b003a06ee9aae

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a330f090d6a049cbd7d481e98e75d964

SHA1
1bf00dd6de411cba5e1fa64df9a48f50e95bd303

SHA256
0fa097ee28d99c960553077fcae0ad0601223f8e4d745294e93140e910aca4c3

SHA512
4b14f90e32245d939e56c761dad72b3f6737ba25f4ebe062856877df8b11c28bee53fc83ea5a06b6fc72082d53ba886a80da7e87bd3cffeba082c733e0d138d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
238151fc8fceb7f59a956938b8159322

SHA1
9be1d3762cb6c4ccab3839c685f73983d034d4b1

SHA256
9796b9f1f675575d9b0115e45c22f3d01cbac6f80f9f79e3ca1335c7382b80c7

SHA512
666e6bb94e0ecc6d0632008fabf0bb2b69ee550e7947b70092187707241028253eaf5881131ba2115dc4e3f516233e9cf7bbb21c2017f4ea131988093a61ec78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
139b74244fae2baebc0472eb0c3c47fb

SHA1
818f81913d929af7e50dcf2a872e1d618fb5bef0

SHA256
dcda2f0d67de5e8e29f70a1821b7a546486a02eb14ec51f45ea2fcde9f65207d

SHA512
5d09f07884cff6184ec5df5d07797aa7500bec4ad5b06f2414ef17b0524b4ca23e032063ba64e58ccfaf2951a573f9af256abf2cc641b3bc19347bfd89f38ce3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
294194337946dc4f98d18293b05a1cec

SHA1
37563013c6b769240e8c2cb4a24688e0e58bbb6f

SHA256
fb50360bacc991e891f24e64ed33f2ea75dd9ec124f8a2c08471a37971a6af2b

SHA512
52805afb4660d8175d2e66b0676e5f3de9d0c505cd8d7df3fc2988f1d86d45d53c7e28a8b1cf10d9a49cdee90b13bc9f12b5c91ff51a7f790f0f8a0456b15804

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
fd5099788713b1cb28d49d0a57d23089

SHA1
149c60ac43fbe36810777bb27733ffdaacc0e6fd

SHA256
065bc1de2fdbf495955feaa9740329ee30293b678d26305fd88a483d721e40c4

SHA512
fee1682fe2e71112714bc02e7b225e8ece4c20718992c724b259e682fd311b82f890a7408353c7d6ac3e3e9d7e60c9857451d67ed633df27cfe6e504c9f6b20b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
a1872b5393eb4f4cade8d9b9a7b959fb

SHA1
496648b500c67964e0ec3ce8530f485fd1d3660c

SHA256
f891da7854a6e45300177f73a6fb38169a0bff1d7caba0e10411db6fce69a6c1

SHA512
76e47f6ec5c3d2690657e0a745bd58de83473db98a6d5930ee0feefee6dd7988e1191d3f73d5fbc5b13378e8f1e8b6290c594b137e8e2c9e3552ffb40a48c8a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
f1078532f3c5a2785c6ce80f50b527c5

SHA1
7e18bb3fda8c0600bca1a198e546aefcb8fd4ef8

SHA256
7a1393a28f947708b69cb6109cbb263818e314555be98b7ee9bc4e80d7054273

SHA512
f015088f47b13a7dc0cc46f7bebead77c58ae0f17ba694499368fbf738ef3ac7b14c285024ed1c91204965dede71de3d6d48a921953e2249d92f85d641e03e63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
4ef03317faaca07cae0a352c1e092d6c

SHA1
ddd0a3067cfc93a3df809bd3d618ee00bbed579e

SHA256
9d273f9b977f5d10f37cd2cdc559a1635612eb8e73b55b710c38d940fd190a6c

SHA512
d238daefccdc6879617872e8bca1fb7bfff28b5af82036444251667da724b91da3a451080383f63a2a6708f02fcee202e541381d6c18c50044c3c8e4c78e8328

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
db70c9d8f9f0b852980bb7170c15a73b

SHA1
8d0fd1b0a74f4d0c82ed62b0fc6d5359f23a54a1

SHA256
72053dbe1aef88f7c586130e332d2c734dee90604c5cc8b599849c02230e0d33

SHA512
23ecd5477c12b03f3c7c5d63c1caae554a257b1a35a53f80869a01ad67491d3be7c3634e3cbdc79ce0ae4ea6e742463318d6bb223f5e8d57faed73e779a9572d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
17b074802b2092d470739239337942df

SHA1
f4f0b40c84ffbe60dee7b2695d0889864ccbf42b

SHA256
42b3a9a31e90e1605a7529bca940ce8e295ac0ca068534a9f81111b4ff64df6f

SHA512
35bc0f5a7be0c9a025fe5aa94f9bc4729977e5d48570001c8182c128473500807be4170137244a22ff6eeeedadd10d2e3f3293080594446b16a39173be4c59a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
e5c3a1c0b91d9e40e9e54b2272cc0610

SHA1
5747349203ae196c52dff4b2d76b2236eda42b31

SHA256
eb88b0590021c9cd18c54a0ac41212bf412e5415ef5eaee5a2a64265da7aeeba

SHA512
b270cdaefe6d6cafc2f9fe0c7d0604de722fc6fa6dffc4626443d5e55c53fa5dfe36259c515f45235d14b03893a7f64a69d765848c0ff9d500c76393f1594021

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
8fbb687111aa1aef8e039d7a8ad7bb8a

SHA1
a321994fe49f0794675f3f2b8fbdad67c499ce50

SHA256
d07db510127f43ba428e8290bb2387bf9260659205d60b519fe3399d9b3db6f3

SHA512
15c01f46024a2e2638336e0b4bdcad4a105f54366b8be444c8648fb8bdcc2a5bbec8f4f2f4e1539ad40d27a9add2d6b2697a4d48b47cde903573e24a3794eb22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
b15ac1c7b95b433f825e75e5e1b70db5

SHA1
2bb3b9e5b66271514e15ce8a65fc61380432fc93

SHA256
19a3735f2612167b0d7acd6ded553fe61ab122e8f8065897740301a96c03cb21

SHA512
d46cfd69a343dde001622ddfbeebf576d9be25dea0a727cd9fddacded2b618dbb87d7c10fab69afdcbdb6d42e320b66f50041e92d54feed5a08c4f02194eb6b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5d33eade6370871212d924e324efab95

SHA1
c1c750bf40d5089394de66ba68fb9d976695c269

SHA256
55ec88d973efa56b9457014f732d5ac70c2994adeed15237f16b6f9566fda417

SHA512
0a72e9a4ce501f89b9b4cac5ed5a78f477082b1ed95d12c7bce2b88e42ea77998b9fa8b5c6bc93b46dcd05efb8637a7fcbd108b23d2a671323fcb810bea8ea40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
a2761615ca3fb29d0301dee00f2b4505

SHA1
9c8db5c48fe7a2a11e6f4082765b5119459fb76c

SHA256
215917be90135d62c1362d212626113394afa68af8ce32400681c6ecc5397740

SHA512
20c86a8f1580fbcc4fd6ec3c068d081193ef748d0078f9a01a127dee3f4ef634e5f11f39a434e0a0b4cdde783962fa9dea8b0b3c8f88a664d515064136c32ea2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
ca53b09e04aaa4bccaa895e3a7a05e28

SHA1
051949a7b7aaa6becef4062d5d8303e540abd0ec

SHA256
975f473d432667dc8078b048d758f066291f6dc968c54e3643f865837176a275

SHA512
9c5b2a8a5886a3b5bdff8dda37fbbbc01ded8bded079bf6c46bf8e51b9f8dae3c0a5f4f61004ec03218e1f6bd457a5e106cf075c52b9e1b974534eab4502e760

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
8207d86e6322cfbaea4f17ddb92ac0e0

SHA1
9e2135ebf81471d508067ffe4e459f921053bd22

SHA256
caca69c769c6bd0a21735201527c30316d459e441f560d1d9a408fd8dd61f14b

SHA512
d74383f1a272d76d5acf19f308680427b0b975fd296f50bca3c64f221ce4b301cf2860d8f73971da60656f3deaa5386ba58380499431f11e0e58d76b6d8956bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
2291354aafd82eb16008ef996b15ea92

SHA1
52dda7d5fe74e962d6cd8d4d6e2e776bdde3f9df

SHA256
42ef1ee583aebb18b8bfc6f92cc4a860559a2aabfd975d4eff04016cf22d87b0

SHA512
19c85fc7d9d28d190fa63a3874896e0ef911b3230bf1fc58aa14f9195fa132182abeeeb99f89c7b15323984b76e1e08db78ca00492bf94722062ed70b7fbe634

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
0424ecbc0834c40a54aacb370c57b6f4

SHA1
88648827ba7d2d64b80b76138ee3c8321bc80dcf

SHA256
a9d17fce1703f988ede95216b06e90284f5e3312038c3d28e6428ba492480fa7

SHA512
20069a66fe4b35193bea61f8bcdc729a040a4be40d87f8869b4abd8ba7f3a224fcb34919a80fe2a7038b25d0facfb2334fed4d367c056dc0f2bdc8e9eacac26b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
199d70006a2884b05161f18e2531d2f0

SHA1
92e7065fd0accbda4d313279f6193f51e418f4ca

SHA256
33976c5303f7d1de266d71db11868687b55b3e35f53a6da29d3fe53ec16937c5

SHA512
43506ba829672097780de29f122534608b0d47b3e1a93f5fa442b350b2644282cd6eac447160d8f2be68cfc8829390dc58527c474d7f014d0e1edf9f2ef8aba3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
9470ade5b5cec66e471481258f4b9c93

SHA1
6d6104c32a76852c9ef82a48f0e65b9824a41db5

SHA256
5a24908195e5bb165336c6e4d89ea37e8b75475578d548477b28383e5a4917ac

SHA512
f3dc4a39a74223573d7089cf553a76cdd6fb073357fc25eab93db6d952f73a43d0a15432697b1d412a04207008103260fef579e64c20877a9a6cf633bc32b6ba

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
8c251dcb62a904e7366b07161fd90e54

SHA1
14c2b25eb0bc08ac1c7ba53afb1b21e331bd6d23

SHA256
d71ab56dbbe53aed8ce6dfb7cbf700d68b0d9a32391047ce523fadc0a27b7f80

SHA512
c542de86626d69bc236b1fa16c111ce832e8727231e5a0429a0ac918de42e9a16b5b276ef1a3a279f74632b1cec463fb299897df61567f76184b08752f7db38a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
383bada0f6e7272d7ec4f69813041dd5

SHA1
e38d6c84af935ec4448755bb416ac382b328440e

SHA256
295807694171ae4b0c89dd3bf728307fb2c11c8ba1ea4761994facb027c48872

SHA512
08768185bdf7f1ac57b650bc8251dbb374dbf6ce699d71ccc3d7be2e0a59d933f4395af6de510056d62ae3476e4580a6eb598dfe6317c4e011ceaf348561bdde

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ae8c2568f9438dc7edf2ce884412da93

SHA1
b9c9df9d557c5e14460d903be7d7a3dc172608ab

SHA256
95359cffa85781f7f7170aa34a23e1aa57a009ec57ccf6b6e488bbece9dd3716

SHA512
dd5d793aefb4bdebda7bd1f4777a4ffee1bd43e8045286ce14511882b52cf5911a5720cf404978c5b882c42b2367876f8e5113d4b2f112c012974e220fd69a13

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f974cd93954507b2a804bf6e0043a584

SHA1
3c1f05b9615dce1651b7682dded3d83ccd01d2e6

SHA256
e6dacbc6aaa0220450ef98a6f55377fce802eea6eca0a144b948545ece56101f

SHA512
a8c66e593b44d0917e2cb1c9f4c17f7f1469269a9b8e882cf3477597bce6eb69b33fcb6cfd2a3f9f79638c5d957b78bc420b41e0d9e35d9acf15e2878da6d896

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
3cf6355a20c841d872d2db73e728b6eb

SHA1
68590ed5330b2e1c74b8843e621d152569203475

SHA256
e0389e0c1fa15ddc3537165a0d8943e581a083b506bdebb8ada8121ad365241d

SHA512
ccee7abd922a216719b77563f55a70fa6ae6c610e98a84278c31f4707824ddbf8eed72a7d1bbaa3ce4b7fa8f909cf0a060a67a396093674d7d7137f010710f95

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
f695a0ca965feb793c667c405a4ec0d5

SHA1
ccc96efed46f7ea25833343feeaad94957a96eaa

SHA256
4345473494bce634202787873b602ddedd8d0835fb5dea808054a25962c189a0

SHA512
a6d0198cb61c3cb2303380c89dde4bf04c082abb556ad7d99390314c07953b16af7dd7842c7d2241f44959089f0b0b35d310c929c55e8bb2afcb91d5e3f0b481

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
fc39c1015386e96231664b01194851c0

SHA1
32c431a979f7e66a40d5fa5535b94ccfdf425b34

SHA256
dce1fc6cc2e8e24042a0794c752151faff3f60ef6cc78de33f5ac7821c252809

SHA512
729834178d53710c5cb03d55653a50f76f643284c63d7dc4884919175563b569186763f5d8442e697d091a8e8351441b012e50a762c57ec1ff78d2600f84412b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
eaf83f07d65af0f5d84c40a931ae0faf

SHA1
0b3fd0834c0947f4aa7e8cccc9d5ceff15d07465

SHA256
4973f13fa0a8840d3a3cb72819f4f1c78ad9904b3dfe06b5a6b2726d8e755f41

SHA512
3d258cdbfa85d3053210e55f0739881a1056c4a56306fc46bbc677cf447a5729e25909fe515916ce3635fd1f07c05ceb23c81206b25157248036a1db64897284

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b6ab11d751ac79a5148f60c688382164

SHA1
6f01848716a44405d1127fbdcead55db0b360745

SHA256
a2848606bb9d0642a7c50faa020ab5d05dc9282754cf4e931bb71f18e5166cab

SHA512
626555b836d237c09027b288f8de520b4c71de3f9f5ba8d59fbe8ec2fb99df92fa770f3aca1b6fbf43946bf92f1658f0c91a24259e85b2b7951c4edf31efef0f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fcb02e5f7948e4b62c7632b3c58e0dac

SHA1
0def01444910f964fc152abd2feca49f896ac290

SHA256
47f65a89301b8db7864c447df5249719addd804de965724154545214f1bd0f6d

SHA512
84e5aa9f129e5529d045b73a35fdb685894f6e665e7c4110e0beb2a88b383be3cb805ecb2634be8998ddd21d3fadc97042efb1c3f614319949604a2261567bcd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
94e84b19ea9e04cbd0283427026fb621

SHA1
edc926ff86f5991f0602f0a8822d1c72accecde6

SHA256
ab21cd364de14713564353f8b0b47f2485c1b352938910d5da6b4df49be5945d

SHA512
018d3e2ccbacfccf4a2febe612b7101732f96778a987f1d9de71267495d9e6b7e6df309325fbee9c87edad2988b18805ec1c8f3047d9bc13b08941dfaf28407a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
702a0df1f2c464dba92f6004a24c0196

SHA1
18c1b26b3ec0e6f3cd30e662284cfd4e2c12489f

SHA256
1a81428b3b716bf05bbcd42d8ccd6614f701e6107d8f0e4af17e63fcca0a9d11

SHA512
a0e88ef26a49d4fbf6765958ef0afd70a33949e25128ff855c9fbf3b870491776355401d1ca2cb22776e23408943141a6a9b44856875d36dcb98440e3467d16c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
940e7930fd0666b6f4c16f4d60afa6f9

SHA1
550294676ae6305a1484dfc783df31951c8ef717

SHA256
d8fff259a7fcda4c13cad5c7e49e74710a3151f63c059914cc0f986df7e97f05

SHA512
c346a174eff9d47a87455c63d6515beb96381c489919935517db5edc4dc642809e992a8dd64c28cd662f4b35b8a9c77eadbd4e5fa77ddf5564ac1868d6a5a6e2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
631265e458f1fdd6e605e4a5893a4217

SHA1
20c2e8111e46dae128f2f86ee239c142bb3027cd

SHA256
aabad53bee1ae9df57abafcd0e7a9114424a58414595226f6a11587cc64b1750

SHA512
380417b5769f71c154dc4d6e0ecfc33625cbc8999acf01fe5b1c9206b12039c3b253ce457cea97a321e96c3381ce28550be50bcc9ca7ac061680c89dd5e457fd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0739ffb2928102ba111d5adc70e6c72a

SHA1
e0720c8b4f6abce585bbbd8b60494b133849eb40

SHA256
5be80e2e17226dac11c581a7ad2b4e54d8e3b4ad925d00b20f5d526995e107a8

SHA512
d0aa7057a91e933d7fad975bb13d362038ed3a12ae4b2a213bf67040446ae0e1571311af014bd23a9bf152fafc8f5145801504206f2c4b948d42ae449b7d36e7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8d6e56f11c80f7bccfe3f2547016da53

SHA1
1b239fca835cef9807fa9282155e90a09e2ed559

SHA256
3e4967ec2e0d0fb986d2f7ea0e4fc5e2f6700d494f7544efe28f65fab6adf95a

SHA512
1bce8581e44abe610d61d1182aa09cd99e541d004e1afb224e17fcc557841dace8c9ab6c2866cc1f5bd3e95f324b04ed7bf7d584809791cd88e71f1c0e17a315

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4077b5c88689d659fb19773ac8b36793

SHA1
a7f7d8783bc335301a68a1843b42848b9c2e99b2

SHA256
be1eb1ca1a72ce40e045c77629046e1f824ead04e4c4f5ccbe2c644cd68fd3ab

SHA512
414bbe1c57f17292c874a04c2b93894dd456f2b23dea1cdcef76fb96b4dc62c881251b90441227010e251575de41334a74883b0be8c4f25955a1324015852b84

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
326e0e7bb8a66e25e51394d39dd620d0

SHA1
586e06c1f25e3147374174d62b5a89dc25134ff2

SHA256
251d481a9ec87af906a29e2c795a7116e859a15abe8c67cf54be05292bf69117

SHA512
f10e25c28123c1849bc90383e02705e4edaa87325d4259c5bc48006f68e284e4f097abf1591be90bfef9ec4afd40a9807cb8bb214c9a84bc1379ad7e33324e0c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f61fa19987ef394718294750eb21ef98

SHA1
996f864913a611505a79cc23d6c248d0037f658f

SHA256
faef1f159e6bf0eb59fd979b7461b4183090f0b31810e2562907e03db3f91a9c

SHA512
80ae637b1df981b525d0535f4472237dd330768a7df11b731303b77d5fadaa421a5ab0beea5b8bc068f180758abe87d9fb0d08de71ff3e8d053c03bb13cb1bd1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
89ac8a9c0cbc9322e1345ae52a9d5291

SHA1
f7cd7e8945694981ae3193839052a4e6c38a7601

SHA256
aa56fe04144529368f6086bea79fbc54b8763933a0550407aa6ce8b69a4e8bcc

SHA512
7b5c5d8418b10319f2e2f79c364f33ab4d4764e5c6cd2c96676d8024bfd7d53f4883f9b70f5faea7c22eae954f7e6827fa4e2ab535fc96ad7c096a8ade623637

Download Submit
memory/244-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/244-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/644-284-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/776-526-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/776-299-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1228-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1228-534-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1604-529-0x0000000140000000-0x00000001401B4000-memory.dmp

Filesize
1.7MB

Download
memory/1604-314-0x0000000140000000-0x00000001401B4000-memory.dmp

Filesize
1.7MB

Download
memory/1652-15-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1652-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1652-21-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/1652-242-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/1652-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1728-2-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/1728-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/1728-31-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/1728-0-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2120-257-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2120-328-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/2120-258-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2120-265-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2520-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2520-533-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3276-41-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3276-35-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3276-243-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3276-34-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3656-72-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/3656-70-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3656-58-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/3656-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3656-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3896-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3896-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3896-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4008-271-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/4008-329-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4008-282-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4268-536-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4268-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4300-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4300-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4352-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4352-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4352-55-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4352-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4428-334-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4428-535-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4496-532-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4496-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4528-289-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4540-247-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4540-82-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4540-80-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4540-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4716-528-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4716-311-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4916-241-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4916-11-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/5012-324-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5012-253-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download